|
To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca ______________________________________________________________________________ Caldera International, Inc. Security Advisory Subject: Open UNIX 8.0.0 UnixWare 7.1.1 : ftpd allows data connection hijacking via PASV mode Advisory number: CSSA-2002-SCO.23 Issue date: 2002 May 30 Cross reference: ______________________________________________________________________________ 1. Problem Description In FTP PASV mode, the client makes a control connection to the FTP server (typically port 21/tcp) and requests a PASV data connection. The server responds by listening for client connections on a specified port number, which is supplied to the client via the control connection. If an attacker can make a connection to the listening port before the client connects, the server will transmit the data to the attacker instead of the client. To exploit this vulnerability, the attacker must intercept or guess the port number that the server will use, then make its connection attempt before the client establishes a data connection. If the server chooses port numbers using an easily identifiable pattern (such as incrementally), this vulnerability is trivial to exploit. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- Open UNIX 8.0.0 /usr/sbin/in.ftpd UnixWare 7.1.1 /usr/sbin/in.ftpd 3. Solution The proper solution is to install the latest packages. 4. Open UNIX 8.0.0 4.1 Location of Fixed Binaries ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.23 4.2 Verification MD5 (erg501602b.pkg.Z) = e25467ff65349f5f388698fdd39161b5 md5 is available for download from ftp://stage.caldera.com/pub/security/tools/ 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following commands: Download erg501602b.pkg.Z to the /var/spool/pkg directory # uncompress /var/spool/pkg/erg501602b.pkg.Z # pkgadd -d /var/spool/pkg/erg501602b.pkg 5. UnixWare 7.1.1 5.1 Location of Fixed Binaries ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.23 5.2 Verification MD5 (erg501602b.pkg.Z) = e25467ff65349f5f388698fdd39161b5 md5 is available for download from ftp://stage.caldera.com/pub/security/tools/ 5.3 Installing Fixed Binaries Upgrade the affected binaries with the following commands: Download erg501602b.pkg.Z to the /var/spool/pkg directory # uncompress /var/spool/pkg/erg501602b.pkg.Z # pkgadd -d /var/spool/pkg/erg501602b.pkg 6. References Specific references for this advisory: http://www.kb.cert.org/vuls/id/2558 Caldera UNIX security resources: http://stage.caldera.com/support/security/ Caldera OpenLinux security resources: http://www.caldera.com/support/security/index.html This security fix closes Caldera incidents sr863902, fz520882, erg501602. 7. Disclaimer Caldera International, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera products.