[ISN] Holes found in file server software
From: InfoSec News (isn at C4I.ORG)
Date: Mon Apr 09 2001 - 22:10:55 CDT
http://news.cnet.com/news/0-1003-200-5551015.html?tag=mn_hd
By Robert Lemos
Special to CNET News.com
April 9, 2001, 3:30 p.m. PT
A bug in popular software used to transfer files between computers
over the Internet could leave a door open to online vandals and
network intruders, data protection specialist PGP Security said
Monday.
"In addition to the threat of data loss and attacks against private
networks...these vulnerabilities could offer an easy avenue of
approach for an attacker intent on defacing Web sites," said Jim
Magdych, manager of PGP Security's vulnerability response team.
The vulnerability occurs in a function that allows people accessing a
file server to search for particular words, even when they don't know
the complete file name. When attackers put in a specially crafted
search term, they can cause the computer to execute malicious code,
said PGP Security.
Along with HTML--the lingua franca of the Web--and e-mail, file
transfer protocol, or FTP, is the most common way of moving data
across the Web.
According to PGP Security, the flawed FTP server software is part of
the standard operating system package from Sun Microsystems,
Hewlett-Packard and Silicon Graphics. The FTP software packaged with
NetBSD and FreeBSD, two open-source variants of Unix, is also
affected, Magdych said.
"FTP has been around a long time, so they use the same root code
base," Magdych said.
FTP software has been a common chink in the digital armor that many
companies have erected around their networks. Flaws in the free file
server created by Washington University, known as wu-FTP, led to a
large number of last year's defacements.
While wu-FTP contains the vulnerable function--known as "glob()"--it
works in a slightly different way with Linux systems, leaving most of
those systems protected from the exploit.
The Santa Clara, Calif., subsidiary of Network Associates announced
the most recent flaw on Monday. The company said it had notified
software and computer makers that incorporate the vulnerable software
in their systems more than two weeks ago and also notified the
Computer Emergency Response Team (CERT) at Carnegie Mellon University.
"Ordinarily we might be inclined to hold off a little longer, but we
are concerned that information about (the vulnerability) may be
starting to circulate," Magdych said.
As of Monday afternoon, however, neither Network Associates nor CERT
had an advisory on its Web site.
Systems administrators looking to protect their systems can do so by
attacking the root problem, Magdych said.
"To protect yourselves, a quick first step is to make sure that
nothing is writable by anonymous FTP users or that those users are not
allowed to make a directory," he said.
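As an added illustration of the administrator's check quoted above (this script is not from the article or from PGP Security), a POSIX shell audit that lists everything under an anonymous FTP root the anonymous account could write to or create directories in; the root path, the account name "ftp" and the sample layout are assumptions.

```shell
#!/bin/sh
# Audit an anonymous FTP tree for locations the anonymous account can
# write to. Added example; the path and the account name are assumptions.

# Print every file or directory under $1 that is world-writable, or that
# is owned by the anonymous FTP account ($2, default "ftp") with the
# owner-write bit set. Each path is printed once.
find_anon_writable() {
    root=$1
    user=${2:-ftp}
    {
        # World-writable entries (mode ...2): anyone, including the
        # anonymous account, may create files or subdirectories here.
        find "$root" -perm -002
        # Entries owned by the FTP account with owner write permission.
        # Skipped when that account does not exist on this host.
        if id "$user" >/dev/null 2>&1; then
            find "$root" -user "$user" -perm -200
        fi
    } | sort -u
}

# Number of writable locations found; 0 means the tree is clean.
count_anon_writable() {
    find_anon_writable "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh ftp-audit.sh /var/ftp [ftp-account]
if [ $# -gt 0 ]; then
    find_anon_writable "$1" "$2"
fi
```

Anything the script prints is a place an anonymous user could create the long directory names the glob() flaw depends on, so it should be made non-writable or removed.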
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV at SecurityFocus.com with a message body of
"SIGNOFF ISN".