[SLUG] Fwd: [MDLUG] From you friendly Microsoft rep

From: Bill (selinux@home.com)
Date: Thu Dec 06 2001 - 02:47:57 EST


Hey Tina, Rob (all others, too!) ... have a field day with this one :-)
Read the enclosure then come back and read the cited references. I
think you'll find the forwarded email very enlightening.

Googling for wu-ftp, CERT, NIPC, Core and Bindview Corporation reveals:
http://www.wu-ftpd.org/
http://www.cert.org/advisories/CA-2001-33.html
http://www.nipc.gov/
http://www.core-sdi.com/pressroom/pop_nota.php?idx=172
http://www.bindview.com/

Pay close attention to dates. It took 6 months to find the actual
exploit; 2 weeks to fix it. Code Red got rolling in March. The "iffy"
code in wu-ftp was spotted 2 months later. Nov. 14 it was developed
into a full-tilt exploit. Nov. 28 a distribution-specific upgrade
became available from RedHat. By Dec. 3 (not quite 3 weeks) all major
distros had patched upgrades available. Meanwhile, I still get hit
with over 1,400 Nimda attempts a day. And the Gartner Group has
advised corporations to pull IIS as being not worth fixing and a risk
to the continuation of business. If you read between the lines, I
think you will agree somebody wanted these exploits exposed. Core
appears to have released the exploit code the same day it announced
the vulnerability.

Question how many copies of wu-ftp are still in use. Question the
reference to Grannie ... and whether I would be getting hit 1,400
times a day if she could apply a MSFT service pack. The difference
is, any Linux Grannie running an FTP server knows it. Most Windows
people have no idea what is actually running on their machines.

Wu-ftp ships with a lot of distributions. It is not enabled by
default in any of them that I know of. AFAIK, ProFTP is generally the
favored form of FTP for those running Linux-based FTP servers. To get
a real feel for the threat to the public from breached wu-ftp
servers, consider that all five of these conditions must be true:
1) must be exposed to the internet -->
2) must run Linux -->
3) must run an FTP server -->
4) must have chosen wu-ftp -->
5) has not applied a single package upgrade.

Think hard about the wet-noodle line. Isn't the customary MSFT
defense to whine that it is made a target because it has so many
copies installed? Linux didn't cop that plea ... Linux fixed the
problem.

So nearly as I can tell, the "patches are imminent" line is a
definite and verifiable falsehood. The patches were available two
days before the email was sent. If the original author of the email
was as well versed in the matter as he presented himself as being, he
could be reasonably expected to know he was lying.

Bill
---------- Forwarded Message ----------
Subject: [MDLUG] From you friendly Microsoft rep
Date: Wed, 05 Dec 2001 10:24:55 EST
From: Ray Hernandez <hernan43@msu.edu>
To: mdlug@radiusnet.net

This was a warning sent out by my company's Microsoft rep:

Just in case you know someone running Linux...

FBI Warns: Turn Off Your Linux FTP Servers

The FBI, following the premature, accidental disclosure of a massive
security hole by Red Hat, has issued an alert advising all web sites
running Linux-based FTP servers to shut down immediately - or at a
minimum disable anonymous guest login and strictly enforce password
security.

The security problem is believed to affect most FTP servers in the
world. Patches are imminent - and some may be available by the time
this story is read. Anyone who doesn't patch risks the consequences.

The hole isn't in Linux itself, but in the wu-FTPd program, written
at Washington University, that ships with the most copies of Linux.
Some folks describe wu-FTPd as "ubiquitous."

The flaw, known by the unlovely name "wu-FTP Globbing Heap Corruption
Vulnerability," lets a hacker who knows how access every single file
on the server.

Those tricks were unknown until Red Hat accidentally revealed the
problem on Tuesday by issuing an alert and saying it had a fix - for
Red Hat Linux only. Once hackers knew the hole existed it was
apparently simple to write an "exploit" to take advantage of it.

"It is believed that an exploit, leveraging this vulnerability for
Linux system, is already circulating in the hacker community," the
FBI's National Infrastructure Protection Center warned Wednesday.

The emergency problem was created when Red Hat accidentally violated
an understanding, coordinated by the US government-funded Computer
Emergency Response Team (CERT), under which the major Linux vendors
agreed not to reveal the problem until December 3.

By then a patch was supposed to be ready for all affected Linux
distributions, a list that includes Caldera, Sun/Cobalt, Conectiva,
MandrakeSoft, TurboLinux, WireX, Debian and SuSE in addition to Red
Hat. The list of which versions of each distribution are affected is
pages long.

A red-faced Red Hat admitted it goofed. It said it finished work on
its own fix early. The security alert was written and wasn't
supposed to go out until December 3, but slipped out along with some
other unrelated software updates. The problem was that there was no
patch ready for anyone else's distribution. Hmmm.

Red Hat apologized to the industry and said that it's changing its
release process to prevent such a thing from happening again, but
the damage was done.

According to the FBI, the security problem was actually discovered
more than six months ago by Bindview. Nobody in the Linux community
did anything about it for all that time based on a belief, proven
erroneous on November 14 by Core Security Technologies, that the
vulnerability could not be exploited.

Linux security folks began patching Globbing Heap but, according to
some reports, they were working at a leisurely pace, figuring they
had until December 3 to finish. After all, why bolt down a few gulps
of Thanksgiving turkey and ruin the holiday weekend by rushing back
to work?

If such a tale had been told about a Windows security vulnerability,
Microsoft would have been publicly hung by the thumbs and flogged
with a wet noodle until it cried for mercy.

That's not to say that Microsoft hasn't faced equally horrendous
security problems, Nimda and Code Red just to name the most recent
headline grabbers.

This problem may, though, be even greater in scale because there are
believed to be far more Linux-powered ftp sites on the Internet than
Windows-powered sites. Nobody has an accurate count.

According to the FBI the greatest danger is to web sites that let
anyone access the files in a given directory on their server - the
so-called anonymous or guest login. The practice of letting guests
log in is widespread. Anyone who's ever downloaded a piece of free
software, a free music file or even a text file has probably used
such a login, even if they didn't realize they were doing it.

The vulnerability also exists on sites that are password protected.
Anyone with a legitimate password providing access to even a single
directory can apparently misuse the right and penetrate a server
down to the root.

At press time, the wu-FTP group had posted what appears to be a
patch, though it's not clear that it works with all Linux
distributions. The patch was said to protect only wu-FTP 2.6.1.
Users of earlier versions have to upgrade and then apply several
patches.

This isn't, by the way, a job for grandma. The patch is raw source
code. When the various distributions release finished patches they
should be usable by normal human beings, or as close to normal as
anyone who's in charge of a web server ever gets.

There's also another problem. The Washington University crew warns
that some pre-released Linux distributions include the beta version
of a new cut of wu-FTP. The beta of the new version, currently
identified as version 2.7 but scheduled for eventual release as
version 2.8, is vulnerable. The patch won't fix it. - SZ

-------------------------------------------------------




This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:02:16 EDT