File Transfer Protocol (FTP) servers, one of the most popular avenues for uploading and downloading files on the Internet, are commonly bundled with Web server packages and switched on by default. Sending certain commands to those FTP servers can give anyone root access, said Jim Magdych, a security research manager at PGP.
"It's very common for Web servers to run FTP at the same time," Magdych said. "A lot of systems may be running FTP servers when people don't even realise it's running."
Researchers at Covert Labs (Computer Vulnerability Emergency Response Team), a division of PGP, discovered the hole about a month ago, Magdych said. Since then the lab has confirmed Sun Solaris, HP-UX, SGI's IRIX, FreeBSD, NetBSD and OpenBSD as the Unix platforms that are vulnerable and has been notifying the companies that produce them. Microsoft Windows NT/2000 and IIS have been confirmed not to be vulnerable.
PGP will not notify the general public of the exploit until tomorrow, by which time the researchers hope the affected vendors will have published fixes for the problem. Magdych said there have been no reported attacks using the exploit to date.
Currently, PGP is balancing "responsible disclosure versus full disclosure," Magdych said. "Anytime [an exploit] is discovered and you bring someone in the loop, there's a risk of the information getting out, but once there's a risk of it being misused, you want to highlight the vulnerability."
To those who would say to keep the cat in the bag, Magdych calls that "security through obscurity."
"The fact is [the exploit] does exist whether or not we tell anyone."
While avoiding offering a hacker's handbook, Magdych said the problem lies in the implementation of "glob()," the library routine FTP servers use to expand wildcard patterns in file names. Typing "a*" asks for every file whose name begins with the letter "a."
Under certain conditions, an intruder can craft a pattern that makes glob() produce more data than the server has set aside for it. The excess overflows that buffer, and if the attacker controls the overflowing bytes the server ends up executing them as code. Because the FTP daemon typically runs with root privileges, that code runs as root.
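To make the mechanism concrete, here is an added example written for this article, not code from PGP, Covert Labs or any of the affected vendors. It is a miniature wildcard expander over a constructed in-memory directory listing: expand_unchecked() has the shape of the bug (matches are appended to a fixed-size buffer with no length check, so a pattern matching enough or long enough names writes past the buffer), and expand_bounded() shows the fix (count what the full expansion needs, write only what fits, and report the shortfall so the caller can refuse the request). All names, sizes and file entries are illustrative assumptions.

```c
/* Added example (not vendor code): how a glob()-style wildcard expansion
 * overflows a fixed buffer, and how a bounded version avoids it. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed directory listing, standing in for what an FTP daemon would
 * read with readdir(). */
static const char *const kEntries[] = {
    "a.txt", "abc.log", "archive.tar.gz", "another_long_filename.dat",
    "b.txt", "config", "data.bin",
};
#define NENTRIES (sizeof kEntries / sizeof kEntries[0])

/* Minimal glob matcher: '*' matches any run of characters, '?' one char. */
int wild_match(const char *pat, const char *s) {
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;          /* collapse repeated '*' */
            if (!*pat) return 1;                 /* trailing '*' takes the rest */
            for (; *s; s++)
                if (wild_match(pat, s)) return 1;
            return 0;
        }
        if (!*s || (*pat != '?' && *pat != *s)) return 0;
        pat++; s++;
    }
    return *s == '\0';
}

/* The vulnerable shape: every match is appended with strcat() and the
 * buffer size is never consulted.  A pattern such as "a*" over enough long
 * names writes past the end of 'out'.  Only safe to call when the caller
 * already knows the expansion fits. */
void expand_unchecked(const char *pat, char *out) {
    out[0] = '\0';
    for (size_t i = 0; i < NENTRIES; i++) {
        if (!wild_match(pat, kEntries[i])) continue;
        if (out[0]) strcat(out, " ");
        strcat(out, kEntries[i]);            /* unbounded copy: the bug */
    }
}

/* The hardened shape: count the bytes the full expansion needs, write only
 * while the next "separator + name + NUL" still fits, and stop writing (but
 * keep counting) once it does not.  Returns the total length needed,
 * snprintf-style, so callers can detect truncation.  outsz may be 0 to
 * measure without writing. */
size_t expand_bounded(const char *pat, char *out, size_t outsz) {
    size_t used = 0, needed = 0;
    int truncated = 0;
    if (outsz) out[0] = '\0';
    for (size_t i = 0; i < NENTRIES; i++) {
        if (!wild_match(pat, kEntries[i])) continue;
        size_t len = strlen(kEntries[i]);
        size_t sep = needed ? 1 : 0;
        needed += sep + len;
        if (!truncated && outsz && used + sep + len + 1 <= outsz) {
            if (sep) out[used++] = ' ';
            memcpy(out + used, kEntries[i], len);
            used += len;
            out[used] = '\0';
        } else {
            truncated = 1;                   /* never write partial names */
        }
    }
    return needed;
}

/* Bytes the expansion of 'pat' needs, excluding the terminating NUL. */
size_t expansion_needs(const char *pat) {
    return expand_bounded(pat, NULL, 0);
}

/* The check the vulnerable code lacks: would this expansion overrun a
 * buffer of 'outsz' bytes? */
int expansion_overflows(const char *pat, size_t outsz) {
    return expansion_needs(pat) + 1 > outsz;
}

/* Length actually written by expand_bounded() into a scratch buffer of
 * 'outsz' bytes (capped at 256 for this example). */
size_t written_length(const char *pat, size_t outsz) {
    char buf[256];
    if (outsz > sizeof buf) outsz = sizeof buf;
    expand_bounded(pat, buf, outsz);
    return strlen(buf);
}

int main(void) {
    char buf[32];                            /* the daemon's fixed buffer */
    const char *pat = "a*";
    if (expansion_overflows(pat, sizeof buf)) {
        /* A safe server rejects or truncates here instead of calling
         * expand_unchecked(), which would overrun buf. */
        size_t need = expand_bounded(pat, buf, sizeof buf);
        printf("\"%s\" needs %zu bytes, buffer holds %zu; truncated to \"%s\"\n",
               pat, need + 1, sizeof buf, buf);
    } else {
        expand_unchecked(pat, buf);          /* fits, so the old path is fine */
        printf("%s\n", buf);
    }
    return 0;
}
```

Run as written it reports that "a*" needs 55 bytes against a 32-byte buffer and prints the truncated listing; the unchecked path is only taken when the size check passes, which is exactly the check the vulnerable servers omitted.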
Businesses and service providers that use one of the above platforms are urged to contact their software vendor or go to PGP.com for more information.