=============================================================================

FreeBSD-SA-96:17                                            Security Advisory

Revised: Tue Jul 16 21:44:54 PDT 1996                           FreeBSD, Inc.



Topic:          "Trojan Horse" vulnerability via rz program



Category:       ports

Module:         rzsz

Announced:      1996-07-16

Affects:        All FreeBSD ports collections released before 2.1.5-RELEASE

Corrected:      ports collection as of 1996-07-06

Source:         rzsz shareware package

FreeBSD only:   no



Patches:        http://freebsd.org/pub/CERT/patches/SA-96:17/



=============================================================================



I.   Background



     All existing versions of the rz program (a program for receiving

     files over serial lines using the Z-Modem protocol) are equipped

     with a feature that allows the sender of a file to request the

     execution of arbitrary commands on the receiver's side.  The user

     using rz does not have any control over this feature.



     The workaround is to have rz never execute any command, and

     always pretend a successful execution.



     All FreeBSD users are encouraged to use the workaround provided.

     Since the intent of the Z-Modem protocol is to provide a reliable

     connection between systems of a vastly different architecture,

     the execution of local commands at request of the sending side

     cannot even be considered a useful feature at all.





II.  Problem Description



     The Z-Modem protocol specifies a mechanism which allows the

     transmitter of a file to execute an arbitrary command string

     as part of the file transfer.  This is typically used to rename

     files or eliminate temporary files.  A malicious "trusted" sender

     could send down a command that could damage a user's environment.





III. Impact



     The rzsz package is an optional port that made be installed on

     some FreeBSD systems.  This program is not installed by default.

     Systems without this program are not vulnerable.



     rz allows "Trojan Horse" type attacks against unsuspecting users.

     Since the rz executable does not run with special privileges,

     the vulnerability is limited to changes in the operating environment

     that the user could willingly perform.



     This vulnerability is a fundamental flaw in the Z-Modem protocol.

     Other operating systems and other implementations of the Z-Modem

     protocol may also suffer similar vulnerabilities.



IV.  Workaround



     Disable the rz program.  If it has been installed, it would

     typically be found in /usr/local/bin.



        # chmod 000 /usr/local/bin/rz

        # ls -l /usr/local/bin/rz

        ----------  1 root  wheel  23203 Mar  4 23:12 /usr/local/bin/rz





V. Solution(s)



     This feature is a relatively unknown part of the Z-Modem protocol.

     It is not critical to file transfers in general.  The safest

     approach is to disable this feature in the receiving program.



     Any rzsz port that is obtained from the official ports collection

     after 1996-07-06 includes the following patch to disable this feature.

     This patch applies to rzsz v3.42, if you have an earlier version

     of the rzsz sources, please upgrade to the latest version first.



    *** rz.c.orig       Sat Jul  6 17:34:26 1996

    --- rz.c    Sat Jul  6 17:44:52 1996

    ***************

    *** 1020,1039 ****

    --- 1020,1045 ----

                    case ZCOMMAND:

                            cmdzack1flg = Rxhdr[ZF0];

                            if (zrdata(secbuf, 1024) == GOTCRCW) {

    + #ifdef BIG_SECURITY_HOLE

                                    void exec2();



                                    if (cmdzack1flg & ZCACK1)

                                            stohdr(0L);

                                    else

                                            stohdr((long)sys2(secbuf));

    + #else

    +                           stohdr(0L);

    + #endif

                                    purgeline();        /* dump impatient questions */

                                    do {

                                            zshhdr(4,ZCOMPL, Txhdr);

                                    }

                                    while (++errors<20 && zgethdr(Rxhdr) != ZFIN);

                                    ackbibi();

    + #ifdef BIG_SECURITY_HOLE

                                    if (cmdzack1flg & ZCACK1)

                                            exec2(secbuf);

    + #endif

                                    return ZCOMPL;

                            }

                            zshhdr(4,ZNAK, Txhdr); goto again;



=============================================================================

FreeBSD, Inc.



Web Site:                       http://www.freebsd.org/

Confidential contacts:          security-officer@freebsd.org

PGP Key:                        http://freebsd.org/pub/CERT/public_key.asc

Security notifications:         security-notifications@freebsd.org

Security public discussion:     security@freebsd.org



Notice: Any patches in this document may not apply cleanly due to

        modifications caused by digital signature or mailer software.

        Please reference the URL listed at the top of this document

        for original copies of all patches if necessary.

=============================================================================