Vulnerability in Linux wu-ftpd
K-054: Vulnerability in Linux wu-ftpd

June 26, 2000 17:00 GMT


PROBLEM:       Due to improper implementation of the 'site exec' command, it
               is possible to execute arbitrary code.
PLATFORM:      Caldera
                    OpenLinux Desktop 2.3 (with wu-ftpd-2.5.0-7 and prior)
                    OpenLinux eServer 2.3 (with wu-ftpd-2.5.0-7 and prior)
                    OpenLinux eBuilder 2.3 (with wu-ftpd-2.5.0-7 and prior)
                    OpenLinux eDesktop 2.4 (with wu-ftpd-2.5.0-7 and prior)
               Debian:
                    Debian GNU/Linux 2.1 (slink, potato and woody)
               Red Hat
                    Red Hat Linux 5.2 - i386 alpha sparc
                    Red Hat Linux 6.2 - i386 alpha sparc
DAMAGE:        This vulnerability may allow local, remote and anonymous users
               to gain root privileges.
SOLUTION:      Immediately apply fixes as recommended in the advisory.


VULNERABILITY  The risk is HIGH. The vulnerability and exploits have been
ASSESSMENT:    discussed in public forums.



[******  Start AusCERT Advisory ******]


===========================================================================
AA-2000.02                    AUSCERT Advisory
                      wu-ftpd "site exec" Vulnerability

                                26 June 2000

Last Revised: --

- ---------------------------------------------------------------------------

AusCERT has received information that there is a vulnerability in some
versions of wu-ftpd (up to and including 2.6.0) which run on various
platforms.

This vulnerability may allow local, remote and anonymous users to gain
root privileges.

Information about this vulnerability and an exploit has been made publicly
available.

AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1.  Description

    The wu-ftpd program provides file transfer protocol (FTP) services.

    Due to insufficient checking in the formatting of the "site exec"
    command, it is possible to coerce the wu-ftpd daemon to execute
    arbitrary code.

    Sites can determine if this program is installed by using:

       % ftp hostname

    and examining the output of the ftp login banner.

    If no version information appears on the login banner, or to verify
    the information on the login banner is correct, log into the ftp
    server as normal then issue the following command:

      ftp> quote stat

    All affected versions of the wu-ftpd daemon let the site control the
    information revealed in the initial login banner; however, they all
    return their version number in response to the ftp server "stat"
    command as shown above.
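The banner and "quote stat" checks described in Section 1, automated for hosts you administer; this is an added example, not part of the AusCERT advisory. The host names and server replies are constructed samples, and the version cut-off is the advisory's own 2.6.0.

```python
import re
from ftplib import FTP

# A wu-ftpd banner or STAT reply carries a string such as "Version wu-2.6.0(1) ...".
VERSION_RE = re.compile(r"Version\s+wu-(\d+)\.(\d+)\.(\d+)")
# The advisory's scope: every release up to and including 2.6.0 needs the patch.
LAST_VULNERABLE = (2, 6, 0)

def parse_wu_version(text):
    """Return the wu-ftpd version as a tuple, or None if no version string is present."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def is_in_advisory_scope(version):
    """True when the version is one the advisory lists as needing the patch."""
    return version <= LAST_VULNERABLE

def assess(banner, stat_reply):
    """Prefer the STAT reply: the banner is site-configurable, STAT always reports the
    version.  A 2.6.0 that already carries the vendor patch still reports 2.6.0, so
    the verdict is 'patch-required-unless-applied', not proof of exploitability."""
    version = parse_wu_version(stat_reply) or parse_wu_version(banner)
    if version is None:
        return ("no-wu-ftpd-version-found", None)
    if is_in_advisory_scope(version):
        return ("patch-required-unless-applied", version)
    return ("outside-advisory-scope", version)

def probe_ftp(host, port=21, timeout=10):
    """Inventory check of a host you administer: read the banner, log in anonymously
    and send STAT (what 'quote stat' does at the ftp> prompt)."""
    ftp = FTP()
    banner = ftp.connect(host, port, timeout)   # connect() returns the 220 banner
    try:
        ftp.login()                              # anonymous login
        stat_reply = ftp.sendcmd("STAT")         # multi-line 211 reply
    finally:
        ftp.close()
    return assess(banner, stat_reply)

# Constructed sample replies (not captured from a real server) for offline use.
SAMPLE_BANNER = ("220 ftp.example.test FTP server (Version wu-2.6.0(1) "
                 "Mon Feb 28 10:30:36 EST 2000) ready.")
SAMPLE_STAT = ("211-ftp.example.test FTP server status:\n"
               "     Version wu-2.5.0(1) Tue Oct 5 12:00:00 EDT 1999\n"
               "211 End of status")
HIDDEN_BANNER = "220 FTP server ready."   # site has stripped the version from the banner
if __name__ == "__main__":
    print(assess(HIDDEN_BANNER, SAMPLE_STAT))   # -> ('patch-required-unless-applied', (2, 5, 0))
```

Treat the verdict as a triage input only: vendor packages that contain the Section 3.2 patch keep the 2.6.0 version string, so confirm against the installed package version before concluding a host is unpatched.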

2.  Impact

    This vulnerability may allow local, remote and anonymous users to gain
    root privileges.

3.  Workarounds/Solution

    AusCERT recommends that sites prevent the exploitation of the
    vulnerability in wu-ftpd by immediately upgrading and applying the
    available patch as described in Section 3.2.  Versions known to be
    vulnerable are listed in Section 3.1.

    If the functionality provided by wu-ftpd is not required at all, it
    is recommended that sites disable it on their systems.

3.1 Status of variants and versions of wu-ftpd likely to be affected.

    This vulnerability is known to be present on the following ftpd
    implementations:

    wu-ftpd:
      Versions affected:

        wu-ftpd-2.6.0 (and prior versions)
        (See Section 3.2)

    Red Hat:
      Versions affected: All present versions.
                         Vendor patch is available.
        (See Section 3.3)

    Caldera:
      Versions affected: All present versions.
                         Vendor patch is available.
        (See Section 3.4)

    Debian:
      Versions affected: All present versions.
                         Vendor patch is available.
        (See Section 3.5)

3.2 Upgrade to latest wu-ftpd and apply patch.

    A patch to remove this vulnerability from the 2.6.0 release of wu-ftpd
    has been made available by the WU-FTPD Development Group. Sites should
    upgrade to the latest version of wu-ftpd (2.6.0) and apply this patch.

    The 2.6.0 release of wu-ftpd is available from:

      ftp.wu-ftpd.org/pub/wu-ftpd

    The security patch that needs to be applied to wu-ftpd 2.6.0 is available
    from:

      ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch

3.3 Upgrade to latest wu-ftpd Red Hat RPM.

    Red Hat have released updated versions of wu-ftpd which address this
    vulnerability. More information (including RPMs) can be found at:

      http://www.redhat.com/support/errata/RHSA-2000-039-02.html/

    The RPMs they have made available contain the patch mentioned in
    section 3.2.

3.4 Upgrade to latest wu-ftpd Caldera RPM.

    Caldera have released updated versions of wu-ftpd which address this
    vulnerability. More information (including RPMs) can be found at:

      ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt

    The RPMs they have made available contain the patch mentioned in
    section 3.2.

3.5 Upgrade to latest wu-ftpd Debian package.

    Debian have released updated versions of wu-ftpd which address this
    vulnerability. More information (including packages) can be
    found at:

      http://www.debian.org/security/2000/20000623

    The packages they have made available contain the patch mentioned in
    section 3.2.

- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp.auscert.org.au/pub.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




[******  End AusCERT Advisory ******]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of AusCERT for the
information contained in this bulletin.
_______________________________________________________________________________


CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
