Date: 19 October 1999
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-1999.02 AUSCERT Advisory
Multiple Vulnerabilities in wu-ftpd based daemons
19 October 1999
Last Revised: --
- ---------------------------------------------------------------------------
AusCERT has received information that there are vulnerabilities in all
versions of wu-ftpd (prior to 2.6.0) and its derivatives which run on
various platforms.
These vulnerabilities may allow local, remote and anonymous users to gain
root privileges or degrade system performance.
AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
The wu-ftpd program provides file transfer protocol (FTP) services.
A user may gain privileged access by exploiting a buffer overrun in
a wu-ftpd daemon which has insufficient bounds checking on expansions
in message files. This vulnerability may be exploited by creating
a maliciously crafted message file or manipulating the results of
remotely supplied information to an existing message file.
A separate buffer overrun vulnerability is exploitable in the
'ftpshut' program if it is set with suid-root privilege. This can be
leveraged by local users to gain root.
(Please note wu-ftpd does not install 'ftpshut' suid-root by default.)
Due to inadequate pathname filtering, a user may exploit a resource
starvation Denial of Service (DoS) vulnerability by issuing a number
of specific directory listing requests.
These are new vulnerabilities unlike the ftpd vulnerabilities described
in AusCERT Advisory AA-1999.01 "wu-ftpd/BeroFTPD MAPPING_CHDIR
Vulnerability" and CERT Advisory CA-99-03 "FTP Buffer Overflows"
(reissued as AusCERT ESB-1999.020).
Sites can determine if this program is installed by using:
% ftp hostname
and examining the output of the ftp login banner.
If no version information appears on the login banner, or to verify
this information, log into the ftp server as normal then issue the
following command:
ftp> quote stat
Some affected versions of the wu-ftpd daemon allow control over the
information revealed in the initial login banner however they all
return their version number in response to the ftp server stat command
shown above.
2. Impact
These vulnerabilities may allow local, remote and anonymous users to
gain root privileges or degrade system performance.
3. Solution
AusCERT recommends that sites prevent the exploitation of these
vulnerabilities in wu-ftpd by immediately upgrading as described in
Section 3.2. Versions known to be vulnerable are listed in Section 3.1
If no patch or upgrade is available for other derivatives of wu-ftpd,
AusCERT recommends sites move to the wu-ftpd distribution as described
in Section 3.2.
If the functionality provided by wu-ftpd is not required at all, it
is recommended that sites disable it on their systems.
3.1 Status of variants and versions of wu-ftpd likely to be affected.
These vulnerabilities are known to be present in the following
ftpd implementations:
wu-ftpd:
Versions effected: All versions prior to wu-ftpd-2.6.0
Including all derivative versions from
wustl.edu, academ.com, vr.net and wu-ftpd.org.
(See Section 3.2)
BeroFTPD:
Versions effected: All present versions.
No vendor patch will be available.
BeroFTPD and wu-ftpd have been merged as of
wu-ftpd 2.6.0.
(See Section 3.2)
RedHat:
Versions effected: All present versions.
No patch is currently available.
(See Section 3.3)
3.2 Upgrade to latest wu-ftpd.
These vulnerabilities have been fixed in the 2.6.0 release of wu-ftpd
which has been made available by the WU-FTPD Development Group. Sites
should upgrade to the latest version of wu-ftpd (2.6.0).
The 2.6.0 release of wu-ftpd is available from:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/
or
ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/wu-ftpd/
wu-ftpd is also available from mirror sites listed in:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/README-MIRRORS
IMPORTANT NOTE: The 2.6.0 version has been corrected to increase
it's conformance to the RFC standards for FTP. However, as a result,
some FTP clients which are not completely RFC compliant may cease to
inter-operate correctly with wu-ftpd 2.6.0 servers.
It is believed that the W3C libwww ftp implementation is
non-conforming. This affects Lynx, CERN, Squid and Midnight Commander.
The effects of a non-conforming client are a hanging transfer (usually
when obtaining a directory listing).
Squid, however, appears to recover and may hide the failure from the
FTP user and the FTP site administrator; the Squid administrator may
see a large number of errors in their logs.
In addition, the popular ftp mirroring program 'mirror' written by
Lee McLoughlin is also affected. Versions up to and including the
current version (2.9) will not work correctly with wu-ftpd 2.6.0
servers. Users of the mirror program version 2.9 can apply the following
patch to mirror to make it compatible with wu-ftpd 2.6.0 servers:
ftp://ftp.wu-ftpd.org/pub/support/wu-ftpd-2.6.0-mirror-2.9.patch
ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/support/wu-ftpd-2.6.0-mirror-2.9.patch
Users of mirror prior to version 2.9 should install the 2.9 release
and apply the above mentioned patch. The 2.9 version is available
from:
ftp://ftp.wu-ftpd.org/pub/support/mirror-2.9.tar.gz
ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/support/mirror-2.9.tar.gz
As a temporary measure, sites can keep the old (non-conforming)
functionality of previous ftpd versions by enabling the following
option during compilation of wu-ftpd 2.6.0:
o Using GNU autoconf (not available on all platforms):
Reconfigure adding the --enable-badclients option, make clean and
make as normal.
o Using old-style 'build' command:
Edit config.h.noac, change
#undef SUPPORT_BROKEN_CLIENTS
to
#define SUPPORT_BROKEN_CLIENTS
Clear any previous build results (build clean) then recompile for
your platform as normal.
This option will not be supported in future releases of wu-ftpd.
3.3 Upgrade to latest wu-ftpd RPM when available.
AusCERT expects that Red Hat will shortly release updated versions of
wu-ftpd which address this advisory. Until then sites may wish to
install wu-ftpd 2.6.0 as described in Section 3.2.
4. Additional measures
4.1 Disable/Limit writable ftp incoming areas.
Public writable areas have been a common source of abuse on ftp
servers. To limit exposure to similar incidents, sites should review
and modify their configuration to remove or limit any upload areas.
This may provide little or no protection against non-anonymous
accounts. Caution needs to be taken as this is a complex configuration
issue.
For the correct procedures on how to configure upload areas on wu-ftpd
based implementations, please refer to:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO
- ---------------------------------------------------------------------------
AusCERT thanks Gregory A Lundberg of the WU-FTPD Development Group for the
original report and assistance in the preparation of this advisory.
- ---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOAyYbih9+71yA2DNAQGsMQP/ef4ZyF0U54gMUr6FPel1W7ffMR5WSPo2
5XyW4lQpUeTJMQiD4Cl8+B50ZSkVwVJ52C4IsAbkDd3CpOLXQZ/SGCrc4u4QHBCn
mQCxLDJbJ4Dhlr+0bfH17ZofhP6Q/qemYxHwoLy0Imt8XtigrwG+z+9FeVl7q2an
VKm1CvWqQDE=
=sp0T
-----END PGP SIGNATURE-----
|