AA-2001.05 -- wu-ftpd "File Globbing Heap Corruption" Vulnerability

Date: 29 November 2001
References: ESB-2001.503  ESB-2001.504  ESB-2001.507  ESB-2001.514  ESB-2001.521  ESB-2002.046  


===========================================================================
AA-2001.05                    AUSCERT Advisory

             wu-ftpd "File Globbing Heap Corruption" Vulnerability

                              29 November 2001

Last Revised: --

- ---------------------------------------------------------------------------

AusCERT has received information that there is a vulnerability in some
versions of wu-ftpd (up to and including 2.6.1) which run on various
platforms.

This vulnerability may allow local, remote and anonymous users to gain
root privileges or to cause a Denial of Service.

Information about this vulnerability has been made publicly available.

AusCERT recommends that sites take the steps outlined in Section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1.  Description

    The wu-ftpd program provides file transfer protocol (FTP) services.

    The CORE ST Team has found a remotely exploitable heap corruption bug
    in the ftpglob() function of all versions of wu-ftpd.  It is possible
    to coerce the wu-ftpd daemon into executing arbitrary code.

    Sites can determine if this program is installed by using:

       % ftp hostname

    and examining the output of the ftp login banner.

    If no version information appears on the login banner, or to verify
    the information on the login banner is correct, log into the ftp
    server as normal then issue the following command:
  
      ftp> quote stat

    All affected versions of the wu-ftpd daemon allow control over the
    information revealed in the initial login banner; however, they all
    return their version number in response to the ftp server "stat"
    command shown above.
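    As an added example (not part of the AusCERT advisory), the Python
    script below applies the two checks just described: it reads the login
    banner, sends the "stat" command, and compares any wu-ftpd version it
    finds against 2.6.1.  The sample replies are constructed, and the host,
    credentials and function names are assumptions of this example.

```python
import re
from ftplib import FTP

# Highest version the advisory lists as affected: wu-ftpd 2.6.1 and prior.
LAST_AFFECTED = (2, 6, 1)
# wu-ftpd reports itself as e.g. "Version wu-2.6.1(1) ..." in banner and STAT.
_VERSION_RE = re.compile(r"\bwu-(\d+)\.(\d+)\.(\d+)")


def parse_wu_version(text):
    """Return the wu-ftpd version found in text as a tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True when the version is 2.6.1 or earlier (advisory Section 3.1)."""
    return version is not None and version <= LAST_AFFECTED


def assess(banner, stat_reply):
    """Prefer the STAT reply: affected versions always include the version
    there even when the login banner has been customised to hide it."""
    version = parse_wu_version(stat_reply) or parse_wu_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def check_host(host, user="anonymous", passwd="check@example.com"):
    """Live check of one host (assumed usage): banner, login, then STAT."""
    with FTP(host, timeout=10) as ftp:
        banner = ftp.getwelcome()   # the 220 login banner
        ftp.login(user, passwd)
        stat_reply = ftp.sendcmd("STAT")  # equivalent of "quote stat"
    return assess(banner, stat_reply)


# Constructed sample replies (not captured from a real host); the banner
# has been customised to hide the version, but STAT still reveals it.
SAMPLE_BANNER = "220 ftp.example.com FTP server ready."
SAMPLE_STAT = ("211-ftp.example.com FTP server status:\n"
               "     Version wu-2.6.1(1) Mon Jan  1 00:00:00 EST 2001\n"
               "211 End of status")

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_STAT))
```

    Run check_host("ftp.example.com") against a host you administer to
    replace the constructed replies with live ones.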

2.  Impact

    This vulnerability may allow local, remote and anonymous users to gain
    root privileges. If anonymous FTP is not available, this vulnerability
    may still be exploited by authenticated users. It may also allow for
    a Denial of Service vulnerability that is exploitable remotely.

3.  Workarounds/Solution

    AusCERT recommends that sites prevent exploitation of the
    vulnerability in wu-ftpd by upgrading immediately and applying patches
    when available, as described in Section 3.2.  Versions known to be
    vulnerable are listed in Section 3.1.

    If the functionality provided by wu-ftpd is not required at all, or
    if a patch for the vulnerability is not available for the site's
    architecture, it is recommended that sites disable wu-ftpd on their
    systems.

3.1 Status of variants and versions of wu-ftpd likely to be affected.

    This vulnerability may exist on any systems on which the wu-ftpd daemon
    is installed:

    wu-ftpd:
      Versions affected: wu-ftpd-2.6.1 (and prior versions)
        Vendor patch is NOT available at the time of this
        advisory
        (See Section 3.2)

    This vulnerability is known to be present on the following specific
    wu-ftpd implementations:

    Red Hat:
      Versions affected: All present versions.
                         Vendor patch is available.
        (See Section 3.3)

    SuSE:
      Versions affected: All present versions.
                         Vendor patch is available.
        (See Section 3.4)

    Caldera:
      Versions affected: All present versions.
                         Vendor patch is available.
        (See Section 3.5)

3.2 Disable the service and use alternatives until patches are available.

    A temporary fix other than using a different server implementation of
    the ftp protocol is not available.  We recommend updating the wu-ftpd
    package on your system from your vendor as soon as possible.

3.3 Upgrade to latest wu-ftpd Red Hat RPM.

    Red Hat have released updated versions of wu-ftpd which address this
    vulnerability. More information (including RPMs) can be found at:

      http://www.redhat.com/support/errata/RHSA-2001-157.html

3.4 Upgrade to latest wu-ftpd SuSE RPM.

    SuSE have released updated versions of wu-ftpd which address this
    vulnerability. More information (including RPMs) can be found at:

      http://lists2.suse.com/archive/suse-security-announce/2001-Nov/0005.html

3.5 Upgrade to latest wu-ftpd Caldera package.

    Caldera have released updated versions of wu-ftpd which address this
    vulnerability. More information (including RPMs) can be found at:

      http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt

- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane        
Qld  4072     
AUSTRALIA       


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
