Date: 22 October 1999
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-1999.161 -- RHSA-1999:043-01
wu-ftp security remote exploit
22 October 1999
===========================================================================
Red Hat, Inc. has released the following advisory concerning multiple
vulnerabilities in wu-ftpd based daemons. Remote and local intruders may
be able to exploit these vulnerabilities to execute arbitrary code as the user
running the ftpd daemon, typically root.
These vulnerabilities were first discussed in AusCERT Advisory AA-1999.02
and more information was added in CERT Advisory CA-99-13. (ESB-1999.157)
--------------------------BEGIN INCLUDED TEXT--------------------
-----BEGIN PGP SIGNED MESSAGE-----
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: Security problems in WU-FTPD
Advisory ID: RHSA-1999:043-01
Issue date: 1999-10-21
Updated on:
Keywords: wu-ftp security remote exploit
Cross references:
---------------------------------------------------------------------
1. Topic:
Various computer security groups have reported security problems in the
WU-FTPD daemon, the FTP server shipped with all versions of Red Hat Linux.
2. Problem description:
Three vulnerabilities have been identified in WU-FTPD and other ftp daemons
based on the WU-FTPD source code.
Vulnerability #1: MAPPING_CHDIR Buffer Overflow
Vulnerability #2: Message File Buffer Overflow
Remote and local intruders may be able to exploit these vulnerabilities to
execute arbitrary code as the user running the ftpd daemon, usually root.
Vulnerability #3: SITE NEWER Consumes Memory
Remote and local intruders who can connect to the FTP server can cause
the server to consume excessive amounts of memory, preventing normal
system operation. If intruders can create files on the system, they
may be able to exploit this vulnerability to execute arbitrary code as
the user running the ftpd daemon, usually root.
3. Bug IDs fixed (http://developer.redhat.com/bugzilla for more info):
N/A
4. Relevant releases/architectures:
Red Hat Linux 4.2 for i386, alpha and sparc
Red Hat Linux 5.2 for i386, alpha and sparc
Red Hat Linux 6.x for i386, alpha and sparc
5. Obsoleted by:
6. Conflicts with:
7. RPMs required:
Red Hat Linux 4.2
-----------------
Intel:
ftp://updates.redhat.com//4.2/i386/wu-ftpd-2.6.0-0.4.2.i386.rpm
Alpha:
ftp://updates.redhat.com//4.2/alpha/wu-ftpd-2.6.0-0.4.2.alpha.rpm
Sparc:
ftp://updates.redhat.com//4.2/sparc/wu-ftpd-2.6.0-0.4.2.sparc.rpm
Source packages:
ftp://updates.redhat.com//4.2/SRPMS/wu-ftpd-2.6.0-0.4.2.src.rpm
Red Hat Linux 5.2
-----------------
Intel:
ftp://updates.redhat.com//5.2/i386/wu-ftpd-2.6.0-0.5.x.i386.rpm
Alpha:
ftp://updates.redhat.com//5.2/alpha/wu-ftpd-2.6.0-0.5.x.alpha.rpm
Sparc:
ftp://updates.redhat.com//5.2/sparc/wu-ftpd-2.6.0-0.5.x.sparc.rpm
Source packages:
ftp://updates.redhat.com//5.2/SRPMS/wu-ftpd-2.6.0-0.5.x.src.rpm
Red Hat Linux 6.x
-----------------
Intel:
ftp://updates.redhat.com//6.0/i386/wu-ftpd-2.6.0-1.i386.rpm
Alpha:
ftp://updates.redhat.com//6.0/alpha/wu-ftpd-2.6.0-1.alpha.rpm
Sparc:
ftp://updates.redhat.com//6.0/sparc/wu-ftpd-2.6.0-1.sparc.rpm
Source packages:
ftp://updates.redhat.com//6.0/SRPMS/wu-ftpd-2.6.0-1.src.rpm
8. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh <filename>
where <filename> is the name of the RPM.
9. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
c6e1e63399ce8497b6ff7c9945954690 i386/wu-ftpd-2.6.0-0.4.2.i386.rpm
05c278b6507fbac44443a8be434adeed alpha/wu-ftpd-2.6.0-0.4.2.alpha.rpm
0ecd4ff150450607ce4b69982419ef07 sparc/wu-ftpd-2.6.0-0.4.2.sparc.rpm
acb4144d477075480fd89112112658a9 SRPMS/wu-ftpd-2.6.0-0.4.2.src.rpm
13349a3192515d85c06dc873344a10bd i386/wu-ftpd-2.6.0-0.5.x.i386.rpm
c6e97b13e6924d96f40cf4da8e8d217b alpha/wu-ftpd-2.6.0-0.5.x.alpha.rpm
35a32345c364e216e7437b1485c95160 sparc/wu-ftpd-2.6.0-0.5.x.sparc.rpm
b9bdb8ca91e296e07344e1c1915078dd SRPMS/wu-ftpd-2.6.0-0.5.x.src.rpm
dcd5d04df11849007aa3c4fb398cfbfb i386/wu-ftpd-2.6.0-1.i386.rpm
a0b3a1a0dcfbdfd1443d0aecd960e907 alpha/wu-ftpd-2.6.0-1.alpha.rpm
7511f1f96b3044207cbe11d34f75ff7a sparc/wu-ftpd-2.6.0-1.sparc.rpm
7e30ea42e82908752b943621580f6f1c SRPMS/wu-ftpd-2.6.0-1.src.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>
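The sums in section 9 can be checked mechanically before any package is installed. The script below is an added example, not Red Hat's or AusCERT's code; it assumes the RPMs were downloaded into one directory laid out like updates.redhat.com (i386/, alpha/, sparc/, SRPMS/) and that md5sum(1) is on PATH.

```shell
# Added example: check downloaded wu-ftpd RPMs against the MD5 sums published
# in section 9 of the advisory before running "rpm -Uvh". A matching sum only
# shows the file was not corrupted or altered in transit; as the advisory says,
# "rpm --checksig <filename>" with Red Hat's GPG key is what proves origin.

# Sums copied from the advisory, "<md5>  <path relative to the download dir>".
PUBLISHED_SUMS='c6e1e63399ce8497b6ff7c9945954690  i386/wu-ftpd-2.6.0-0.4.2.i386.rpm
05c278b6507fbac44443a8be434adeed  alpha/wu-ftpd-2.6.0-0.4.2.alpha.rpm
0ecd4ff150450607ce4b69982419ef07  sparc/wu-ftpd-2.6.0-0.4.2.sparc.rpm
acb4144d477075480fd89112112658a9  SRPMS/wu-ftpd-2.6.0-0.4.2.src.rpm
13349a3192515d85c06dc873344a10bd  i386/wu-ftpd-2.6.0-0.5.x.i386.rpm
c6e97b13e6924d96f40cf4da8e8d217b  alpha/wu-ftpd-2.6.0-0.5.x.alpha.rpm
35a32345c364e216e7437b1485c95160  sparc/wu-ftpd-2.6.0-0.5.x.sparc.rpm
b9bdb8ca91e296e07344e1c1915078dd  SRPMS/wu-ftpd-2.6.0-0.5.x.src.rpm
dcd5d04df11849007aa3c4fb398cfbfb  i386/wu-ftpd-2.6.0-1.i386.rpm
a0b3a1a0dcfbdfd1443d0aecd960e907  alpha/wu-ftpd-2.6.0-1.alpha.rpm
7511f1f96b3044207cbe11d34f75ff7a  sparc/wu-ftpd-2.6.0-1.sparc.rpm
7e30ea42e82908752b943621580f6f1c  SRPMS/wu-ftpd-2.6.0-1.src.rpm'

# verify_rpms DIR [SUMS]
# Prints one line per listed package; returns 0 if every package present in
# DIR matches its published sum, 1 if any differs. Packages not present are
# reported as MISSING but do not fail the check (a site normally downloads
# only its own architecture). SUMS defaults to the advisory's table.
verify_rpms() {
    dir=$1
    sums=${2:-$PUBLISHED_SUMS}
    status=0
    tmp=$(mktemp) || return 2
    printf '%s\n' "$sums" > "$tmp"
    while read -r expected path; do   # read from a file so $status survives
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            status=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $status
}

# Usage: sh verify_rpms.sh /path/to/downloaded/rpms
if [ $# -gt 0 ]; then verify_rpms "$1"; fi
```

Install with rpm -Uvh only the packages reported OK, and still run rpm --checksig on them for the GPG signature.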
10. References:
CERT Advisory CA-99-13 Multiple Vulnerabilities in WU-FTPD
http://www.cert.org
AUSCERT Advisory AA-1999.01
ftp://www.auscert.org.au/security/advisory/AA-1999.01.wu-ftpd.mapping_chdir.vul
AUSCERT Advisory AA-1999.02
ftp://www.auscert.org.au/security/advisory/AA-1999.02.multi.wu-ftpd.vuls
Cristian
--
----------------------------------------------------------------------
Cristian Gafton -- gafton@redhat.com -- Red Hat, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"How could this be a problem in a country where we have Intel and
Microsoft?" --Al Gore on Y2K
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
--------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----