Original release date: July  7, 2000<BR>
Last revised: November 21, 2000<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<UL>
<LI>Any system running wu-ftpd 2.6.0 or earlier</LI>
<li>Any system running ftpd derived from wu-ftpd 2.0 or later</li>
<li>Some systems running ftpd derived from BSD ftpd 5.51 or BSD ftpd 5.60 (the final BSD release)
</UL>

<A NAME="overview">
<H2>Overview</H2>

<P>A vulnerability involving an input validation error in the "site
exec" command has recently been identified in the Washington
University ftpd (wu-ftpd) software package: text supplied by the ftp
client is passed to a *printf()-style function as its format argument
rather than as data. Sites running affected systems are advised to
update their wu-ftpd software as soon as possible.

<P>A similar but distinct vulnerability has also been identified that
involves a missing format string in several setproctitle() calls. It
affects a broader range of ftp daemons. Please see <A
HREF="#vendors">Appendix A</a> of this document for the status of
specific ftpd implementations and the available solutions.
 

<A NAME="description">
<H2>I. Description</H2>

<H3>"Site exec" Vulnerability</H3>

<p>A vulnerability has been identified in wu-ftpd and other ftp
daemons based on the wu-ftpd source code. Wu-ftpd is a common package
used to provide file transfer protocol (ftp) services. This
vulnerability is being discussed as the wu-ftpd "site exec" or
"lreply" vulnerability in various public forums. Incidents involving
the exploitation of this vulnerability, which enables remote
users to gain root privileges, have been reported to the CERT
Coordination Center.


<p>The problem is described in AUSCERT Advisory AA-2000.02, "wu-ftpd
'site exec' Vulnerability," which is available from

<DL><DD>
	<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02">ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02</a>
</DL>

<p>The wu-ftpd "site exec" vulnerability is the result of a missing
format-string argument in several function calls that implement
the "site exec" command functionality: the text of the command is
handed to a *printf()-style function as the format itself rather
than as data. Normally if "site exec" is
enabled, a user logged into an ftp server (including the 'ftp' or
'anonymous' user) may execute a restricted subset of quoted commands
on the server itself.  However, if a malicious user can pass character
format strings consisting of carefully constructed *printf()
conversion characters (%f, %p, %n, etc.) while executing a "site exec"
command, the ftp daemon can be made to read words off its own stack
(%p, %f) and to write to memory (%n), and so may be tricked into
executing arbitrary code as root.

<p>The "site exec" vulnerability appears to have been in the wu-ftpd
code since the original wu-ftpd 2.0 came out in 1993.  Any vendors who
have based their own ftpd distributions on this vulnerable code are
also likely to be vulnerable.

<p>The vulnerability appears to be exploitable if a local user account
can be used for ftp login. Also, if the "site exec" command
functionality is enabled, then anonymous ftp login allows sufficient
access for an attack.

<H3>setproctitle() Vulnerability</H3>

<p>A separate vulnerability involving a missing format-string
argument in setproctitle(), a call which sets the string shown as the
process title by ps and similar tools, is also present in
wu-ftpd. Because the title incorporates client-supplied data such as
the user name, the client can influence the format string here as
well. Other ftpd implementations have been found to have vulnerable
setproctitle() calls as well, including those from proftpd and
OpenBSD.

<P>The setproctitle() vulnerability appears to have been present in
 various ftpd implementations since at least BSD ftpd 5.51 (which predates
 wuarchive-ftpd 1.0). It has also been confirmed to be present in
 BSD ftpd 5.60 (the final BSD release). Any vendors who have based
 their own ftpd distributions on this vulnerable code are also likely
 to be vulnerable.

<P>It should be noted that many operating systems do not support
setproctitle() calls. However, other software engineering defects
involving the same type of missing format-string argument may
be present.

<P>It had been previously reported that the setproctitle()
vulnerability had been used in conjunction with the "site exec"
vulnerability to exploit vulnerable versions of wu-ftpd. The CERT/CC
is unable to confirm such reports at this time.
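<P>The following is an added example and is not code from wu-ftpd or
from any vendor listed below; the reply helper, the function names and
the sample input are assumptions made for illustration. It models the
bug class behind both the "site exec" and the setproctitle() problems:
a routine that forwards its format argument to vsnprintf(), called once
with client text as the format (vulnerable) and once with client text
as a "%s" argument (fixed).</P>

```c
/*
 * Added example, not code from wu-ftpd or any vendor: a minimal model of
 * the bug class described above. reply_fmt() stands in for a reply
 * routine such as wu-ftpd's lreply(): it takes a printf()-style format and
 * forwards it to vsnprintf(). When attacker-controlled text is passed AS
 * the format, the client chooses the conversions that run; when it is
 * passed as a "%s" argument, it is only ever treated as data. The same
 * one-line fix applies to setproctitle(), which takes a format string too.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 256

/* Hypothetical stand-in for lreply(): writes "<code>-<formatted body>". */
static int reply_fmt(char *out, size_t outlen, int code, const char *fmt, ...)
{
    char body[REPLY_MAX];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(body, sizeof body, fmt, ap);   /* fmt is interpreted here */
    va_end(ap);
    return snprintf(out, outlen, "%d-%s", code, body);
}

/* VULNERABLE: the client's text is the format string. Any %-directive in
 * it is executed against whatever happens to be on the stack. */
int reply_vulnerable(char *out, size_t outlen, const char *client_text)
{
    return reply_fmt(out, outlen, 200, client_text);
}

/* FIXED: the client's text is a %s argument; its '%' characters are data. */
int reply_fixed(char *out, size_t outlen, const char *client_text)
{
    return reply_fmt(out, outlen, 200, "%s", client_text);
}

/* setproctitle()-style title built the safe way: the format is a literal
 * and every client-supplied field goes through %s. */
int proctitle_fixed(char *out, size_t outlen, const char *host, const char *user)
{
    return snprintf(out, outlen, "%s: %s", host, user);
}

int main(void)
{
    /* Constructed input: "%%" is the one directive that is well defined
     * without arguments, so it demonstrates interpretation safely. */
    const char *client_text = "ls 100%% done";
    char buf[REPLY_MAX];

    reply_vulnerable(buf, sizeof buf, client_text);
    printf("vulnerable: %s\n", buf);   /* one '%' consumed by the format */
    reply_fixed(buf, sizeof buf, client_text);
    printf("fixed:      %s\n", buf);   /* text echoed verbatim */
    return 0;
}
```

<P>Run as is, the vulnerable path drops one of the two '%' characters
because the client text was interpreted as a format; the fixed path
echoes it verbatim. With a real daemon behind the call, conversions
such as %p read words off the stack and %n writes to the address they
find, which is the route to root described above. The fix is
mechanical: never pass client text as a format; pass it as a "%s"
argument.</P>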

<h3>Intruder Activity</h3>

<p>One possible indication that you are being attacked through either
of these vulnerabilities is the appearance of syslog entries similar
to the following:

<FONT FACE="monospace">
<DL><DD>
<PRE>
Jul  4 17:43:25 victim ftpd[3408]: USER ftp
Jul  4 17:43:25 victim ftpd[3408]: PASS [malicious shellcode]
Jul  4 17:43:26 victim ftpd[3408]: ANONYMOUS FTP LOGIN FROM
attacker.example.com [10.29.23.19], [malicious shellcode]
Jul  4 17:43:28 victim-site ftpd[3408]: SITE EXEC (lines: 0):
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%
.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%
.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%c%c%c%.f|%p
Jul  4 17:43:28 victim ftpd[3408]: FTP session closed
</PRE></DL>
</FONT>
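<P>The following is an added example and is not part of this advisory
or of any vendor's tools: a small scanner that flags ftpd syslog lines
carrying *printf() conversion sequences, run over constructed sample
lines modelled on the excerpt above. The alert threshold and the
sample lines are assumptions made for this example.</P>

```c
/*
 * Added example, not part of the advisory: a scanner for ftpd syslog
 * lines that carry printf()-style conversion sequences, like the "SITE
 * EXEC" entry shown above. It counts directives (ignoring the literal
 * "%%"), and separately counts %n (a memory write) and %p (an address
 * leak). The sample lines and the threshold below are constructed for this
 * example; tune the threshold to what your own ftpd logs look like.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct fmt_stats {
    int conversions;   /* %-directives other than the literal "%%" */
    int writes;        /* %n, %hn, %hhn: write a byte count into memory */
    int pointers;      /* %p: print a pointer-sized word from the stack */
};

/* Walk s and count printf-style directives. Flags, width, precision and
 * length modifiers are skipped so "%.f", "%08x" and "%hn" all count. */
struct fmt_stats scan_format_directives(const char *s)
{
    struct fmt_stats st = {0, 0, 0};
    const char *p;

    for (p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* "%%": literal percent */
        while (*p && strchr("-+ #0123456789.*", *p))
            p++;                            /* flags, width, precision */
        while (*p && strchr("hlLqjzt", *p))
            p++;                            /* length modifiers */
        if (!*p)
            break;                          /* dangling '%' at end */
        st.conversions++;
        if (*p == 'n')
            st.writes++;
        else if (*p == 'p')
            st.pointers++;
    }
    return st;
}

/* Assumed threshold: several conversions in one client command is far
 * more than any legitimate "site exec" argument or user name needs. */
#define CONVERSION_THRESHOLD 4

int is_suspicious_ftpd_line(const char *line)
{
    struct fmt_stats st = scan_format_directives(line);

    if (st.writes > 0)
        return 1;   /* %n never belongs in an ftp command or user name */
    return st.conversions >= CONVERSION_THRESHOLD;
}

/* Returns how many of the lines are flagged. */
size_t count_suspicious(const char *const lines[], size_t n)
{
    size_t i, hits = 0;
    for (i = 0; i < n; i++)
        if (is_suspicious_ftpd_line(lines[i]))
            hits++;
    return hits;
}

/* Constructed sample lines modelled on the syslog excerpt above. */
static const char *const SAMPLE_LINES[] = {
    "Jul  4 17:43:25 victim ftpd[3408]: USER ftp",
    "Jul  4 17:43:28 victim ftpd[3408]: SITE EXEC (lines: 0): "
        "%.f%.f%.f%.f%.f%.f%.f%.f%c%c%c%.f|%p",
    "Jul  4 17:43:28 victim ftpd[3408]: FTP session closed",
    "Jul  4 17:51:02 victim ftpd[3410]: SITE EXEC (lines: 0): ls -l 100%% done",
    "Jul  4 17:55:40 victim ftpd[3412]: SITE EXEC (lines: 0): %p%p%p%hn",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

int main(void)
{
    size_t i;
    for (i = 0; i < SAMPLE_COUNT; i++) {
        struct fmt_stats st = scan_format_directives(SAMPLE_LINES[i]);
        printf("%s conv=%d %%n=%d %%p=%d  %s\n",
               is_suspicious_ftpd_line(SAMPLE_LINES[i]) ? "ALERT" : "ok   ",
               st.conversions, st.writes, st.pointers, SAMPLE_LINES[i]);
    }
    return 0;
}
```

<P>The scanner looks at every ftpd line, not only "SITE EXEC"
entries, because the setproctitle() vulnerability is reached through
the login fields rather than through "site exec". A single %n is
flagged unconditionally; long runs of %.f or %p, which an attacker uses
to walk up the stack, trip the count threshold.</P>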

<p>Details of both the "site exec" and setproctitle() vulnerabilities
have been posted in various public forums. Please see


<DL><DD>
<a href="http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1387">http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1387</a><BR>
<a href="http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1425">http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1425</a><BR>
<a href="http://ciac.llnl.gov/ciac/bulletins/k-054.shtml">http://ciac.llnl.gov/ciac/bulletins/k-054.shtml</a>
</DL>

<P>The CERT/CC has received reports of the "site exec" vulnerability
being successfully exploited on the Internet. Please check our <a
href="http://www.cert.org/current/current_activity.html">Current
Activity</a> page for updates regarding intruder activity involving
both of these vulnerabilities.


<A NAME="impact">
<H2>II. Impact</H2>

<P>By exploiting either of these input validation problems, local or
remote users logged into the ftp daemon may be able to execute arbitrary
code as root. An anonymous ftp user may also be able to execute
arbitrary code as root.


<A NAME="solution">
<H2>III. Solution</H2>

<H4>Upgrade your version of ftpd</H4>

<P>Please see <A HREF="#vendors">Appendix A</a> of this advisory for
more information about the availability of updated ftpd packages
specific for your system.


<H4>Apply a patch from your vendor</H4>

<P>If you are running vulnerable ftpd implementations and cannot
upgrade, you need to apply the appropriate vendor patches and
recompile and/or reinstall the ftpd server software.

<P><A HREF="#vendors">Appendix A</a> contains information provided by
vendors for this advisory. We will update the appendix as we receive
more information.  If you do not see your vendor's name, the CERT/CC
did not hear from that vendor. Please contact your vendor
directly.</P>

<H4>Disable ftp services</H4>

<P>If neither an upgrade nor a patch can be applied, the CERT/CC
recommends disabling all vulnerable wu-ftpd and proftpd servers. While
disabling "site exec" command functionality or anonymous ftp access
reduces exposure to the "site exec" vulnerability, neither is a
complete solution, and neither addresses the setproctitle()
vulnerability, which does not depend on "site exec".


<A NAME="vendors">
<H2>Appendix A. Vendor Information</H2>



<A NAME="BSDI">
<H4>BSDI</H4>

<P>Current versions of BSD/OS do not include any version of wu-ftpd.  The
BSDI ftpd is not vulnerable to the reported problems; it is not based on
the wu-ftpd code.

<P>The version of ftpd in modern versions of BSD/OS is not vulnerable
to the generic setproctitle() vulnerabilities.

<A NAME="caldera">
<A NAME="openlinux">
<H4>Caldera Systems, Inc</H4>

<P>Please see CSSA-2000-020.0 regarding the wu-ftpd issue and OpenLinux:

<DL><DD>
<a href="ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt">ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt</a>
</DL>

<P>Copyright &copy; 2000 Caldera Systems, Inc.

<A NAME="conectiva">
<H4>Conectiva S.A.</H4>

<P>Please see: 
<DL><DD>
<a href="http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623212826.A13925@conectiva.com.br">http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623212826.A13925@conectiva.com.br</a>
</DL>

<A NAME="dec">
<A NAME="compaq">
<H4>COMPAQ COMPUTER CORPORATION</H4>

<P>At the time of writing this document, this reported problem is
currently still under evaluation by engineering to determine the
requirement of a solution if necessary. COMPAQ will provide an update
to this advisory accordingly.

<A NAME="debian">
<H4>Debian GNU/Linux</H4>

<P>Please see the following regarding the wu-ftpd "site exec" issue:

<DL><DD>
<a href="http://www.debian.org/security/2000/20000623">http://www.debian.org/security/2000/20000623</a>
</DL>

<P>Copyright &copy; 1997-2000 <a href="http://www.spi-inc.org/">SPI</a>

<A NAME="freebsd">
<H4>FreeBSD, Inc.</H4>

<P>The version of ftpd shipped with all versions of FreeBSD since
2.2.0 is not vulnerable to this problem. FreeBSD also ships with
several optional third-party FTP servers in the Ports Collection,
including wu-ftpd and proftpd. The wu-ftpd vulnerability was corrected
on 2000/06/24 and is the subject of <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00%3A29.wu-ftpd.asc.v1.1">FreeBSD
Security Advisory SA-00:29</a>. At this time no patch has been
released by the proftpd vendor and the version in FreeBSD ports is
still vulnerable to this attack.  [An <a href="#proftpd">update</a> to
proftpd is now available. -CERT/CC] FreeBSD makes no guarantee about
the security of third-party software in the ports collection and users
are advised that there may be security vulnerabilities in other FTP
servers available there.

<A NAME="fujitsu">
<H4>Fujitsu</H4>
<P>Fujitsu's UXP/V operating system is not vulnerable to any of the
vulnerabilities discussed in [this] advisory.


<A NAME="hp">
<H4>Hewlett-Packard Company</H4>

<P>HP is vulnerable. Please see:

<DL><DD>HPSBUX0007-117: Sec. Vulnerability in ftpd, **Rev.01**
HEWLETT-PACKARD COMPANY SECURITY ADVISORY: #00117, 11 July '00, Last
Revised: 12 July '00
</DL>

<P>An excerpt:<BR>

<FONT FACE="monospace">
<DL>

<HR NOSHADE WIDTH="100%">
<P>PROBLEM:  The ftp server (ftpd) on HP-UX allows users root access.

<P>PLATFORM:   HP-UX release 11.00 - Both Problem #1 and #2 below;
<BR>            HP-UX release 10.20 - Problem #2, setproctitle(), only

<P>DAMAGE:  Unauthorized root access.

<P>SOLUTION: Install temporary binary until an official patch is released.

<P>AVAILABILITY:  The temporary binary is available now (see below).

<HR NOSHADE WIDTH="100%">

<P>A. Background<BR>
There are 2 problems with FTP Server (ftpd) on HP-UX.
<ol>

<li>ftpd handling of the SITE EXEC command that allows remote users to
gain root access.  This is possible in the default configuration of
ftpd on HP-UX 11.00 ONLY.

<li>ftpd does not properly format the parameters to the setproctitle()
function, allowing users to gain root access. This problem applies to
both 11.00 and 10.X.

</ol>      
      
<P>B. Fixing the problem<BR>
All system administrators are encouraged to install our temporary
binary until an official patch is released.  The file can be retrieved
to simply replace the original factory supplied binary.


<P>C. Recommended solution<BR>
Two temporary ftp binaries (for HP-UX 11.00 and HP-UX 10.20)
can be found at:

<DL><DD>
       <a href="ftp://ftp.cup.hp.com/dist/networking/ftp/ftpd.11.0">ftp://ftp.cup.hp.com/dist/networking/ftp/ftpd.11.0</a>
<BR>
       <a href="ftp://ftp.cup.hp.com/dist/networking/ftp/ftpd.10.20">ftp://ftp.cup.hp.com/dist/networking/ftp/ftpd.10.20</a>
</DL>

<P>**Revised 01**<BR>
--->>>These are to be installed in /usr/lbin/ftpd, with permissions 544.


<P>NOTE: This advisory [HPSBUX0007-117] will be updated when
patches become available.

</DL>
</FONT>

<P>Copyright &copy; 2000 Hewlett-Packard Company

<A NAME="ibm">
<H4>IBM Corporation</H4>
<P>IBM's AIX operating system is not vulnerable to the exploit described in CA-2000-13.</P>


<A NAME="mandrake">
<H4>MandrakeSoft Inc.</H4>

<P>Please see the MANDRAKE 7.1 update section for wu-ftpd information at:

<DL><DD>
<a href="http://www.linux-mandrake.com/en/fupdates.php3">http://www.linux-mandrake.com/en/fupdates.php3</a>
</DL>

<A NAME="microsoft">
<H4>Microsoft Corporation</H4>

<P>The IIS FTP service is not affected by these issues.

<A NAME="kerberos">
<H4>MIT Kerberos Development Team</H4>

<P>It seems that the MIT Kerberos ftpd is based on BSD ftpd revision
5.40, and has never contained any serious format string related bugs
for some reason.  It is possible that by defining an undocumented CPP
macro SETPROCTITLE, calls to setproctitle() can be made, however,
there is an internally declared setproctitle() function that does not
take a format string as its argument, and is hence not vulnerable.

<A NAME="proftpd">
<H4>ProFTPD Project</H4>

<P>Upgrade to ProFTPD 1.2.0:

<DL><DD>
<a href="http://www.proftpd.net/download.html">http://www.proftpd.net/download.html</a>
</DL>

<P>Please see the discussion concerning setproctitle() at

<DL><DD>
<a href="http://www.proftpd.org/proftpd-l-archive/00-07/msg00059.html">http://www.proftpd.org/proftpd-l-archive/00-07/msg00059.html</a>
<BR>
<a href="http://www.proftpd.org/proftpd-l-archive/00-07/msg00060.html">http://www.proftpd.org/proftpd-l-archive/00-07/msg00060.html</a>
<BR>
<a href="http://bugs.proftpd.net/show_bug.cgi?id=121">http://bugs.proftpd.net/show_bug.cgi?id=121</a>
<BR>
<a href="http://www.proftpd.net/security.html">http://www.proftpd.net/security.html</a>
</DL>

<A NAME="netbsd">
<H4>NetBSD Foundation, Inc</H4>

<P>Please see NetBSD Security Advisories NetBSD-SA2000-009 & NetBSD-SA2000-010:

<DL><DD>
<a href="ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc">ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc</a>
<BR>
<a href="ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-010.txt.asc">ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-010.txt.asc</a>
</DL>

<P>Copyright &copy; 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

<A NAME="OpenBSD">
<H4>OpenBSD</H4>

<P>The setproctitle bug is in OpenBSD. Please see:

<DL><DD>
<a href="http://www.openbsd.org/errata.html#ftpd">http://www.openbsd.org/errata.html#ftpd</a>
</DL>

<A NAME="wietse">
<A NAME="porcupine">
<H4>Porcupine.org</H4>

<P>[...] None of my software [ftpd from my <a href="ftp://ftp.porcupine.org/pub/security/index.html#software">logdaemon</a> utilities] has
either the "site exec" or "setproctitle" features enabled.

<P>Wietse Venema<BR>
<a href="mailto:wietse@porcupine.org">mailto:wietse@porcupine.org</a>


<A NAME="redhat">
<H4>Red Hat</H4>

<P>Please see RHSA-2000-039-02 regarding the wu-ftpd issue:
<DL><DD>
<a href="http://www.redhat.com/support/errata/RHSA-2000-039-02.html">http://www.redhat.com/support/errata/RHSA-2000-039-02.html</a>
</DL>

<P>Copyright &copy; 2000 Red Hat, Inc. All rights reserved.

<A NAME="sgi">
<H4>SGI</H4>

<P>IRIX ftpd is not vulnerable to the issues mentioned in this
advisory.  See <a
href="ftp://sgigate.sgi.com/security/20000701-01-I">ftp://sgigate.sgi.com/security/20000701-01-I</a>
for more information.


<A NAME="slackware">
<H4>Slackware Linux Project</H4>

<P>Please see the patches made available regarding the wu-ftpd issue, at:

<DL><DD>
<a href="ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/wu-ftpd-patch.README">ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/wu-ftpd-patch.README</a>
</DL>


<A NAME="sun">
<H4>Sun Microsystems</H4>

<P>SISP FTPD is similar to wu-ftpd.  SISP FTPD does not allow site
exec nor does it use setproctitle().  Therefore, SISP FTPD does not
appear to be vulnerable.


<A NAME="suse">
<H4>SuSE Ltd.</H4>

<P>Please see SuSE Security Announcement #53 regarding the wu-ftpd
issue, at:

<DL><DD>
<a href="http://www.suse.de/de/support/security/suse_security_announce_53.txt">http://www.suse.de/de/support/security/suse_security_announce_53.txt</a>
</DL>

<A NAME="wu-ftpd">
<A NAME="wuftpd">
<H4>WU-FTPD Development Group</H4>

<P>The WU-FTPD Development Group's primary distribution site is
mirrored world-wide.  A list of mirrors is available from:


<DL><DD>
<a href="http://www.wu-ftpd.org/mirrors.txt">http://www.wu-ftpd.org/mirrors.txt</a>
</DL>

<P>If possible, please use a mirror to obtain patches or the latest version.

<H5>Upgrade your version of wu-ftpd</H5>

<P>The latest release of wu-ftpd, version 2.6.1, has been released to
address these and several other security issues:

<DL><DD>
	<a href="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz">ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz</a>
<BR>
        <a href="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc">ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc</a>
<BR>
        <a href="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z">ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z</a>
<BR>
        <a href="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc">ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc</a>
</DL>

<H5>Apply a patch</H5>

<P>The wu-ftpd developers have published the following patch for wu-ftpd 2.6.0:

<DL><DD>
<a href="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch">ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch</a>
<BR>
<a href="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch.asc">ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch.asc</a>
</DL>

<HR NOSHADE>

<P>The CERT Coordination Center thanks Gregory Lundberg and Theo de
Raadt for their help in developing this advisory.</P>

<HR NOSHADE>

<P>Author: <a href="mailto:cert@cert.org?subject=CA-2000-13%20Feedback">Jeffrey S. Havrilla</a>


<P>Copyright 2000 Carnegie Mellon University</P>

<P>Revision History
<font face="monospace">
<PRE>
Jul  7, 2000:	Initial release
Jul  7, 2000:	Updated WU-FTP and Sun vendor sections
Jul 13, 2000:	Updated HP, FreeBSD, ProFTPD vendor sections
Jul 13, 2000:	Added vendor sections for Compaq, Fujitsu, NetBSD, Porcupine
Jul 14, 2000:	Added vendor section for SGI
Jul 18, 2000:	Updated SGI vendor section
Aug 30, 2000:	Updated incorrect link to setproctitle() vulnerability
Nov 14, 2000:	Updated description to reflect new understanding of the
		setproctitle() vulnerability
Nov 21, 2000:	Added IBM response
</PRE>
</font>