Original release date:  November 29, 2001<BR>
Last revised:  February 15, 2002<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.</P>

<A NAME="affected">
<H3>Systems Affected</H3>
<UL>
<LI>Systems running WU-FTPD and its derivatives
</LI>

</UL>

<A NAME="overview">
<H2>Overview</H2>

<P>
WU-FTPD is a widely deployed software package used to provide File Transfer Protocol (FTP) services on UNIX and Linux systems.  There are two vulnerabilities in WU-FTPD that expose a system to potential remote root compromise by anyone with access to the FTP service.  These vulnerabilities have recently received increased scrutiny.
</P>

<A NAME="description">
<H2>I. Description</H2>

<P>
There are two remote code execution vulnerabilities in the Washington University FTP daemon (WU-FTPD).  Both of these vulnerabilities have been discussed in public forums and have received widespread exposure.
</P>

<p>
<b><a href="http://www.kb.cert.org/vuls/id/886083">VU#886083</a>:  WU-FTPD does not properly handle file name globbing</b>
</p>

<p>
WU-FTPD features globbing capabilities that allow a user to specify multiple file names and locations using typical shell notation.  See CERT Advisory <a href="http://www.cert.org/advisories/CA-2001-07.html">CA-2001-07</a> for a more complete explanation of globbing.
</p>

<p>
WU-FTPD implements its own globbing code instead of using libraries in the underlying operating system.  When the globbing code is called, it allocates memory on the heap to store a list of file names that match the expanded glob expression.  The globbing code is designed to recognize invalid syntax and return an error condition to the calling function.  However, when it encounters a specific string, the globbing code fails to properly return the error condition.  Therefore, the calling function proceeds as if the glob syntax were correct and later frees unallocated memory that can contain user-supplied data.
</p>

<p>
If intruders can place addresses and shellcode in the right locations on the heap using FTP commands, they may be able to cause WU-FTPD to execute arbitrary code by later issuing a command that is mishandled by the globbing code.
</p>

<p>
This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access.  If the exploit is successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.  If the exploit is unsuccessful, the thread servicing the request will fail, but the WU-FTPD process will continue to run.
</p>

<p>
Note that at least one derivative of WU-FTPD, BeroFTPD, is also vulnerable.  BeroFTPD has been merged back into WU-FTPD and is no longer separately maintained.
</p>

<p>
This vulnerability has been assigned the identifier CAN-2001-0550 by the Common Vulnerabilities and Exposures (CVE) group:
<dl>
<dd>
<A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550</a>
</dd>
</dl>
</p>

<p>
CORE Security Technologies has published a Vulnerability Report on this issue:
<dl>
<dd>
<a href="http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=10&idx=172">http://www.corest.com/pressroom/advisories_desplegado.php?<br>idxsection=10&idx=172</a>
</dd>
</dl>
</p>

<p>
<b><a href="http://www.kb.cert.org/vuls/id/639760">VU#639760</a>:  WU-FTPD configured to use RFC 931 authentication running in debug mode contains format string vulnerability</b>
</p>

<p>
WU-FTPD can perform <a href="http://www.ietf.org/rfc/rfc931.txt">RFC 931</a> authentication when accepting inbound connections from clients.  <a href="http://www.ietf.org/rfc/rfc931.txt">RFC 931</a> defines the Authentication Server Protocol, and is obsoleted by <a href="http://www.ietf.org/rfc/rfc1413.txt">RFC 1413</a>, which defines the Identification Protocol.  RFC 931 is commonly known as "auth" or "authd", and RFC 1413 is commonly known as "ident" or "identd".  Both are named after the daemon that commonly provides the service.
</p>
<p>
When using RFC 931 authentication, WU-FTPD will request ident information before authorizing a connection request from a client.  The auth or ident service running on the client returns user-specific information, allowing WU-FTPD to make authentication decisions based on data in the ident response.
</p>

<p>
WU-FTPD can also be run in debugging mode, which provides detailed information about its operation.
</p>
<p>
When WU-FTPD is configured to perform RFC 931 authentication and is run in debug mode, it logs connection information using <font face="Courier">syslog(3)</font> function calls.  The logging code does not include format string specifiers in some <font face="Courier">syslog(3)</font> calls, nor does the code perform adequate input validation on the contents of the identd response received from a client.  As a result, a crafted identd response containing user-supplied format string specifiers is interpreted by <font face="Courier">syslog(3)</font>, possibly overwriting arbitrary locations in memory.  By carefully designing such a request, an attacker may execute arbitrary code with the privileges of WU-FTPD.
</p>
<p>
This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access.  The intruder must also be able to control their response to the ident request.  If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.
</p>
<p>
Note that this vulnerability does not manifest unless WU-FTPD is configured to use RFC 931 authentication and is run in debug mode.
</p>
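<p>
An added illustration of the logging pattern at issue (example code, not WU-FTPD's own source and not taken from CORE's report): a strict parser for the RFC 1413 reply the server receives from the client's identd, followed by the vulnerable call shape beside a hardened one that keeps the client-controlled reply out of the format argument.  The struct, function names, peer address and sample replies are constructed for illustration.
</p>

```c
/* Added example, not WU-FTPD code: parse an RFC 1413 ident reply strictly and
 * log it with a constant format string (the pattern VU#639760 lacked).
 * All names and sample values below are constructed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ident_reply {
    long port_on_server, port_on_client; /* port pair echoed from our query */
    char type[8];                        /* "USERID" or "ERROR" */
    char info[128];                      /* "<opsys> : <user-id>" or error type */
};

/* Read one port number (1..65535) and skip trailing blanks. */
static int read_port(const char **p, long *port)
{
    char *end;
    long v = strtol(*p, &end, 10);
    if (end == *p || v < 1 || v > 65535) return 0;
    *port = v;
    *p = end;
    while (**p == ' ') (*p)++;
    return 1;
}

/* Accept only "<port>, <port> : USERID|ERROR : <printable text>".
 * Returns 1 when the reply is well formed, 0 otherwise. */
int parse_ident_reply(const char *line, struct ident_reply *out)
{
    const char *p = line;
    if (!read_port(&p, &out->port_on_server) || *p++ != ',') return 0;
    if (!read_port(&p, &out->port_on_client) || *p++ != ':') return 0;
    while (*p == ' ') p++;
    if (strncmp(p, "USERID", 6) == 0) { strcpy(out->type, "USERID"); p += 6; }
    else if (strncmp(p, "ERROR", 5) == 0) { strcpy(out->type, "ERROR"); p += 5; }
    else return 0;
    while (*p == ' ') p++;
    if (*p++ != ':') return 0;
    while (*p == ' ') p++;
    if (*p == '\0' || strlen(p) >= sizeof out->info) return 0;
    for (const char *q = p; *q; q++)
        if (!isprint((unsigned char)*q)) return 0; /* no CR, LF, control bytes */
    strcpy(out->info, p);
    return 1;
}

/* Vulnerable shape described in the advisory: the client-controlled reply is
 * the format argument, so "%x" or "%n" inside it is interpreted by syslog(3):
 *     syslog(LOG_DEBUG, reply);            -- never do this
 * Hardened form: constant format string, reply passed as data only.  It writes
 * to a caller-supplied buffer here (instead of syslog) so it can be checked. */
int format_ident_log(char *buf, size_t n, const char *peer, const char *reply)
{
    return snprintf(buf, n, "ident reply from %s: %s", peer, reply);
}
```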

<p>
This vulnerability has been assigned the identifier CVE-2001-0187 by the Common Vulnerabilities and Exposures (CVE) group:
<dl>
<dd>
<A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0187">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0187</a>
</dd>
</dl>
</p>

<A NAME="impact">
<H2>II. Impact</H2>

<p>
Both of these vulnerabilities can be exploited remotely by any user with access to the FTP service, including anonymous access.  Both vulnerabilities allow an intruder to execute arbitrary code with the privileges of WU-FTPD, typically root.  An exploit attempt that does not succeed in executing code may crash WU-FTPD or end the connection used by the intruder.
</p>

<p>
For additional information about the impacts of each of these vulnerabilities, please consult the CERT Vulnerability Notes Database (<a href="http://www.kb.cert.org/vuls">http://www.kb.cert.org/vuls</a>).
</p>

<A NAME="solution">
<H2>III. Solution</H2>

<H4>Apply patches from your vendor</H4>

<P>
<A HREF="#vendors">Appendix A</A> contains information for this advisory provided by vendors.  As they report new information to the CERT/CC, we will update this section and note the changes in our revision history.  If a particular vendor is not listed below, we have not received their comments.  Please contact your vendor directly.
</P>
<p>
Although some distributions may not include WU-FTPD, it can be compiled and run on a wide variety of UNIX and Linux systems.  If you install WU-FTPD separately, apply the source code <a href="#wuftpd">patches</a> from the WU-FTPD Development Group.
</p>

<H4>Restrict access to WU-FTPD</H4>

<p>
As a general practice, the CERT/CC recommends disabling services and access that are not explicitly required.  You may wish to disable WU-FTPD until you are able to apply a patch.
</P>
<p>
If you cannot disable the service, you can limit your exposure to these vulnerabilities by blocking or restricting access to the control channel (by default, port 21/tcp) used by WU-FTPD.  In the case of the format string vulnerability (VU#639760), an exploit would be transmitted from port 113/tcp on the attacking host to the WU-FTPD server that made the identd request.  Note that blocking access from untrusted networks such as the Internet does not protect your systems against attacks from within your network.
</p>

<h4>Disable anonymous FTP access</h4>

<p>
Although disabling anonymous FTP access does not prevent attacks from occurring, it does prevent unauthenticated users from attempting to exploit the globbing vulnerability (VU#886083).
</p>

<A NAME="vendors">
<H2>Appendix A.  Vendor Information</H2>

<P>
This appendix contains information provided by vendors for this advisory.  As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history.  If a particular vendor is not listed below, we have not received their comments.  Note that this advisory discusses two distinct vulnerabilities, and vendor statements may address one or both.
</P>

<A NAME="beroftpd">
<H4>BeroFTPD</H4>

Parts of WU-FTPD's globbing code are shared by BeroFTPD, which is vulnerable to the glob handling problem described in VU#886083.  BeroFTPD has been merged back into WU-FTPD and is no longer separately maintained.

<!-- end vendor -->


<A NAME="caldera">
<H4>Caldera</H4>

Caldera has addressed VU#886083 with the following Caldera Security Advisories:

<ul>
<li>Caldera Security Advisory CSSA-2001-041.0 (Linux)<br>
<a href="http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt">http://www.caldera.com/support/security/advisories/<br>CSSA-2001-041.0.txt</a></li>
<p></p>
<li>Caldera Security Advisory CSSA-2001-SCO.36 (UnixWare)<br>
<a href="ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.36.2/CSSA-2001-SCO.36.2.txt">ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.36.2/<br>CSSA-2001-SCO.36.2.txt</a></li>
<p></p>
<li>Caldera Security Advisory CSSA-2001-SCO.36 (Open UNIX)<br>
<a href="ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.36.2/CSSA-2001-SCO.36.2.txt">ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.36.2/<br>CSSA-2001-SCO.36.2.txt</a></li>
<p></p>
<li>Caldera Security Advisory CSSA-2002-SCO.1 (OpenServer)<br>
<a href="ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.1/CSSA-2002-SCO.1.txt">ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.1/<br>CSSA-2002-SCO.1.txt</a></li>
</ul>

<!-- end vendor -->

<A NAME="compaq">
<H4>Compaq Computer Corporation</H4>

This reported problem [VU#886083] could not be exploited on Compaq Tru64/UNIX Operating Systems Software.  WU-FTPD 2.6.1 is shipped on the <a href="http://www.tru64unix.compaq.com/internet/osis.htm">Internet Express</a> CD.

<!-- end vendor -->


<A NAME="conectiva">
<H4>Conectiva</H4>

Conectiva has released the following Conectiva Linux Security Announcements:

<ul>
<li>VU#886083:  Conectiva Linux Security Announcement CLA-2001:442<br>
<a href="http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000442">http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000442</a></li>
<p></p>
<li>VU#639760:  Conectiva Linux Security Announcement CLA-2001:443<br>
<a href="http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000443">http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000443</a></li>
</ul>

<!-- end vendor -->


<A NAME="cray">
<H4>Cray</H4>

Cray, Inc. is not vulnerable since the ftp supplied with UNICOS and UNICOS/mk is not based on the Washington University version.  Cray did check their ftp code and does not see this exploit.

<!-- end vendor -->


<A NAME="debian">
<H4>Debian</H4>

Debian has released the following Debian Security Advisories:

<ul>
<li>VU#886083:  Debian Security Advisory DSA-087<br>
<a href="http://www.debian.org/security/2001/dsa-087">http://www.debian.org/security/2001/dsa-087</a></li>
<p></p>
<li>VU#639760:  Debian Security Advisory DSA-016 (January 2001)<br>
<a href="http://www.debian.org/security/2001/dsa-016">http://www.debian.org/security/2001/dsa-016</a></li>
</ul>

<!-- end vendor -->


<A NAME="fujitsu">
<H4>Fujitsu</H4>

Regarding VU#886083 and VU#639760 (WU-FTPD vulnerabilities), UXP/V is not vulnerable, because UXP/V does not support WU-FTPD.

<!-- end vendor -->


<A NAME="hp">
<H4>Hewlett-Packard Company</H4>

HP's HP-UX is immune to this issue [VU#886083].  It was fixed in conjunction with the last "globbing" issue announced in CERT Advisory CA-2001-07, released April 10, 2001.  The lab did a complete check/scan of the globbing software, and fixed this issue then as well.  Customers should apply the patches listed in HP Security Bulletin #162 released July 19, 2001:
<dl>
<dd>
HPSBUX0107-162   Security Vulnerability in ftpd and ftp
</dd>
</dl>
Hewlett-Packard has addressed VU#639760 with Hewlett-Packard Company Security Bulletin HPSBUX0201-180:
<dl>
<dd>
HPSBUX0201-180   Sec. Vulnerability with WU-FTPD 2.6
</dd>
</dl>
Hewlett-Packard Security Bulletins are available at the IT Resource Center web site (registration required):
<dl>
<dd>
<a href="http://www.itresourcecenter.hp.com/">http://www.itresourcecenter.hp.com/</a>
</dd>
</dl>

<!-- end vendor -->


<A NAME="ibm">
<H4>IBM Corporation</H4>


IBM's AIX operating system does not use WU-FTPD, hence is not vulnerable to the exploit described by CORE ST.

<!-- end vendor -->


<A NAME="immunix">
<H4>Immunix</H4>

Immunix has released the following Immunix OS Security Advisories:

<ul>
<li>VU#886083:  Immunix OS Security Advisory IMNX-2001-70-036-01<br>
<a href="http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-036-01">http://download.immunix.org/ImmunixOS/7.0/updates/<br>IMNX-2001-70-036-01</a></li>
<p></p>
<li>VU#639760:  Immunix OS Security Advisory IMNX-2001-70-036-02<br>
<a href="http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-036-02">http://download.immunix.org/ImmunixOS/7.0/updates/<br>IMNX-2001-70-036-02</a></li>
</ul>


<!-- end vendor -->


<A NAME="mandrakesoft">
<H4>MandrakeSoft</H4>

MandrakeSoft has addressed VU#886083 with Mandrake Linux Security Update Advisory MDKSA-2001:090:
<dl>
<dd>
<a href="http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-090.php3">http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-090.php3</a>
</dd>
</dl>

<!-- end vendor -->


<A NAME="ncftpd">
<H4>NcFTP Software</H4>

All versions of NcFTPd Server are not vulnerable to the problems described by VU#886083 and VU#639760.

<!-- end vendor -->


<A NAME="openbsd">
<H4>OpenBSD</H4>

OpenBSD does not use WU-FTPD.

<!-- end vendor -->


<A NAME="redhat">
<H4>Red Hat</H4>

Red Hat has addressed VU#886083 with Red Hat Linux Errata Advisory RHSA-2001-157:
<dl>
<dd>
<a href="http://www.redhat.com/support/errata/RHSA-2001-157.html">http://www.redhat.com/support/errata/RHSA-2001-157.html</a>
</dd>
</dl>
<!-- end vendor -->


<A NAME="sgi">
<H4>SGI</H4>

SGI does not ship IRIX with WU-FTPD, so IRIX is not vulnerable to these issues.

<!-- end vendor -->


<A NAME="sun">
<H4>Sun</H4>
<p>
Sun [Solaris] does not ship WU-FTPD, thus Solaris is not affected by these issues.
</p>
<p>
[Concerning VU#886083], the only Sun Cobalt Server Appliance that is vulnerable to this exploit is the Qube1.  The Qube1 is no longer a supported appliance, but we do understand the need of having updates available.  The following RPM is not officially supported by Sun Cobalt, but offers legacy customers the ability to maintain a limited level of security.
</p>
<p>
Qube1:
<dl>
<dd>
<a href="ftp://ftp.cobaltnet.com/pub/unsupported/qube1/rpms/wu-ftpd-2.6.1-C1.NOPAM.mips.rpm">ftp://ftp.cobaltnet.com/pub/unsupported/qube1/rpms/<br>wu-ftpd-2.6.1-C1.NOPAM.mips.rpm</a>
<p></p>
<a href="ftp://ftp.cobaltnet.com/pub/unsupported/qube1/srpms/wu-ftpd-2.6.1-C1.NOPAM.src.rpm">ftp://ftp.cobaltnet.com/pub/unsupported/qube1/srpms/<br>wu-ftpd-2.6.1-C1.NOPAM.src.rpm</a>
</dd>
</dl>
</p>

<!-- end vendor -->


<A NAME="suse">
<H4>SuSE</H4>

SuSE has addressed VU#886083 with SuSE Security Announcement SuSE-SA:2001:043.

<!-- end vendor -->


<A NAME="turbolinux">
<H4>Turbolinux</H4>

Turbolinux has addressed VU#886083 with Turbolinux Advisory <a href="http://www.turbolinux.com/pipermail/tl-security-announce/2002-January/000446.html">TLSA2002002</a>.

<!-- end vendor -->


<A NAME="wuftpd">
<H4>WU-FTPD</H4>

The WU-FTPD Development Group has provided source code patches that address both of these issues in WU-FTPD 2.6.1:

<ul>
<li>VU#886083:<br>
<a href="ftp://ftp.wu-ftpd.org/pub/wu-ftpd-attic/wu-ftpd-2.6.1-patches/ftpglob.patch">ftp://ftp.wu-ftpd.org/pub/wu-ftpd-attic/wu-ftpd-2.6.1-patches/<br>ftpglob.patch</a></li>
<p></p>
<li>VU#639760:<br>
<a href="ftp://ftp.wu-ftpd.org/pub/wu-ftpd-attic/wu-ftpd-2.6.1-patches/missing_format_strings.patch">ftp://ftp.wu-ftpd.org/pub/wu-ftpd-attic/wu-ftpd-2.6.1-patches/<br>missing_format_strings.patch</a></li>
</ul>

The WU-FTPD Development Group has also released WU-FTPD 2.6.2 which addresses both of these issues:

<dl>
<dd>
<a href="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/">ftp://ftp.wu-ftpd.org/pub/wu-ftpd/</a>
</dd>
</dl>

<!-- end vendor -->


<HR NOSHADE>

<P>The CERT Coordination Center thanks CORE Security Technologies and the WU-FTPD Development Group for their help.</P>

<P></P>

<HR NOSHADE>

<P>Author: <A HREF="mailto:cert@cert.org?subject=CA-2001-33%20Feedback%20VU%23886083%20VU%23639760">Art Manion</A>

<p></p>

<HR NOSHADE>

<p>References</p>
<ul>
<li><a href="http://www.kb.cert.org/vuls/id/886083">http://www.kb.cert.org/vuls/id/886083</a></li>
<li><a href="http://www.kb.cert.org/vuls/id/639760">http://www.kb.cert.org/vuls/id/639760</a></li>
<li><a href="http://www.kb.cert.org/vuls">http://www.kb.cert.org/vuls</a></li>
<li><a href="http://www.ietf.org/rfc/rfc931.txt">http://www.ietf.org/rfc/rfc931.txt</a></li>
<li><a href="http://www.ietf.org/rfc/rfc1413.txt">http://www.ietf.org/rfc/rfc1413.txt</a></li>
<li><a href="http://www.ietf.org/rfc/rfc959.txt">http://www.ietf.org/rfc/rfc959.txt</a></li>
<li><a href="http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=10&idx=172">http://www.corest.com/pressroom/advisories_desplegado.php?<br>idxsection=10&idx=172</a></li>
</ul>

<P></P>


<P>Copyright 2002 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
November 29, 2001:  initial release
November 30, 2001:  updated vendor information, CAN/CVE number, WU-FTPD 2.6.2, "Apply patches"
December  4, 2001:  updated vendor information, WU-FTPD patch locations, wrap long URLs
December 10, 2001:  included BeroFTPD information, updated title of VU#886083
December 17, 2001:  updated BeroFTPD information
January 10, 2002:  updated Caldera information
January 23, 2002:  updated HP information
February 4, 2002:  added Turbolinux and Compaq information
February 15, 2002:  updated Caldera information
</PRE>