Original issue date: November 30, 1995<BR>
Last revised: September 23, 1997<BR>
Updated copyright statement

<P>A complete revision history is at the end of this file.

<P>A vulnerability exists with certain configurations of the SITE EXEC command
in the Washington University ftpd, also known as wu-ftpd. Exploitation of
this vulnerability may allow root access from any account on the system.

<P>The vulnerable configuration is known to exist in numerous Linux distributions
and is currently being actively exploited by intruders.

<P>It should be noted that this vulnerability is not necessarily limited to Linux
but may exist on any wu-ftpd installation. Thus, all users of the wu-ftpd
program, not just the Linux users, should take this opportunity to verify the
configuration of their daemons. Note that versions of wu-ftpd before the 2.4
release contain serious security vulnerabilities and should be updated
immediately.

<P>Section III contains instructions for disabling ftpd and correcting the
configuration.

<P>We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

<P><HR>

<P>
<H2>I. Description</H2>

<P>There is a problem with the default configuration of the Washington
University FTP Server version 2.4 in major Linux distributions, including
but not limited to Slackware 2.0, 2.1, 2.2, 2.3, Yggdrasil Plug&amp;Play
Fall'94, and the Debian Distribution. By exploiting this problem, any
user who is able to log into a system having the vulnerable configuration
via FTP using their login, and not the anonymous login, may gain root
access.

<P>Other systems besides Linux can be configured to be vulnerable although
the standard wu-ftpd 2.4 source code as distributed is not vulnerable.

<P>The problem is that the variable _PATH_EXECPATH was set to &quot;/bin&quot; in
the configuration file src/pathnames.h when the distribution binary
was built. _PATH_EXECPATH should be set to &quot;/bin/ftp-exec&quot; or a similar
directory that does not contain a shell or command interpreter, for
example. The source code shipped with the Linux distributions contains
the correct value (&quot;/bin/ftp-exec&quot;) despite the incorrect distribution
binary. You should verify that _PATH_EXECPATH has the correct value
before recompiling.

<P>Note that the documentation for wu-ftpd states that the directory
defined by _PATH_EXECPATH is relative to ~ftp, the ftp home directory
as specified in the password file. This is misleading. The pathname
is relative to ~ftp for anonymous users only. This pathname is relative
to &quot;/&quot; for other user sessions.

<P>
<H2>II. Impact</H2>

<P>Any user with a local account on a system offering FTP services
with the vulnerable configuration may gain root access. Support for
anonymous FTP access is not required to exploit this vulnerability.

<P>
<H2>III. How to determine if you are vulnerable</H2>

<P>All systems running wu-ftpd should be checked to determine if the
configuration is vulnerable.

<P>To test your configuration, access the FTP server using a legitimate user
account (not an anonymous FTP login) and login to your FTP server. For
example:

<P>
<PRE>
    srchost&gt; ftp ftphost
    Connected to ftphost
    220 ftphost FTP server (Version wu-2.4(2) Mon Apr 18 09:135 [...]
    ready.
    Name (srchost:joe):
    331 Password required for joe.
    Password:
    230 User joe logged in.
</PRE>

<P>Then type:

<P>
<PRE>
    ftp&gt; quote site exec echo problem
</PRE>

<P>If you see the following response, then you are not vulnerable:

<P>
<PRE>
    200-echo problem
    200  (end of 'echo problem')
</PRE>

<P>However, if you see this following response, then you are vulnerable
(note the additional '200-problem' entry):

<P>
<PRE>
    200-echo problem
    200-problem
    200  (end of 'echo problem')
</PRE>
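<P>The check above can be scripted. The following Python program is an added example; it is not part of this advisory and not part of wu-ftpd. Its reply classification mirrors the two responses shown above, the network function uses the standard ftplib module, and the host, account and password are whatever you supply (the sample replies at the bottom are constructed).

```python
import ftplib

# Added example (not from the advisory or wu-ftpd): classify the reply that
# wu-ftpd returns to "SITE EXEC echo problem". A correctly configured server
# only echoes the command line back; a server that really ran /bin/echo adds
# an extra "200-problem" line.

PROBE_COMMAND = "SITE EXEC echo problem"


def parse_multiline_reply(reply):
    """Split an FTP reply (RFC 959 multi-line form) into (code, [text lines]).

    Continuation lines look like "200-text"; the final line is "200 text".
    """
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty reply")
    code = lines[0][:3]
    if not code.isdigit():
        raise ValueError("reply does not start with a 3-digit code: %r" % lines[0])
    texts = []
    for line in lines:
        if line.startswith(code + "-") or line.startswith(code + " "):
            texts.append(line[4:])
        else:
            texts.append(line)  # continuation line without a code prefix
    return int(code), texts


def classify_site_exec_reply(reply):
    """Return "vulnerable", "not vulnerable" or "unknown" for the probe reply."""
    code, texts = parse_multiline_reply(reply)
    if code != 200:
        return "unknown"  # e.g. a 5xx reply when SITE EXEC is disabled entirely
    # The server always echoes the command itself ("echo problem"); the word
    # "problem" on a line of its own means /bin/echo was actually executed.
    if "problem" in [t.strip() for t in texts]:
        return "vulnerable"
    return "not vulnerable"


def check_server(host, user, password):
    """Log in with a real account (not anonymous) and send the probe.

    Needs network access to the FTP server, so the offline test does not
    call it; it returns the same three verdicts as classify_site_exec_reply.
    """
    ftp = ftplib.FTP(host)
    try:
        ftp.login(user, password)
        reply = ftp.sendcmd(PROBE_COMMAND)  # full multi-line reply as one string
        ftp.quit()
    finally:
        ftp.close()
    return classify_site_exec_reply(reply)


# Constructed sample replies, copied in shape from the advisory's two cases.
SAFE_REPLY = "200-echo problem\n200  (end of 'echo problem')"
VULN_REPLY = "200-echo problem\n200-problem\n200  (end of 'echo problem')"

if __name__ == "__main__":
    print("safe sample:", classify_site_exec_reply(SAFE_REPLY))
    print("vulnerable sample:", classify_site_exec_reply(VULN_REPLY))
```

<P>Run check_server against your own host with an ordinary (non-anonymous) account; a verdict of "unknown" means the server answered something other than a 200 reply, for instance because SITE EXEC is not enabled at all, and the raw reply should be read by hand.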

<P>
<H2>IV. Solution</H2>

<P>If you have the vulnerability, we recommend that you turn off ftpd
immediately using the method described in Section A below. Once you have
done that, you can then decide whether to rebuild or fetch a new ftpd
binary.

<P>If you have built wu-ftpd from a source distribution, follow the steps
in Sections B.2 and B.3 below.

<P>Once you have eliminated this vulnerability, turn on ftpd with the
method described in Section C below.

<P>
<H3>A. Disable ftpd</H3>

<P>To disable ftpd, do the following as root.

<P>
<OL>
<LI>Shut down the FTP server using the ftpshut command. This command blocks all connections to the FTP server.

<P>For ftpshut to work correctly, the <I>ftpaccess(5)</I> file will need a
shutdown directive that names a file used by wu-ftpd to indicate
that the server is shut down. If your ftpaccess file does not have
such a directive, add one to that file. When added, use <I>ftpshut(8)</I>
to shut down the server. Once the server has been shut down, all
new incoming FTP requests will fail.

<P>Here is an example of the ftpshut command:

<P><PRE>
    ftpshut now
</PRE>

<LI><P>Verify that the FTP service has been shut down by attempting to
connect to it. You should see a message that contains a line
similar to the following:

<P><PRE>
    hostname FTP server shut down -- please try again later
</PRE>

<P>where hostname is the host from which you are requesting
FTP service.

<P>
</OL>

<P>
<H3>B. Correct the configuration</H3>

<P>Item 1 below applies to those running Debian Linux.  Item 2 applies
to all other Linux systems.  Item 3 applies to those who are building
wu-ftpd from source on systems other than Linux.

<P>
<OL>
<LI>If you are running Debian Linux, obtain a fixed binary,
available from the following location, and install this binary.

<P>
<A HREF=ftp://ftp.debian.org/debian/debian-0.93/binary/net/wu-ftpd-2.4-14.deb>ftp://ftp.debian.org/debian/debian-0.93/binary/net/wu-ftpd-2.4-14.deb</A>
<BR>
MD5 (wu-ftpd-2.4-14.deb) = c00a0aac75216bf83568aee4c2e7d168

<LI><P>If you are running any version of Linux, there is a version of
the source code available that has been improved to compile more
cleanly. It too is correctly configured for SITE EXEC. It is
available as the file wu-ftpd-2.4-fixed.tar.gz from

<P>
<A HREF=ftp://bach.cis.temple.edu/pub/Linux/security/wu-ftpd-2.4-fix/>ftp://bach.cis.temple.edu/pub/Linux/security/wu-ftpd-2.4-fix/</A>
<BR>
MD5 (wu-ftpd-2.4-fixed.tar.gz) = 3e1c6fd7cd6757e45894df0d3638b524

<P>This version is also correctly configured for the SITE EXEC
command and can be compiled and installed. Consult Section
IV below for suggestions on how to configure wu-ftpd.

<LI><P>If you are running a version of wu-ftpd before version 2.4,
you should upgrade to version 2.4 first. That version is
available from

<P>
<A HREF=ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd/wu-ftpd-2.4.tar.Z>ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd/wu-ftpd-2.4.tar.Z</A>
<BR>
MD5 (wu-ftpd-2.4.tar.Z) = 57f1a962c90a9b12825d39af518df433

<P>Version 2.4 is correctly configured for the SITE EXEC command
and can be compiled and installed. Consult Section IV below for
suggestions on how to configure wu-ftpd.
</OL>

<P>
<H3>C. Enabling ftpd</H3>

<P>
<OL>
<LI>To turn ftpd back on, delete the file referenced by the shutdown
directive in your ftpaccess file.

<LI><P>Verify that the FTP service has been enabled by attempting to
connect to it. You should see a message that contains lines
similar to the following:

<P>
<PRE>
srchost&gt; ftp ftphost
Connected to ftphost
220 ftphost FTP server (Version wu-2.4(3) Mon Apr 3 16:53:11 EDT 1995) ready.
Name (srchost:joe):
</PRE>
</OL>

<P>
<H2>IV.  Advice on configuring the FTP Daemon for SITE EXEC</H2>

<P>Here are some configuration guidelines for the directories named by
the _PATH_EXECPATH variable.

<P>
<OL>
<LI>Directories used by SITE EXEC: The documentation for wu-ftpd
states that the directory defined by the _PATH_EXECPATH variable is
relative to ~ftp, the ftp home directory as specified in the password
file. This is misleading. The pathname is relative to ~ftp for
anonymous users only. The pathname is relative to &quot;/&quot; for all other
user sessions.

<P>Therefore, you need to check the two directories used by the SITE
EXEC command. For example, if the _PATH_EXECPATH variable is set to
/bin/ftp-exec, then wu-ftpd searches the ~ftp/bin/ftp-exec directory
for the programs named by SITE EXEC when the anonymous login is used,
and the /bin/ftp-exec directory when any other login is used.

<LI><P>Contents of the directories used by SITE EXEC: The commands installed
in these directories can be executed by the SITE EXEC command. We
strongly recommend that this directory contain only those programs
that you wish to be executed by those users who connect to your FTP
server. An example of a program to install in these directories is
the ls program. Programs that should not be installed in these
directories are shells, for example sh or csh, and command
interpreters, for example awk and perl.

<P>
</OL>
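<P>The guidelines in items 1 and 2 can be turned into a routine audit. The Python program below is an added example, not part of this advisory or of wu-ftpd. It reads the _PATH_EXECPATH value out of a pathnames.h text, derives the two directories described in item 1, and lists what each directory exposes; the allowlist (only ls) and the shell names beyond the sh, csh, awk and perl mentioned above are assumptions, and the pathnames.h fragment and the sample directory it builds are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Added example (not from the advisory or wu-ftpd): audit the directories
# reachable through SITE EXEC. The allowlist and the extra shell names are
# assumptions; adjust them to your site.

# Programs the advisory says must never be in a SITE EXEC directory, plus
# other common shells and interpreters (the additions are an assumption).
INTERPRETERS = {"sh", "csh", "awk", "perl",
                "bash", "ksh", "tcsh", "zsh", "python", "tclsh"}

# Constructed fragment in the style of src/pathnames.h, showing the bad value.
SAMPLE_PATHNAMES_H = '''
/* constructed fragment; the real file defines many more paths */
#define _PATH_EXECPATH  "/bin"
'''

_DEFINE_RE = re.compile(r'^\s*#\s*define\s+_PATH_EXECPATH\s+"([^"]*)"', re.M)


def read_exec_path(pathnames_h_text):
    """Return the _PATH_EXECPATH value from a pathnames.h text, or None."""
    m = _DEFINE_RE.search(pathnames_h_text)
    return m.group(1) if m else None


def site_exec_dirs(exec_path, ftp_home):
    """Both directories wu-ftpd searches: ~ftp-relative for anonymous logins,
    root-relative for every other login (the behaviour the advisory describes)."""
    anon_dir = os.path.join(ftp_home, exec_path.lstrip("/"))
    return anon_dir, exec_path


def audit_exec_dir(directory, allowed=("ls",)):
    """Report what is reachable through SITE EXEC in one directory.

    An entry is flagged as an interpreter if its own name, or the name of the
    file it ultimately resolves to (symlinks followed), is in INTERPRETERS,
    so a link called "helper" that points at perl is still caught.
    """
    report = {"missing": False, "interpreters": [], "unexpected": [],
              "world_writable": False}
    if not os.path.isdir(directory):
        report["missing"] = True
        return report
    mode = os.stat(directory).st_mode
    report["world_writable"] = bool(mode & stat.S_IWOTH)
    for name in sorted(os.listdir(directory)):
        target = os.path.basename(os.path.realpath(os.path.join(directory, name)))
        if name in INTERPRETERS or target in INTERPRETERS:
            report["interpreters"].append(name)
        elif name not in allowed:
            report["unexpected"].append(name)
    return report


def build_sample_dir():
    """Create a constructed SITE EXEC directory for the demonstration: an
    allowed ls, a stray sh and perl, an unexpected gzip, and a symlink
    named helper that hides the perl binary behind a harmless name."""
    d = tempfile.mkdtemp(prefix="ftp-exec-")
    for name in ("ls", "sh", "perl", "gzip"):
        with open(os.path.join(d, name), "w") as f:
            f.write("#!/bin/sh\n")  # placeholder contents, never executed
    os.symlink("perl", os.path.join(d, "helper"))
    os.chmod(d, 0o755)
    return d


if __name__ == "__main__":
    print("_PATH_EXECPATH in sample pathnames.h:", read_exec_path(SAMPLE_PATHNAMES_H))
    print("directories to check:", site_exec_dirs("/bin/ftp-exec", "/home/ftp"))
    print("audit of constructed directory:", audit_exec_dir(build_sample_dir()))
```

<P>On a real system, feed read_exec_path the contents of src/pathnames.h before recompiling and run audit_exec_dir on both paths returned by site_exec_dirs; a value of "/bin" or any non-empty "interpreters" list is the configuration this advisory warns about, and a missing ~ftp-relative directory is harmless for anonymous users but worth noting.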
<HR>
The CERT Coordination Center thanks AUSCERT, the Australian response team, and
Alexander O. Yuriev, Temple University, author of Linux Security Updates, for
their support in responding to this problem. Linux Security Updates are
available from 
<A HREF=http://bach.cis.temple.edu/linux/linux-security/>http://bach.cis.temple.edu/linux/linux-security/</A>
<HR>

<P>
<H2>UPDATES</H2>

<P>
<H4>Information for Solaris 2.4</H4>

<P>After the advisory was originally issued, Charles Jardine 
	<A HREF=mailto:cj10@cam.ac.uk>&lt;cj10@cam.ac.uk&gt;</A> 

provided the following information.

<P>The problem with the SITE EXEC command is that programs spawned by
wu-ftpd are run as the effective user and group id of the logged-in
user but with the real user and group id of root (or however wu-ftpd is
started by inetd, usually root).

<P>To address this, the following can be used as a basis for a patch.
(Note that this patch works for Solaris 2.4 compiled with gcc-2.7.2.)

<P>
<PRE>
    *** /tmp/T0a001YI       Mon Dec  4 10:22:13 1995
    --- popen.c     Mon Dec  4 10:22:08 1995
    ***************
    *** 141,146 ****
    --- 141,158 ----
                  }
                  (void) close(pdes[1]);
              }
    + /*
    +  * This fixes the ``real'' problem with SITE EXEC
    +  */
    +       {
    +               uid_t u = geteuid();
    +               gid_t g = getegid();
    +
    +               setuid(0);
    +               setgid(g);
    +               setuid(u);
    +       }
    +
              execv(gargv[0], gargv);
              _exit(1);
          }
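Review bot: the added `setuid(0);`, `setgid(g);` and `setuid(u);` lines discard their return values, so if any of them fails (setuid(0) fails whenever wu-ftpd was not started as root, a case the text above allows for) the child still reaches `execv(gargv[0], gargv);` with whatever real ids it already had. Suggest checking each call and refusing to exec on failure, e.g. `if (setuid(0) < 0 || setgid(g) < 0 || setuid(u) < 0) _exit(1);`. The block also leaves the supplementary group list as inherited from inetd; whether a `setgroups()` call is needed there deserves a line in the comment next to "This fixes the ``real'' problem".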
</PRE>

<P><HR>

<P>Copyright 1995, 1996 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Sep. 23, 1997  Updated copyright statement
Aug. 30, 1996  Information previously in the README was inserted
               into the advisory.
Jan. 19, 1996  Updates - Added code that can be used as the basis for a patch
               for the SITE EXEC command for Solaris 2.4.
Dec. 19, 1995  Sec. III - Expanded the explanation of how to determine if
               you are vulnerable.
</PRE>