CERT Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD

From: CERT Advisory (cert-advisory@cert.org)
Date: 11/30/01


Date: Thu, 29 Nov 2001 18:47:23 -0500 (EST)
Message-Id: <CA-2001-33.1@cert.org>
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD



CERT Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD

   Original release date: November 29, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Systems running WU-FTPD and its derivatives

Overview

   WU-FTPD is a widely deployed software package used to provide File
   Transfer Protocol (FTP) services on UNIX and Linux systems. There are
   two vulnerabilities in WU-FTPD that expose a system to potential
   remote root compromise by anyone with access to the FTP service. These
   vulnerabilities have recently received increased scrutiny.

I. Description

   There are two remote code execution vulnerabilities in the Washington
   University FTP daemon (WU-FTPD). Both of these vulnerabilities have
   been discussed in public forums and have received widespread exposure.

   VU#886083: WU-FTPD does not properly handle glob command

   WU-FTPD features globbing capabilities that allow a user to specify
   multiple file names and locations using typical shell notation. See
   CERT Advisory CA-2001-07 for a more complete explanation of globbing.

   WU-FTPD implements its own globbing code instead of using libraries in
   the underlying operating system. When the globbing code is called, it
   allocates memory on the heap to store a list of file names that match
   the expanded glob expression. The globbing code is designed to
   recognize invalid syntax and return an error condition to the calling
   function. However, when it encounters a specific string, the globbing
   code fails to properly return the error condition. Therefore, the
   calling function proceeds as if the glob syntax were correct and later
   frees unallocated memory that can contain user-supplied data.
   If intruders can place addresses and shellcode in the right locations
   on the heap using FTP commands, they may be able to cause WU-FTPD to
   execute arbitrary code by later issuing a command that is mishandled
   by the globbing code.
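   The failure described above is one of error signalling: the caller
   cannot tell a syntax error from a successful expansion, so it frees a
   result it was never handed. The following is an added example written
   for this note, not WU-FTPD's own globbing code. It shows a small
   pattern expander that validates syntax before allocating anything and
   returns an unambiguous error, so the caller only frees what it
   received; restricting the syntax to '*', '?' and '[set]' is an
   assumption of the example.

```c
#include <stdlib.h>
#include <string.h>

typedef struct { const char **names; size_t count; } globlist_t;

/* Syntax is checked before any matching or allocation, so a malformed pattern
 * is rejected on every path, not only when the matcher happens to reach it.
 * Only '[set]' balance is checked here (an assumption of this note). */
int pattern_syntax_ok(const char *pat)
{
    for (const char *p = pat; *p; p++)
        if (*p == '[') {
            const char *close = strchr(p + 1, ']');
            if (!close || close == p + 1) return 0; /* unterminated or empty set */
            p = close;
        }
    return 1;
}

/* Matcher for '*', '?', '[set]' and literals; requires a valid pattern. */
static int match(const char *pat, const char *name)
{
    for (; *pat; pat++, name++) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (!*pat) return 1;
            for (; *name; name++) if (match(pat, name)) return 1;
            return 0;
        }
        if (!*name) return 0;
        if (*pat == '[') {
            const char *close = strchr(pat + 1, ']');
            if (!memchr(pat + 1, *name, (size_t)(close - pat - 1))) return 0;
            pat = close;
        } else if (*pat != '?' && *pat != *name) return 0;
    }
    return *name == '\0';
}

/* Error contract: -1 and an empty *out (names == NULL) on bad syntax, 0 and a
 * caller-owned list on success. free(out->names) is safe after either result. */
int expand_pattern(const char *pat, const char *const *dir, size_t ndir, globlist_t *out)
{
    out->names = NULL; out->count = 0;
    if (!pattern_syntax_ok(pat)) return -1;
    out->names = calloc(ndir ? ndir : 1, sizeof *out->names);
    if (!out->names) return -1;
    for (size_t i = 0; i < ndir; i++)
        if (match(pat, dir[i])) out->names[out->count++] = dir[i];
    return 0;
}
```

   The directory listing is passed in as an array, so the example runs
   without touching the filesystem.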

   This vulnerability is potentially exploitable by any user who is able
   to log in to a vulnerable server, including users with anonymous
   access. If the exploit is successful, an attacker may be able to
   execute arbitrary code with the privileges of WU-FTPD, typically root.
   If the exploit is unsuccessful, the thread servicing the request will
   fail, but the WU-FTPD process will continue to run.

   This vulnerability has been assigned the identifier CAN-2001-0550 by
   the Common Vulnerabilities and Exposures (CVE) group:

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550

   CORE Security Technologies has published a Vulnerability Report on
   this issue:

          http://www.corest.com/pressroom/advisories_desplegado.php?dxsection=10&idx=17

   VU#639760: WU-FTPD configured to use RFC 931 authentication running in
   debug mode contains format string vulnerability

   WU-FTPD can perform RFC 931 authentication when accepting inbound
   connections from clients. RFC 931 defines the Authentication Server
   Protocol, and is obsoleted by RFC 1413, which defines the Identity
   Protocol. RFC 931 is commonly known as "auth" or "authd", and RFC 1413
   is commonly known as "ident" or "identd". Both are named after the
   daemon that commonly provides the service.

   When using RFC 931 authentication, WU-FTPD will request ident
   information before authorizing a connection request from a client. The
   auth or ident service running on the client returns user-specific
   information, allowing WU-FTPD to make authentication decisions based
   on data in the ident response.

   WU-FTPD can also be run in debugging mode, which provides detailed
   information about its operation.

   When WU-FTPD is configured to perform RFC 931 authentication and is
   run in debug mode, it logs connection information using syslog(3)
   function calls. The logging code does not include format string
   specifiers in some syslog(3) calls, nor does the code perform adequate
   input validation on the contents of the identd response received from
   a client. As a result, a crafted identd response containing
   user-supplied format string specifiers is interpreted by syslog(3),
   possibly overwriting arbitrary locations in memory. By carefully
   designing such a request, an attacker may execute arbitrary code with
   the privileges of WU-FTPD.
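   The defect and its correction, as an added example written for this
   note (not WU-FTPD's own logging code): the identd reply is validated
   and then logged through a constant format string, so conversion
   specifiers inside it are copied as data rather than interpreted. The
   IDENT_REPLY_MAX cap and the sample replies are constructed for this
   example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* The defect the advisory describes: the identd reply is passed to syslog(3)
 * as the format argument, so conversion specifiers in it are interpreted:
 *     syslog(LOG_DEBUG, reply);          // unsafe: reply controls the format
 * The corrected form below keeps a constant format and passes the reply as data. */

#define IDENT_REPLY_MAX 512 /* length cap assumed for this note, not an RFC value */

/* Accept only a non-empty, bounded, printable single-line reply. This does not
 * make logging safe by itself (only the constant format does); it keeps control
 * characters and oversized replies out of the log. Returns 1 if acceptable. */
int ident_reply_is_sane(const char *reply)
{
    size_t len = strlen(reply);
    if (len == 0 || len > IDENT_REPLY_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)reply[i];
        if (!isprint(c) && c != '\t') return 0;
    }
    return 1;
}

/* Build the log line with a constant format; any '%' inside `reply` is copied
 * verbatim, never interpreted. Returns 1 on success, 0 if rejected or truncated. */
int format_ident_log_line(char *out, size_t outlen, const char *reply)
{
    if (!ident_reply_is_sane(reply)) return 0;
    int n = snprintf(out, outlen, "ident reply: %s", reply);
    return n >= 0 && (size_t)n < outlen;
}

/* What the daemon's debug path would call; the format argument is always a literal. */
void log_ident_reply(const char *reply)
{
    char line[IDENT_REPLY_MAX + 32];
    if (format_ident_log_line(line, sizeof line, reply))
        syslog(LOG_DEBUG, "%s", line);
    else
        syslog(LOG_WARNING, "rejected malformed identd reply (%zu bytes)", strlen(reply));
}
```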

   This vulnerability is potentially exploitable by any user who is able
   to log in to a vulnerable server, including users with anonymous
   access. The intruder must also be able to control their response to
   the ident request. If successful, an attacker may be able to execute
   arbitrary code with the privileges of WU-FTPD, typically root.

   Note that this vulnerability does not manifest unless WU-FTPD is
   configured to use RFC 931 authentication and is run in debug mode.

   This vulnerability has been assigned the identifier CAN-2001-0187 by
   the Common Vulnerabilities and Exposures (CVE) group:

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0187

II. Impact

   Both of these vulnerabilities can be exploited remotely by any user
   with access to the FTP service, including anonymous access. Both
   vulnerabilities allow an intruder to execute arbitrary code with the
   privileges of WU-FTPD, typically root. An exploit attempt that does
   not succeed in executing code may crash WU-FTPD or end the connection
   used by the intruder.

   For additional information about the impacts of each of these
   vulnerabilities, please consult the CERT Vulnerability Notes Database
   (http://www.kb.cert.org/vuls).

III. Solution

Apply patches from your vendor

   Appendix A contains information for this advisory provided by vendors.
   As they report new information to the CERT/CC, we will update this
   section and note the changes in our revision history. If a particular
   vendor is not listed below, we have not received their comments.
   Please contact your vendor directly.

Restrict access to WU-FTPD

   As a general practice, the CERT/CC recommends disabling services and
   access that are not explicitly required. You may wish to disable
   WU-FTPD until you are able to apply a patch.

   If you cannot disable the service, you can limit your exposure to
   these vulnerabilities by blocking or restricting access to the control
   channel (by default, port 21/tcp) used by WU-FTPD. In the case of the
   format string vulnerability (VU#639760), an exploit would be
   transmitted from port 113/tcp on the attacking host to the WU-FTPD
   server that made the identd request. Note that blocking access from
   untrusted networks such as the Internet does not protect your systems
   against attacks from within your network.

Disable anonymous FTP access

   Although disabling anonymous FTP access does not prevent attacks from
   occurring, it does prevent unauthenticated users from attempting to
   exploit the globbing vulnerability (VU#886083).

Appendix A. Vendor Information

   This appendix contains information provided by vendors for this
   advisory. As vendors report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their
   comments. Note that this advisory discusses two distinct
   vulnerabilities, and vendor statements may address one or both.

Caldera

   Caldera has released Security Advisory CSSA-2001-041.0:

          http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt

Cray

   Cray, Inc. is not vulnerable since the ftp supplied with UNICOS and
   UNICOS/mk is not based on the Washington University version. Cray did
   check their ftp code and does not see this exploit.

Debian

   Debian addressed VU#639760 with Debian Security Advisory DSA-016 in
   January 2001:

          http://www.debian.org/security/2001/dsa-016

Hewlett-Packard Company

   HP's HP-UX is immune to this issue. It was fixed in conjunction with
   the last "globbing" issue announced in CERT Advisory CA-2001-07,
   released April 10, 2001. The lab did a complete check/scan of the
   globbing software, and fixed this issue then as well. Customers should
   apply the patches listed in HP Security Bulletin #162 released July
   19, 2001:

          HPSBUX0107-162 Security Vulnerability in ftpd and ftp

   Hewlett-Packard Security Bulletins are available at the IT Resource
   Center web site (registration required):

          http://www.itresourcecenter.hp.com/

IBM Corporation

   IBM's AIX operating system does not use WU-FTPD and hence is not
   vulnerable to the exploit described by CORE ST.

Immunix

   Immunix has released Security Advisory IMNX-2001-70-036-01:

          http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-036-01

OpenBSD

   OpenBSD does not use WU-FTPD.

RedHat Inc.

   RedHat has released Errata Advisory RHSA-2001-147:

          http://www.redhat.com/support/errata/RHSA-2001-147.html

SGI

   SGI does not ship IRIX with wu-ftpd, so IRIX is not vulnerable to
   these issues.

SuSE

   SuSE has released SuSE Security Announcement SuSE-SA:2001:043.

WU-FTPD

   The WU-FTPD Development Group has provided source code patches that
   address both of these issues.
     * VU#886083:
       ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/ftpglob.patch
     * VU#639760:
       ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch
     _________________________________________________________________

   The CERT Coordination Center thanks CORE Security Technologies and the
   WU-FTPD Development Group for their help.
     _________________________________________________________________

   Author: Art Manion
     _________________________________________________________________

   References
     * http://www.kb.cert.org/vuls/id/886083
     * http://www.kb.cert.org/vuls/id/639760
     * http://www.kb.cert.org/vuls
     * http://www.ietf.org/rfc/rfc931.txt
     * http://www.ietf.org/rfc/rfc1413.txt
     * http://www.ietf.org/rfc/rfc959.txt
     * http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=10&idx=172
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-33.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History
November 29, 2001: Initial release



