[UNIX] Wu-Ftpd File Globbing Heap Corruption Vulnerability

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Wu-Ftpd File Globbing Heap Corruption Vulnerability
Message-Id: <20011130214032.4B0BA138BF@mail.der-keiler.de>
Date: Fri, 30 Nov 2001 22:40:32 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Wu-Ftpd File Globbing Heap Corruption Vulnerability
------------------------------------------------------------------------

SUMMARY

Wu-Ftpd contains a remotely exploitable heap corruption bug. The
vulnerability allows a remote attacker to execute arbitrary code on the
server. If anonymous FTP is enabled on the server, the vulnerability is
exploitable by arbitrary attackers.

DETAILS

Vulnerable systems:
Washington University wu-ftpd 2.6.1 and prior

Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by
Washington University.

Wu-Ftpd allows clients to organize files for ftp actions based on "file
globbing" patterns. File globbing is also used by various shells. The
implementation of file globbing included in Wu-Ftpd contains a heap
corruption vulnerability that may allow an attacker to execute arbitrary
code on a server remotely.

During the processing of a globbing pattern, the Wu-Ftpd implementation
creates a list of the files that match. The memory where this data is
stored is on the heap, allocated using malloc(). The globbing function
simply returns a pointer to the list. It is up to the calling functions to
free the allocated memory.

If an error occurs while processing the pattern, no memory is allocated
and a variable indicating the error should be set. The calling functions
must check the value of this variable before attempting to use the globbed
filenames (and before later freeing the memory).

When certain globbing patterns are processed, the globbing function does
not set this variable when an error occurs. Because of this, Wu-Ftpd may
eventually call free() on an uninitialized pointer. There are a number of
possibly exploitable conditions.

If this region of memory contained user-controllable data before the free
call, it may be possible to have an arbitrary word in memory overwritten
with an arbitrary value. This can lead to execution of arbitrary code if
function pointers or return addresses are overwritten.
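The contract described above, as a constructed C model added here (it is not wu-ftpd's glob.c): ftpglob_buggy reports errors only through a global flag and leaves the result pointer untouched on the "~{" path, so the caller ends up freeing whatever the pointer slot already held, while ftpglob_fixed returns a status and defines the result on every path. The FILES listing, the STALE_HEAP sentinel and all function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of this advisory's bug class, not wu-ftpd's glob.c.
 * FILES is a constructed directory listing standing in for the filesystem. */
static const char *FILES[] = { "README", "pub", "incoming", NULL };
static int globerr;               /* error flag the glob routine is supposed to set */
const char *STALE_HEAP[1];        /* stands in for whatever the pointer slot held before */

/* Toy matcher: "*" matches everything, anything else must match exactly.
 * Returns a NULL-terminated heap list that the caller must free. */
static const char **match_files(const char *pattern) {
    const char **list = calloc(4, sizeof *list);
    int n = 0;
    for (int i = 0; FILES[i]; i++)
        if (strcmp(pattern, "*") == 0 || strcmp(pattern, FILES[i]) == 0)
            list[n++] = FILES[i];
    return list;
}

/* Vulnerable contract: *out is written only on success and errors go through
 * globerr, but the "~{" path (the advisory's trigger) returns without setting either. */
static void ftpglob_buggy(const char *pattern, const char ***out) {
    globerr = 0;
    if (pattern[0] == '~' && pattern[1] == '{') return;   /* BUG: nothing reported */
    if (pattern[0] == '{') { globerr = 1; return; }       /* error reported correctly */
    *out = match_files(pattern);
}

/* The pointer the buggy caller hands to free(), or NULL if it saw the flag set.
 * On "~{" this is STALE_HEAP, the analogue of free(mem=0x61616161) in the gdb trace. */
const char **buggy_caller_would_free(const char *pattern) {
    const char **list = STALE_HEAP;
    ftpglob_buggy(pattern, &list);
    return globerr ? NULL : list;
}

/* Fixed contract: status is the return value and *out is defined on every path. */
int ftpglob_fixed(const char *pattern, const char ***out) {
    *out = NULL;
    if (pattern[0] == '{' || (pattern[0] == '~' && pattern[1] == '{')) return -1;
    *out = match_files(pattern);
    return 0;
}

/* Number of matches, or -1 for a malformed pattern; never frees a stale pointer. */
int fixed_caller(const char *pattern) {
    const char **list;
    int n = 0;
    if (ftpglob_fixed(pattern, &list) != 0) { free(list); return -1; } /* free(NULL) is a no-op */
    while (list[n]) n++;
    free(list);
    return n;
}
```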

If anonymous FTP is not enabled, valid user credentials are required to
exploit this vulnerability.

This vulnerability was initially scheduled for public release on December
3, 2001. However, Red Hat has made details public as of November 27, 2001.
As a result, we are forced to warn other users of the vulnerable product,
so that they may take appropriate actions.

Attack scenarios:
To exploit this vulnerability, an attacker must either have valid
credentials to log in as an FTP user, or anonymous access must be
enabled.

The attacker must ensure that a maliciously constructed malloc header
containing the target address and its replacement value is in the right
location in the uninitialized part of the heap. The attacker must also
place shellcode in server process memory.

The attacker must send an FTP command containing a specific globbing
pattern that does not set the error variable.

When the server attempts to free the memory used to store the globbed
filenames, the target word in memory will be overwritten.

If an attacker overwrites a function pointer or return address with a
pointer to the shellcode, it may be executed by the server process.

Exploits:
The following (from the CORE advisory) demonstrates the existence of this
vulnerability:

    ftp> open localhost
    Connected to localhost (127.0.0.1).
    220 sasha FTP server (Version wu-2.6.1-18) ready.
    Name (localhost:root): anonymous
    331 Guest login ok, send your complete e-mail address as password.
    Password:
    230 Guest login ok, access restrictions apply.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls ~{
    227 Entering Passive Mode (127,0,0,1,241,205)
    421 Service not available, remote server has closed connection

    1405 ? S 0:00 ftpd: accepting connections on port 21
    7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd
    26256 ? S 0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    26265 tty3 R 0:00 bash -c ps ax | grep ftpd
    (gdb) at 26256
    Attaching to program: /usr/sbin/wu.ftpd, process 26256
    Symbols already loaded for /lib/libcrypt.so.1
    Symbols already loaded for /lib/libnsl.so.1
    Symbols already loaded for /lib/libresolv.so.2
    Symbols already loaded for /lib/libpam.so.0
    Symbols already loaded for /lib/libdl.so.2
    Symbols already loaded for /lib/i686/libc.so.6
    Symbols already loaded for /lib/ld-linux.so.2
    Symbols already loaded for /lib/libnss_files.so.2
    Symbols already loaded for /lib/libnss_nisplus.so.2
    Symbols already loaded for /lib/libnss_nis.so.2
    0x40165544 in __libc_read () from /lib/i686/libc.so.6
    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    __libc_free (mem=0x61616161) at malloc.c:3136
    3136 in malloc.c

Mitigating strategies:
This vulnerability is remotely exploitable. Restricting access to the
network port (TCP port 21 is standard for FTP) will block clients from
unauthorized networks.

With some operating systems, anonymous FTP is enabled by default.
Anonymous FTP is often in use on public FTP sites, most often software
repositories. It is basically a guest account with access to download
files from within a restricted environment. This vulnerability is
exploitable by clients logged in through anonymous FTP. Anonymous FTP
should be disabled immediately until fixes are available, as it would
allow any host on the Internet who can connect to the service to exploit
this vulnerability. It is a good idea to disable it normally unless it is
necessary (in which case the FTP server should be on a dedicated, isolated
host).

Stack and other memory protection schemes may complicate exploitability,
and/or prevent commonly available exploits from working. This should not
be relied upon for security. This vulnerability involves 'poking' words in
memory. This means that there are many different ways that it may be
exploited. Making the stack non-executable or checking the integrity of
stack variables may not be enough to prevent all possible methods of
exploitation.

It is advised to disable the service and use alternatives until fixes are
available.

Solutions:
Vendor notified on Nov 14, 2001.

Fixes will be available from the author as well as from vendors who ship
products that include Wu-Ftpd as core or optional components.

This vulnerability was initially scheduled for public release on December
3, 2001. Red Hat preemptively released an advisory on November 27, 2001.
As a result, other vendors may not yet have fixes available.

This record will be updated as fixes from various vendors become
available.

For Washington University wu-ftpd 2.6.1:

Red Hat RPM 6.2 alpha wu-ftpd-2.6.1-0.6x.21.alpha.rpm
 ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm

Red Hat RPM 6.2 sparc wu-ftpd-2.6.1-0.6x.21.sparc.rpm
 ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm

Red Hat RPM 7.0 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
 ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

Red Hat RPM 7.0 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
 ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

Red Hat RPM 7.1 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
 ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

Red Hat RPM 7.1 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
 ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

Red Hat RPM 7.1 ia64 wu-ftpd-2.6.1-16.7x.1.ia64.rpm
 ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm

Red Hat RPM 7.2 i386 wu-ftpd-2.6.1-20.i386.rpm
 ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm

Red Hat RPM 6.2 i386 wu-ftpd-2.6.1-0.6x.21.i386.rpm
 ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm

ADDITIONAL INFORMATION

The information has been provided by Dave Ahmad <da@securityfocus.com>.
