I received this today - do the RAQ machines run this? I don't know enough about the internal workings to know.
Thanks, Jale

>> CERT Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD
>>
>> Original release date: November 29, 2001
>> Last revised: --
>> Source: CERT/CC
>>
>> A complete revision history can be found at the end of this file.
>>
>>Systems Affected
>>
>> * Systems running WU-FTPD and its derivatives
>>
>>Overview
>>
>> WU-FTPD is a widely deployed software package used to provide File Transport Protocol (FTP) services on UNIX and Linux systems. There are two vulnerabilities in WU-FTPD that expose a system to potential remote root compromise by anyone with access to the FTP service. These vulnerabilities have recently received increased scrutiny.
>>
>>I. Description
>>
>> There are two remote code execution vulnerabilities in the Washington University FTP daemon (WU-FTPD). Both of these vulnerabilities have been discussed in public forums and have received widespread exposure.
>>
>> VU#886083: WU-FTPD does not properly handle glob command
>>
>> WU-FTPD features globbing capabilities that allow a user to specify multiple file names and locations using typical shell notation. See CERT Advisory CA-2001-07 for a more complete explanation of globbing.
>>
>> WU-FTPD implements its own globbing code instead of using libraries in the underlying operating system. When the globbing code is called, it allocates memory on the heap to store a list of file names that match the expanded glob expression. The globbing code is designed to recognize invalid syntax and return an error condition to the calling function. However, when it encounters a specific string, the globbing code fails to properly return the error condition. Therefore, the calling function proceeds as if the glob syntax were correct and later frees unallocated memory that can contain user-supplied data.
>>
>> If intruders can place addresses and shellcode in the right locations on the heap using FTP commands, they may be able to cause WU-FTPD to execute arbitrary code by later issuing a command that is mishandled by the globbing code.
>>
>> This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. If the exploit is successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root. If the exploit is unsuccessful, the thread servicing the request will fail, but the WU-FTPD process will continue to run.
>>
>> This vulnerability has been assigned the identifier CAN-2001-0550 by the Common Vulnerabilities and Exposures (CVE) group:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550
>>
>> CORE Security Technologies has published a Vulnerability Report on this issue:
>>
>> http://www.corest.com/pressroom/advisories_desplegado.php?dxsection=10&idx=17
>>
>> VU#639760: WU-FTPD configured to use RFC 931 authentication running in debug mode contains format string vulnerability
>>
>> WU-FTPD can perform RFC 931 authentication when accepting inbound connections from clients. RFC 931 defines the Authentication Server Protocol, and is obsoleted by RFC 1413 which defines the Identity Protocol. RFC 931 is commonly known as "auth" or "authd", and RFC 1413 is commonly known as "ident" or "identd". Both are named after the daemon that commonly provides the service.
>>
>> When using RFC 931 authentication, WU-FTPD will request ident information before authorizing a connection request from a client. The auth or ident service running on the client returns user-specific information, allowing WU-FTPD to make authentication decisions based on data in the ident response.
>>
>> WU-FTPD can also be run in debugging mode, which provides detailed information about its operation.
>>
>> When WU-FTPD is configured to perform RFC 931 authentication and is run in debug mode, it logs connection information using syslog(3) function calls. The logging code does not include format string specifiers in some syslog(3) calls, nor does the code perform adequate input validation on the contents of the identd response received from a client. As a result, a crafted identd response containing user-supplied format string specifiers is interpreted by syslog(3), possibly overwriting arbitrary locations in memory. By carefully designing such a request, an attacker may execute arbitrary code with the privileges of WU-FTPD.
>>
>> This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. The intruder must also be able to control their response to the ident request. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.
>>
>> Note that this vulnerability does not manifest unless WU-FTPD is configured to use RFC 931 authentication and is run in debug mode.
>>
>> This vulnerability has been assigned the identifier CAN-2001-0187 by the Common Vulnerabilities and Exposures (CVE) group:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0187
>>
>>II. Impact
>>
>> Both of these vulnerabilities can be exploited remotely by any user with access to the FTP service, including anonymous access. Both vulnerabilities allow an intruder to execute arbitrary code with the privileges of WU-FTPD, typically root. An exploit attempt that does not succeed in executing code may crash WU-FTPD or end the connection used by the intruder.
>>
>> For additional information about the impacts of each of these vulnerabilities, please consult the CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls).
>>
>>III. Solution
>>
>>Apply patches from your vendor
>>
>> Appendix A contains information for this advisory provided by vendors. As they report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.
>>
>>Restrict access to WU-FTPD
>>
>> As a general practice, the CERT/CC recommends disabling services and access that are not explicitly required. You may wish to disable WU-FTPD until you are able to apply a patch.
>>
>> If you cannot disable the service, you can limit your exposure to these vulnerabilities by blocking or restricting access to the control channel (by default, port 21/tcp) used by WU-FTPD. In the case of the format string vulnerability (VU#639760), an exploit would be transmitted from port 113/tcp on the attacking host to the WU-FTPD server that made the identd request. Note that blocking access from untrusted networks such as the Internet does not protect your systems against attacks from within your network.
>>
>>Disable anonymous FTP access
>>
>> Although disabling anonymous FTP access does not prevent attacks from occurring, it does prevent unauthenticated users from attempting to exploit the globbing vulnerability (VU#886083).
>>
>>Appendix A. Vendor Information
>>
>> This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Note that this advisory discusses two distinct vulnerabilities, and vendor statements may address one or both.
>>
>>Caldera
>>
>> Caldera has released Security Advisory CSSA-2001-041.0:
>>
>> http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt
>>
>>Cray
>>
>> Cray, Inc. is not vulnerable since the ftp supplied with UNICOS and UNICOS/mk is not based on the Washington University version. Cray did check their ftp code and does not see this exploit.
>>
>>Debian
>>
>> Debian addressed VU#639760 with Debian Security Advisory DSA-016 in January 2001:
>>
>> http://www.debian.org/security/2001/dsa-016
>>
>>Hewlett-Packard Company
>>
>> HP's HP-UX is immune to this issue. It was fixed in conjunction with the last "globbing" issue announced in CERT Advisory CA-2001-07, released April 10, 2001. The lab did a complete check/scan of the globbing software, and fixed this issue then as well. Customers should apply the patches listed in HP Security Bulletin #162 released July 19, 2001:
>>
>> HPSBUX0107-162 Security Vulnerability in ftpd and ftp
>>
>> Hewlett-Packard Security Bulletins are available at the IT Resource Center web site (registration required):
>>
>> http://www.itresourcecenter.hp.com/
>>
>>IBM Corporation
>>
>> IBM's AIX operating system does not use WU-FTPD, hence is not vulnerable to the exploit described by CORE ST.
>>
>>Immunix
>>
>> Immunix has released Security Advisory IMNX-2001-70-036-01:
>>
>> http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-036-01
>>
>>OpenBSD
>>
>> OpenBSD does not use WU-FTPD.
>>
>>RedHat Inc.
>>
>> RedHat has released Errata Advisory RHSA-2001-147:
>>
>> http://www.redhat.com/support/errata/RHSA-2001-147.html
>>
>>SGI
>>
>> SGI does not ship IRIX with wu-ftpd, so IRIX is not vulnerable to these issues.
>>
>>SuSE
>>
>> SuSE has released SuSE Security Announcement SuSE-SA:2001:043.
>>
>>WU-FTPD
>>
>> The WU-FTPD Development Group has provided source code patches that address both of these issues.
>>
>> * VU#886083: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/ftpglob.patch
>> * VU#639760: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch
>> _________________________________________________________________
>>
>> The CERT Coordination Center thanks CORE Security Technologies and the WU-FTPD Development Group for their help.
>> _________________________________________________________________
>>
>> Author: Art Manion
>> _________________________________________________________________
>>
>> References
>> * http://www.kb.cert.org/vuls/id/886083
>> * http://www.kb.cert.org/vuls/id/639760
>> * http://www.kb.cert.org/vuls
>> * http://www.ietf.org/rfc/rfc931.txt
>> * http://www.ietf.org/rfc/rfc1413.txt
>> * http://www.ietf.org/rfc/rfc959.txt
>> * http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=10&idx=172
>> ______________________________________________________________________
>>
>> This document is available from:
>> http://www.cert.org/advisories/CA-2001-33.html
>> ______________________________________________________________________
>>
>>CERT/CC Contact Information
>>
>> Email: [EMAIL PROTECTED]
>> Phone: +1 412-268-7090 (24-hour hotline)
>> Fax: +1 412-268-6989
>> Postal address:
>> CERT Coordination Center
>> Software Engineering Institute
>> Carnegie Mellon University
>> Pittsburgh PA 15213-3890
>> U.S.A.
>>
>> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
>>
>>Using encryption
>>
>> We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
>>
>> http://www.cert.org/CERT_PGP.key
>>
>> If you prefer to use DES, please call the CERT hotline for more information.
>>
>>Getting security information
>>
>> CERT publications and other security information are available from our web site
>>
>> http://www.cert.org/
>>
>> To subscribe to the CERT mailing list for advisories and bulletins, send email to [EMAIL PROTECTED] Please include in the body of your message
>>
>> subscribe cert-advisory
>>
>> * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
>> ______________________________________________________________________
>>
>> NO WARRANTY
>> Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
>> _________________________________________________________________
>>
>> Conditions for use, disclaimers, and sponsorship information
>>
>> Copyright 2001 Carnegie Mellon University.
>>
>> Revision History
>>November 29, 2001: Initial release

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
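An added example, not from the advisory and not WU-FTPD's own code, of the defence the VU#639760 description implies: validate the identd reply a client sends back, and hand it to syslog(3) only as a `%s` argument, never as the format string itself. The peer address, the sample replies and the 512-byte cap are constructed assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* The bug class behind VU#639760 is a call shaped like syslog(LOG_DEBUG, reply)
 * where `reply` came from the client's identd: the network data becomes the
 * format string, so directives such as %n or %x inside it are interpreted.
 * Below, the reply is always data and the format is always a constant. */

#define IDENT_MAX 512   /* assumed cap on one reply line (constructed value) */

/* Copy the identd reply into out, keeping only printable ASCII, stopping at
 * the first CR or LF, and truncating to outlen-1 bytes. Returns the number of
 * bytes dropped so the caller can flag tampered or oversized replies. */
size_t sanitize_ident_reply(const char *in, char *out, size_t outlen)
{
    size_t dropped = 0, n = 0;
    for (; *in && *in != '\r' && *in != '\n'; in++) {
        unsigned char c = (unsigned char)*in;
        if (!isprint(c) || n + 1 >= outlen) { dropped++; continue; }
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return dropped;
}

/* Build the log line with a fixed format. The reply only ever fills a %s,
 * so "%n%n%x" in it is copied verbatim instead of being interpreted.
 * Returns snprintf's count of characters that would have been written. */
int format_ident_log(const char *peer, const char *reply,
                     char *line, size_t linelen)
{
    char clean[IDENT_MAX];
    size_t dropped = sanitize_ident_reply(reply, clean, sizeof clean);
    return snprintf(line, linelen,
                    "identd reply from %s: \"%s\" (%zu byte(s) dropped)",
                    peer, clean, dropped);
}

/* The hardened logging call: the constant "%s" is the format, the
 * already-sanitized line is the argument. Compare with syslog(LOG_DEBUG, reply). */
void log_ident_reply(const char *peer, const char *reply)
{
    char line[IDENT_MAX + 128];
    format_ident_log(peer, reply, line, sizeof line);
    syslog(LOG_DEBUG, "%s", line);
}
```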
