Here's a heads-up to all of you running wu-ftpd. A serious vulnerability has been found (yet again) that can give an intruder root privileges. All vendors have either released patches or are in the process of releasing patches. I STRONGLY recommend patching your systems as soon as possible or disabling wu-ftpd if a patch is not available. Better yet, replace wu-ftpd with an alternative that is more secure.
Here is the advisory from CORE.

regards,
Kerry.

-----Forwarded Message-----

> From: Iván Arce <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: CORE-20011001: Wu-FTP glob heap corruption vulnerability
> Date: 28 Nov 2001 23:01:05 -0300
>
> CORE Security Technologies
> http://www.corest.com
>
> Vulnerability Report For WU-FTPD Server
>
>
> Date Published: 2001-11-28
>
> Last Update: 2001-11-28
>
> Advisory ID: CORE-20011001
>
> Bugtraq ID: 3581
>
> CVE CAN: None currently assigned
>
> Title: WU-FTPD Improper Ftpglob Error Handling Vulnerability
>
> Class: Failure to handle exceptional conditions
>
> Remotely Exploitable: Yes
>
> Locally Exploitable: Yes
>
> Release Mode: FORCED RELEASE
>
> Vulnerability Description:
>
> The Washington University FTP daemon (WU-FTPD) is a highly modified and
> significantly complex version of FTPD that provides some extra features:
> custom logging, limited remote command support, and other enhancements
> to the standard BSD version of FTPD.
>
> A problem was found in all versions of Wu-FTPD included by default in all
> major Linux distributions. Other platforms that ship wu-ftpd and FTP
> server programs derived from it are affected.
>
> By exploiting this problem, any user who is able to log into a vulnerable
> version of the WU-FTPD server may be able to execute arbitrary code
> remotely with the privileges of the server process (usually root) which
> can lead to complete system compromise.
>
> The problem is due to a combination of bugs, one located within the
> function responsible for the globbing feature, which fails to properly
> signal an error to its caller under certain conditions. The glob function
> does not properly handle the string "~{" as an illegal parameter.
> The other bug is at the caller, a command parser function, that incorrectly
> handles the error status returned by the glob function allowing the
> corruption of the process memory space.
>
> For those interested in a technical description and proof of concept follow
> towards the end of this advisory.
>
> Vulnerable Packages:
>
> WU-FTPD
>
> All versions of wu-ftpd including and up to 2.6.1 are vulnerable.
> Version 2.7.0 snapshots are also vulnerable.
> Note that 2.7.0 has not been released officially and is currently a
> testing version.
>
> Washington University wu-ftpd 2.6.1
> + Caldera OpenLinux Server 3.1
> + Caldera OpenLinux Workstation 3.1
> + Cobalt Qube 1.0
> + Conectiva Linux 7.0
> + Conectiva Linux 6.0
> + MandrakeSoft Corporate Server 1.0.1
> + MandrakeSoft Linux Mandrake 8.1
> + MandrakeSoft Linux Mandrake 8.0 ppc
> + MandrakeSoft Linux Mandrake 8.0
> + MandrakeSoft Linux Mandrake 7.2
> + MandrakeSoft Linux Mandrake 7.1
> + MandrakeSoft Linux Mandrake 7.0
> + MandrakeSoft Linux Mandrake 6.1
> + MandrakeSoft Linux Mandrake 6.0
> + RedHat Linux 7.2 noarch
> + RedHat Linux 7.2 ia64
> + RedHat Linux 7.2 i686
> + RedHat Linux 7.2 i586
> + RedHat Linux 7.2 i386
> + RedHat Linux 7.2 athlon
> + RedHat Linux 7.2 alpha
> + RedHat Linux 7.1 noarch
> + RedHat Linux 7.1 ia64
> + RedHat Linux 7.1 i686
> + RedHat Linux 7.1 i586
> + RedHat Linux 7.1 i386
> + RedHat Linux 7.1 alpha
> + RedHat Linux 7.0 sparc
> + RedHat Linux 7.0 i386
> + RedHat Linux 7.0 alpha
> + TurboLinux TL Workstation 6.1
> + TurboLinux Turbo Linux 6.0.5
> + TurboLinux Turbo Linux 6.0.4
> + TurboLinux Turbo Linux 6.0.3
> + TurboLinux Turbo Linux 6.0.2
> + TurboLinux Turbo Linux 6.0.1
> + TurboLinux Turbo Linux 6.0
> + Wirex Immunix OS 7.0-Beta
> + Wirex Immunix OS 7.0
> Washington University wu-ftpd 2.6.0
> + Cobalt Qube 1.0
> + Conectiva Linux 5.1
> + Conectiva Linux 5.0
> + Conectiva Linux 4.2
> + Conectiva Linux 4.1
> + Conectiva Linux 4.0es
> + Conectiva Linux 4.0
> + Debian Linux 2.2 sparc
> + Debian Linux 2.2 powerpc
> + Debian Linux 2.2 arm
> + Debian Linux 2.2 alpha
> + Debian Linux 2.2 68k
> + Debian Linux 2.2
> + RedHat Linux 6.2 sparc
> + RedHat Linux 6.2 i386
> + RedHat Linux 6.2 alpha
> + RedHat Linux 6.1 sparc
> + RedHat Linux 6.1 i386
> + RedHat Linux 6.1 alpha
> + RedHat Linux 6.0 sparc
> + RedHat Linux 6.0 i386
> + RedHat Linux 6.0 alpha
> + RedHat Linux 5.2 sparc
> + RedHat Linux 5.2 i386
> + RedHat Linux 5.2 alpha
> + S.u.S.E. Linux 6.4ppc
> + S.u.S.E. Linux 6.4alpha
> + S.u.S.E. Linux 6.4
> + S.u.S.E. Linux 6.3 ppc
> + S.u.S.E. Linux 6.3 alpha
> + S.u.S.E. Linux 6.3
> + S.u.S.E. Linux 6.2
> + S.u.S.E. Linux 6.1 alpha
> + S.u.S.E. Linux 6.1
> + TurboLinux Turbo Linux 4.0
> + Wirex Immunix OS 6.2
> Washington University wu-ftpd 2.5.0
> + Caldera eDesktop 2.4
> + Caldera eServer 2.3.1
> + Caldera eServer 2.3
> + Caldera OpenLinux 2.4
> + Caldera OpenLinux Desktop 2.3
> + RedHat Linux 6.0 sparc
> + RedHat Linux 6.0 i386
> + RedHat Linux 6.0 alpha
>
> Sun Microsystems Inc.
>
> The Sun Cobalt Qube1 is vulnerable.
>
> Solaris is NOT vulnerable to this problem.
>
> As reported by Brent Paulson from Sun regarding
> Solaris ISP server that ships with a wu-ftpd derived server:
> "The Sun engineering group for the SISP in.ftpd product
> has verified that we are not vulnerable to the issue
> described in the described vulnerability."
>
>
> Hewlett Packard
>
> As reported by Dan Grove from HP:
>
> " HP-UX is immune to this issue. It was fixed
> in conjunction with the last "globbing" issue
> announced in CERT Advisory CA-2001-07, released
> April 10, 2001. The lab did a complete check/scan
> of the globbing software, and fixed this issue then
> as well. Customers should apply the patches listed
> in HP Security Bulletin #162 released July 19,2001:
>
> HPSBUX0107-162 Security Vulnerability in ftpd and ftp"
>
>
> Solution/Vendor Information/Workaround:
>
> Wu-FTPD
> The wu-ftpd development team has devised a patch
> that fixes the problem and it is already applied to
> the current wu-ftpd source tree.
> Current 2.7.0 snapshots are NOT vulnerable, however 2.7.0 is
> not an official wu-ftpd release and should be thought of
> as a version for testing.
>
> The team will provide patches for the vulnerable
> WU-ftpd releases shortly.
>
> RedHat
>
> RedHat Linux has released an advisory and
> SRPMs to address the problem, they can be obtained
> from
> http://www.redhat.com/support/errata/RHSA-2001-157.html
>
> Conectiva Linux
>
> Fixed packages will be made available in the next days
> for all supported Conectiva Linux distributions at
> ftp://atualizacoes.conectiva.com.br
>
> Caldera Systems
>
> OpenLinux 2.3
>
> Vulnerable.
> Fixed packages were released on 2001/11/28:
> ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/068/
>
> OpenLinux eServer 2.3.1
>
> Vulnerable.
> Fixed packages were released on 2001/11/28:
> ftp://ftp.caldera.com/pub/updates/eServer/2.3/064/
>
> OpenLinux eDesktop 2.4
>
> Vulnerable.
> Fixed packages were released on 2001/11/28:
> ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/058/
>
> OpenLinux Workstation 3.1
>
> Not vulnerable. (Does not include wu-ftpd)
>
> OpenLinux Server 3.1
>
> Vulnerable.
> Fixed packages were released on 2001/11/28:
> ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/020/
>
> Sun Microsystems
>
> "The only Sun Cobalt Server Appliance that is vulnerable to this
> exploit is the Qube1. The Qube1 is no longer a supported appliance,
> but we do understand the need of having updates available.
> The following RPM is not officially supported by Sun Cobalt,
> but offers legacy customers the ability to maintain a limited
> level of security."
>
> Qube1:
>
> ftp://ftp.cobaltnet.com/pub/unsupported/qube1/rpms/wu-ftpd-2.6.1-C1.NOPAM.mips.rpm
>
> ftp://ftp.cobaltnet.com/pub/unsupported/qube1/srpms/wu-ftpd-2.6.1-C1.NOPAM.src.rpm
>
>
> SuSE Linux
>
> SuSE have the set of patches to fix the vulnerability.
> Updated packages that fix the vulnerability are available
> from the following URLs:
>
> i386 Intel Platform:
>
> SuSE-7.3
> ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-344.i386.rpm
> d1b549b8c2d91d66a8b35fe17a1943b3
> source rpm:
> ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/wuftpd-2.6.0-344.src.rpm
> 9ef0e6ac850499dc0150939c62bc146f
>
> SuSE-7.2
> ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-344.i386.rpm
> 4583443a993107b26529331fb1e6254d
> source rpm:
> ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/wuftpd-2.6.0-344.src.rpm
> aaee0343670feae70ccc9217a8e22211
>
> SuSE-7.1
> ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/wuftpd-2.6.0-346.i386.rpm
> 347a030a85cb5fcbe32d3d79d382e19e
> source rpm:
> ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/wuftpd-2.6.0-346.src.rpm
> aa3e53641f6ce0263196e6f1cb0447c3
>
> SuSE-7.0
> ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/wuftpd-2.6.0-344.i386.rpm
> e34eec18ecc10f187f6aa1aa3b24b75b
> source rpm:
> ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/wuftpd-2.6.0-344.src.rpm
> fafc8c2bbd68dd5ca3d04228433c359a
>
> SuSE-6.4
> ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/wuftpd-2.6.0-344.i386.rpm
> 2354abe95b056762c7f6584449291ff2
> source rpm:
> ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/wuftpd-2.6.0-344.src.rpm
> 507b8d484b13737c9d2b6a68fda0cc26
>
> SuSE-6.3
> ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/wuftpd-2.6.0-347.i386.rpm
> 9851ad02e656bba8b5e02ed2ddb46845
> source rpm:
> ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/wuftpd-2.6.0-347.src.rpm
> 5d7c4b6824836ca28b228cc5dcfc4fd6
>
> Sparc Platform:
>
> SuSE-7.3
> ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-240.sparc.rpm
> 2d19e4ead17396a1e28fca8745f9629d
> source rpm:
> ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/wuftpd-2.6.0-240.src.rpm
> bdb0b5ddd72f8563db3c8e444a0df7f5
>
> SuSE-7.1
> ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/wuftpd-2.6.0-242.sparc.rpm
> f6b04f284bece6bf3700facccc015ffe
> source rpm:
> ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/wuftpd-2.6.0-242.src.rpm
> 1660547ac9a5a3b32a4070d69803cf18
>
> SuSE-7.0
> ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/wuftpd-2.6.0-241.sparc.rpm
> 1bd905b095b9a4bb354fc190b6e54a01
> source rpm:
> ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/wuftpd-2.6.0-241.src.rpm
> 597263eb7d0fbbf242d519d3c126a441
>
> AXP Alpha Platform:
>
> SuSE-7.1
> ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/wuftpd-2.6.0-252.alpha.rpm
> e608bfd2cc9e511c6eb6932c33c68789
> source rpm:
> ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/wuftpd-2.6.0-252.src.rpm
> 34915af1ca79b27bad8bc2fd3a5cab05
>
> SuSE-7.0
> ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/wuftpd-2.6.0-251.alpha.rpm
> 86a7d8f60d76a053873bcc13860b0bbb
> source rpm:
> ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/wuftpd-2.6.0-251.src.rpm
> 9674f9f1630b3107ac22d275705da76e
>
> SuSE-6.4
> ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/wuftpd-2.6.0-251.alpha.rpm
> 2501444a1e4241e8f6f4cdcc6fd133b0
> source rpm:
> ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/wuftpd-2.6.0-251.src.rpm
> 34812d943900bdb902ad7edd40e1943f
>
> SuSE-6.3
> ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/wuftpd-2.6.0-250.alpha.rpm
> 429a49ef9d4d0865fbb443c212b8a8c7
> source rpm:
> ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/wuftpd-2.6.0-250.src.rpm
> 76467dae0f460677ba80ec907eefca28
>
> PPC Power PC Platform:
>
> SuSE-7.3
> ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-277.ppc.rpm
> a381269b3e2fc43fda59e4d08aef57ae
> source rpm:
> ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/wuftpd-2.6.0-277.src.rpm
> 7cacb696a88e57a843402a796212aee6
>
> SuSE-7.1
> ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/wuftpd-2.6.0-277.ppc.rpm
> bfc39be2c09323d96f974fdd0c73fda1
> source rpm:
> ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/wuftpd-2.6.0-277.src.rpm
> e2681b2ed4801ce14b5dfb926480ac51
>
> SuSE-7.0
> ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/wuftpd-2.6.0-279.ppc.rpm
> 19f989e637fd9b6fa652f8a4014bb7b1
> source rpm:
> ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/wuftpd-2.6.0-279.src.rpm
> 76c493a915691c51a2481f0925e8ce39
>
> SuSE-6.4
> ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/wuftpd-2.6.0-278.ppc.rpm
> ad29cf172bbd03a5e1f301cf6b9404e5
> source rpm:
> ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/wuftpd-2.6.0-278.src.rpm
> 82338702692eba599d8c3d242aff3d1a
>
> MandrakeSoft
>
> MandrakeSoft has developed a patch for the problem, fixed packages
> will be made available shortly.
>
> Turbo Linux
>
> Contact Turbo-linux for patch information and fixed packages.
> http://www.turbolinux.com/security/
>
> Debian Linux
>
> Debian has developed a patch for the problem, fixed packages
> will be made available shortly.
>
>
> WireX Immunix
>
> WireX has developed a patch for the problem, fixed packages
> will be made available shortly.
>
> Workaround:
>
> To prevent exploitation of this bug it is advised to disable anonymous
> FTP access until patches are applied.
> Notice that legit users with FTP accounts can still exploit the problem
> even if anonymous access is disabled. If legit ftp accounts pose
> a security risk, FTP service should be disabled completely until
> fixed packages are deployed.
>
>
> Vendors notified on: November 14th, 2001
>
> Credits:
>
> This vulnerability was initially reported to the vuln-dev mailing list
> at SecurityFocus.com by Matt Power from Bindview Corp. on April 30th, 2001.
> At that moment, it was thought to be a non-exploitable bug and no further
> research was conducted.
>
> The bug was rediscovered independently by Luciano Notarfrancesco and
> Juan Pablo Martinez Kuhn from Core Security Technologies and confirmed to
> be exploitable on Nov. 1st, 2001.
>
> This advisory was drafted with the aid of the Vulnerability Help team at
> SecurityFocus.com.
>
> We would like to thank the VulnHelp Team, CERT, the WU-ftpd development
> team and the Linux vendors for their efforts trying to coordinate the
> release of information and availability of fixes.
>
> Technical Description - Exploit/Concept Code:
>
> Tests were performed using wu-ftp server versions 2.6.1 and 2.7.0 snapshots.
>
> WU-FTPD server features globbing capabilities, allowing a user to search
> pathnames matching patterns according to the rules used by the shell.
> The feature does not use the glibc implementation of the glob()
> function, instead it implements its own in the glob.c file.
>
> This implementation fails to set the globerr variable under certain
> circumstances, bypassing error checking after the call, and trying to free
> an uninitialized memory address. This memory address is located in the
> process heap and can be manipulated by the user, issuing specially crafted
> commands beforehand to the server. This issue was found twice in the source
> code.
>
> The handling of the globbing metacharacters is done by the ftpglob()
> function included in the glob.c file. The function is called for example
> from ftpcmd.y line 1277 and line 1303 while processing pathnames for
> restricted and non-restricted users beginning with a '/' or a '~'
> character respectively.
>
>     if (restricted_user && logged_in && $1 && strncmp($1, "/", 1) == 0) {
>         [...]
>         globlist = ftpglob(t);
>         [...]
>     }
>
>     else if (logged_in && $1 && strncmp($1, "~", 1) == 0) {
>         char **globlist;
>
>         globlist = ftpglob($1);
>         [...]
>     }
>
> After that, the variable globerr is checked to handle any possible error
> that could have happened during the globbing process; setting this variable
> is the responsibility of the ftpglob() function.
>
> Under certain circumstances not properly handled by the function, globerr
> is not set even though an error condition is present.
>
> Not being initialized explicitly, globlist contains what was in the heap
> before, which can be properly set with specially crafted requests to the
> server.
>
> As the globerr was not set properly, the function attempts to free
> the provided pointer in ftpcmd.y line 1282 and line 1288.
>
>     if (globerr) {
>         reply(550, globerr);
>         $$ = NULL;
>         if (globlist) {
>             blkfree(globlist);
>             free((char *) globlist);
>         }
>     }
>     else if (globlist) {
>         $$ = *globlist;
>         blkfree(&globlist[1]);
>         free((char *) globlist);
>     }
>
> As shown, during the processing of a globbing pattern, the
> Wu-Ftpd implementation creates a list of the files that match.
> The memory where this data is stored is on the heap, allocated using
> malloc(). The globbing function simply returns a pointer to the list.
> It is up to the calling functions to free the allocated memory.
>
> If an error occurs processing the pattern, memory will not be allocated
> and a variable indicating this should be set.
> The calling functions must check the value of this variable before
> attempting to use the globbed filenames (and later freeing the memory).
>
> Under certain circumstances, the globbing function does not set this
> variable when an error occurs. As a result of this, Wu-Ftpd will eventually
> attempt to free uninitialized memory.
>
> If this region of memory contained user-controllable data before the free
> call, it is possible to have an arbitrary word in memory overwritten with
> an arbitrary value. This can lead to execution of arbitrary code if function
> pointers or return addresses are overwritten.
>
> Details of how to exploit this type of problem are in the
> public domain and can be found in Phrack Magazine #57 article 9:
>
> http://www.phrack.org/show.php?p=57&a=9
>
> Unsuccessful exploitation of the problem does not lead to denial of service
> attacks as the ftp server continues normal execution, only the thread
> handling the request fails, helping the attacker to succeed.
>
>
> The following excerpt is a sample verification of the existence of
> the problem:
>
>     ftp> open localhost
>     Connected to localhost (127.0.0.1).
>     220 sasha FTP server (Version wu-2.6.1-18) ready.
>     Name (localhost:root): anonymous
>     331 Guest login ok, send your complete e-mail address as password.
>     Password:
>     230 Guest login ok, access restrictions apply.
>     Remote system type is UNIX.
>     Using binary mode to transfer files.
>     ftp> ls ~{
>     227 Entering Passive Mode (127,0,0,1,241,205)
>     421 Service not available, remote server has closed connection
>
>     1405 ?        S    0:00 ftpd: accepting connections on port 21
>     7611 tty3     S    1:29 gdb /usr/sbin/wu.ftpd
>    26256 ?        S    0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
>    26265 tty3     R    0:00 bash -c ps ax | grep ftpd
>     (gdb) at 26256
>     Attaching to program: /usr/sbin/wu.ftpd, process 26256
>     Symbols already loaded for /lib/libcrypt.so.1
>     Symbols already loaded for /lib/libnsl.so.1
>     Symbols already loaded for /lib/libresolv.so.2
>     Symbols already loaded for /lib/libpam.so.0
>     Symbols already loaded for /lib/libdl.so.2
>     Symbols already loaded for /lib/i686/libc.so.6
>     Symbols already loaded for /lib/ld-linux.so.2
>     Symbols already loaded for /lib/libnss_files.so.2
>     Symbols already loaded for /lib/libnss_nisplus.so.2
>     Symbols already loaded for /lib/libnss_nis.so.2
>     0x40165544 in __libc_read () from /lib/i686/libc.so.6
>     (gdb) c
>     Continuing.
>
>     Program received signal SIGSEGV, Segmentation fault.
>     __libc_free (mem=0x61616161) at malloc.c:3136
>     3136    in malloc.c
>
>
> Note that the segmentation fault is generated because the program is trying
> to free() a user provided (and in this case invalid) memory chunk referenced
> by the value 0x61616161 (or its ASCII equivalent 'aaaa', sent earlier in the
> session as the user password); this should be enough of a hint on the
> existence and exploitability of the bug.
>
>
> DISCLAIMER:
>
> The contents of this advisory are copyright (c) 2001 CORE Security
> Technologies and may be distributed freely provided that no fee is charged
> for this distribution and proper credit is given.
>
> $Id: WUFTPD_free_advisory.txt,v 1.5 2001/11/29 02:05:13 iarce Exp $
>
>
>
> --- for a personal reply use: Iván Arce <[EMAIL PROTECTED]>
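The bug pattern the advisory describes, modelled end to end as an added example: ftpglob() hands back a freshly allocated result vector on the "~{" error path without filling it or setting globerr, the caller logic quoted from ftpcmd.y takes the success branch, and blkfree(&globlist[1]) frees whatever pointer values the chunk still holds from the password the client sent earlier. This is not code from the advisory or from wu-ftpd. A tiny single-bin allocator (arena_alloc/arena_free) stands in for malloc()/free() so the invalid free is counted instead of faulting as in the gdb session above; ftpglob_vuln, ftpglob_fixed, run_session, all_a_pointer and DEMO_PASSWORD are hypothetical names, and the password is a constructed 30-byte string of 'a' as in the advisory's ps output.

```c
/* Added example, not advisory or wu-ftpd code. Models the ftpglob()/ftpcmd.y
 * bug on a single-bin bump allocator so that the bad free is recorded rather
 * than crashing. All names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK      256          /* one size class, like a glibc bin */
#define ARENA_SIZE (4 * CHUNK)
#define GAVSIZ     32           /* slots in the glob result vector */

static unsigned char arena[ARENA_SIZE];   /* stand-in for the process heap */
static size_t    arena_top;               /* bump pointer */
static void     *free_chunk;              /* single-entry free list */
static int       bad_free_count;          /* frees of pointers outside the arena */
static uintptr_t first_bad_free;          /* value handed to the first such free */
static const char *globerr;               /* NULL means "no error", as in wu-ftpd */

/* malloc() stand-in: a freed chunk is reused first, old bytes untouched. */
static void *arena_alloc(size_t n)
{
    void *p;
    if (n > CHUNK)
        return NULL;
    if (free_chunk) {
        p = free_chunk;
        free_chunk = NULL;
        return p;
    }
    if (arena_top + CHUNK > ARENA_SIZE)
        return NULL;
    p = arena + arena_top;
    arena_top += CHUNK;
    return p;
}

/* free() stand-in: an address that never came from this heap is counted;
 * glibc would fault here, as it did on 0x61616161 in the gdb excerpt. */
static void arena_free(void *p)
{
    uintptr_t a = (uintptr_t)p;
    if (a < (uintptr_t)arena || a >= (uintptr_t)arena + ARENA_SIZE) {
        if (bad_free_count++ == 0)
            first_bad_free = a;
        return;
    }
    free_chunk = p;                       /* contents are not cleared */
}

/* blkfree() as in wu-ftpd: free every entry up to the NULL terminator. */
static void blkfree(char **av)
{
    for (; *av != NULL; av++)
        arena_free(*av);
}

/* Vulnerable shape: the vector is allocated before the pattern is checked,
 * and the "~{" path returns it unfilled with globerr still NULL. */
static char **ftpglob_vuln(const char *pat)
{
    char **gargv = arena_alloc(GAVSIZ * sizeof *gargv);
    globerr = NULL;
    if (gargv == NULL)
        return NULL;
    if (strncmp(pat, "~{", 2) == 0)
        return gargv;                     /* BUG: error not signalled */
    gargv[0] = (char *)pat;               /* one "match": the literal name */
    gargv[1] = NULL;
    return gargv;
}

/* Fixed shape: every error path sets globerr and returns NULL, and nothing
 * is allocated until the pattern has been accepted. */
static char **ftpglob_fixed(const char *pat)
{
    char **gargv;
    globerr = NULL;
    if (strncmp(pat, "~{", 2) == 0) {
        globerr = "Tilde expansion failed.";
        return NULL;
    }
    gargv = arena_alloc(GAVSIZ * sizeof *gargv);
    if (gargv == NULL) {
        globerr = "Out of memory.";
        return NULL;
    }
    gargv[0] = (char *)pat;
    gargv[1] = NULL;
    return gargv;
}

/* One session: the password line is stored on the heap and released, then
 * "ls ~{" runs the caller logic quoted from ftpcmd.y. Returns how many
 * invalid frees that logic performed. */
static int run_session(char **(*ftpglob)(const char *), const char *password)
{
    char *line, **globlist;
    memset(arena, 0, sizeof arena);       /* fresh heap per session */
    arena_top = 0; free_chunk = NULL; bad_free_count = 0; first_bad_free = 0;
    line = arena_alloc(strlen(password) + 1);
    strcpy(line, password);
    arena_free(line);                     /* chunk goes to the bin, bytes stay */
    globlist = ftpglob("~{");             /* vector lands on the old password */
    if (globerr) {
        if (globlist) { blkfree(globlist); arena_free(globlist); }
    } else if (globlist) {
        blkfree(&globlist[1]);            /* walks attacker-supplied words */
        arena_free(globlist);
    }
    return bad_free_count;
}

/* A pointer made of 'a' bytes: 0x61616161 on 32-bit, as in the advisory. */
static uintptr_t all_a_pointer(void)
{
    uintptr_t v;
    memset(&v, 'a', sizeof v);
    return v;
}

static const char DEMO_PASSWORD[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; /* 30 'a' */

int main(void)
{
    int n = run_session(ftpglob_vuln, DEMO_PASSWORD);
    printf("vulnerable: %d invalid free(s), first on %#lx\n", n, (unsigned long)first_bad_free);
    n = run_session(ftpglob_fixed, DEMO_PASSWORD);
    printf("fixed: %d invalid free(s), globerr=\"%s\"\n", n, globerr);
    return 0;
}
```

The vulnerable run frees three words on a 64-bit build (seven on 32-bit), every one of them taken from the password bytes, and the first is entirely 'a'; the fixed run frees nothing because globerr is set and the vector is NULL. The same two properties are what the real fix needs: the callee must report every failure through globerr (or a NULL return), and the caller must never trust a pointer it did not see initialised.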
