
[linux-security] ALERT: remote root exploit in wu-ftpd



Topic
=====
remote root exploit in wu-ftpd (ftp daemon for most Linux distributions)

Problem Description
===================
There is a bug in the wu-ftpd code that can be exploited remotely.
Obviously immediate action is required.
The problem is due to a combination of bugs, one located within the
function responsible for the globbing feature, which fails to properly
signal an error to its caller under certain conditions. The glob function
does not properly handle the string "~{" as an illegal parameter.
The other bug is in the caller, a command parser function, which incorrectly
handles the error status returned by the glob function and thereby allows
corruption of the process memory space.

If you allow anonymous ftp access to your Linux box, this bug can be
exploited remotely by everybody in the world to gain root access on your
machine. But even if you do not allow anonymous ftp access, this bug
still allows every user with ftp access to gain root on your machine.

Affected Systems
================
All systems that have wu-ftpd with versions < 2.6.2.

Workaround (recommended!)
=========================
Uninstall wu-ftpd, comment out the ftp line in /etc/inetd.conf or, if
you are using xinetd, disable ftp in the corresponding xinetd configuration
file (usually /etc/xinetd.conf or /etc/xinetd.d/wu-ftpd), and use scp,
sftp, sftp-server from the openssh and openssh-server packages.
ssh, scp, sftp allow you to 

E.g., for RedHat 7.2 this amounts to:
# rpm -e wu-ftpd
# rpm -Uvh openssh-2.9p2-9.i386.rpm openssh-clients-2.9p2-9.i386.rpm \
           openssh-server-2.9p2-9.i386.rpm

The only case for which this workaround does not work is if you must provide
anonymous ftp access. 
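As an added audit helper (not from the advisory or the wu-ftpd project), the script below checks the two conditions described above: whether a wu-ftpd version string is older than 2.6.2, and whether ftp is still switched on in an inetd.conf line or an xinetd service file. The config files it writes are constructed samples; the function and file names are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the advisory or of the wu-ftpd project.
# It checks the two things the advisory cares about: whether an upstream
# wu-ftpd version is older than 2.6.2, and whether the ftp service is still
# switched on in an inetd.conf or xinetd service file.

# Returns 0 (true) when upstream version $1 is < 2.6.2. Only the numeric
# prefix is compared, so a distribution release such as "2.6.1-20" is
# reported as affected even though the vendor backported the fix into it;
# for vendor packages trust the vendor's fixed release, not this function.
wu_ftpd_version_affected() {
    set -- $(printf '%s' "$1" | sed 's/[^0-9.].*//' | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 6 ] && return 0
    [ "$minor" -gt 6 ] && return 1
    [ "$patch" -lt 2 ]
}

# Returns 0 when inetd.conf-style file $1 still has an uncommented ftp line.
inetd_ftp_enabled() {
    grep -Eq '^[[:space:]]*ftp[[:space:]]' "$1"
}

# Returns 0 when xinetd service file $1 lacks "disable = yes".
xinetd_ftp_enabled() {
    ! grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Writes constructed sample config files into directory $1 for a dry run.
write_sample_configs() {
    printf '%s\n' '#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a' \
        'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd' > "$1/inetd.conf"
    printf '%s\n' 'service ftp' '{' '        disable = no' \
        '        server = /usr/sbin/in.ftpd' '}' > "$1/wu-ftpd"
}

# Demo against the constructed samples: prints one finding per check.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); write_sample_configs "$tmp"
    wu_ftpd_version_affected 2.6.1 && echo "wu-ftpd 2.6.1: affected, upgrade to 2.6.2"
    inetd_ftp_enabled "$tmp/inetd.conf" || echo "inetd.conf: ftp line commented out"
    xinetd_ftp_enabled "$tmp/wu-ftpd" && echo "xinetd wu-ftpd: still enabled, set disable = yes"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the checks against the sample files, or source it and point the functions at your own /etc/inetd.conf and /etc/xinetd.d/wu-ftpd.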

Solution
========
Upgrade to wu-ftpd-2.6.2 (which was released on Nov. 30, 2001; you will find a
copy of the source code on fraser at /usr/local/src/wu-ftpd/wu-ftpd-2.6.2.tar.gz)
or upgrade to a patched version for your distribution.

RedHat 6.x
----------
# rpm -Fvh wu-ftpd-2.6.1-0.6x.21.i386.rpm

RedHat 7.0, 7.1
---------------
# rpm -Fvh wu-ftpd-2.6.1-16.7x.1.i386.rpm

RedHat 7.2
----------
# rpm -Fvh wu-ftpd-2.6.1-20.i386.rpm

Debian
------
Debian is vulnerable to this bug, but has not released updates yet.
I recommend either switching off ftp access to your machine and waiting
until updates are released, or compiling wu-ftpd-2.6.2 from source.

Mandrake
--------
To my knowledge Mandrake uses proftpd instead of wu-ftpd by default.
proftpd is not vulnerable to this bug. However, Mandrake does provide
a wu-ftpd rpm that is vulnerable. There are no updates for the wu-ftpd
rpm from Mandrake yet. Hence you should either
- use the workaround described above (recommended)
- switch to proftpd, i.e.,
  # rpm -e wu-ftpd
  # rpm -Uvh proftpd-*mdk.i586.rpm
  where proftpd-*mdk.i586.rpm is the newest version of proftpd for your version
  of Mandrake
- compile wu-ftpd-2.6.2 from source.

Caldera OpenLinux 2.3, eServer 2.3.1, eDesktop 2.4
--------------------------------------------------
# rpm -Fvh wu-ftpd-2.6.1-13OL.i386.rpm

Caldera OpenLinux 3.1 Server
----------------------------
# rpm -Fvh wu-ftpd-2.6.1-13.i386.rpm

Caldera OpenLinux 3.1 Workstation
---------------------------------
not vulnerable