7597991 2001-11-29 18:44 -0500 /341 lines/ CERT Advisory <cert-advisory@cert.org>
Sent by: owner-root@lysator.liu.se
Imported: 2001-11-30 03:32 by Brevbäraren
External recipient: cert-advisory@cert.org
Recipient: Bellman -- The Recursive Hacker <14766>
Received: 2001-11-30 09:29
Recipient: Bugtraq (import) <19968>
Sent: 2001-11-30 21:54
Subject: CERT Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD
------------------------------------------------------------
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Message-ID: <CA-2001-33.1@cert.org>
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD
Original release date: November 29, 2001
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Systems running WU-FTPD and its derivatives
Overview
WU-FTPD is a widely deployed software package used to provide
File Transfer Protocol (FTP) services on UNIX and Linux
systems. There are two vulnerabilities in WU-FTPD that expose
a system to potential remote root compromise by anyone with access
to the FTP service, including anonymous users. Both vulnerabilities
have recently received increased public scrutiny.
I. Description
There are two remote code execution vulnerabilities in the Washington
University FTP daemon (WU-FTPD). Both of these vulnerabilities have
been discussed in public forums and have received widespread exposure.
VU#886083: WU-FTPD does not properly handle glob command
WU-FTPD features globbing capabilities that allow a user to
specify multiple file names and locations using typical shell
notation. See CERT Advisory CA-2001-07 for a more complete
explanation of globbing.
WU-FTPD implements its own globbing code instead of using the
glob(3) routines of the underlying operating system. When the
globbing code is called, it allocates memory on the heap to store
the list of file names that match the expanded glob expression. The
globbing code is designed to recognize invalid syntax and to report
an error condition back to the calling function. However, for one
specific malformed string the globbing code fails to report the
error. The calling function therefore proceeds as if the glob syntax
were correct and later frees memory that the globbing code never
handed to it (memory that has already been released, or that was
never allocated), and which can contain user-supplied data. If
intruders can place addresses and shellcode in the right locations
on the heap using ordinary FTP commands, they may be able to cause
WU-FTPD to execute arbitrary code by later issuing a command whose
argument is mishandled by the globbing code.
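To make the bug pattern concrete, here is an added illustration in C. It is not WU-FTPD's code: the mini-glob, the quarantine allocator, and the names ftpglob_demo, list_vulnerable, glob_fixed and list_fixed are assumptions made for this example, and the specific malformed string in WU-FTPD is not the one used here. The example shows a glob routine that reports syntax errors through an out-of-band global (WU-FTPD's code used a global of this kind), one error path that forgets to set the flag and hands back a pointer to a list it has already released, and a caller that frees that list a second time. The hardened caller validates the syntax before anything is allocated and reads the verdict from the return value. The allocator never returns blocks to malloc(3), so the buggy path can be run and counted instead of corrupting the real heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quarantine allocator (assumption for the demo): blocks are never handed
 * back to malloc, so the buggy path below runs without corrupting the real
 * heap. A free of a block that is not currently live is counted, not done. */
#define SLOTS 32
static void *live[SLOTS];
static int double_frees;

static void *qalloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = p; return p; }
    abort();                          /* demo limit reached */
}

static void qfree(void *p) {
    for (int i = 0; i < SLOTS; i++)
        if (p && live[i] == p) { live[i] = NULL; return; }
    double_frees++;                   /* real free(3) would corrupt heap metadata here */
}

static char *qstrdup(const char *s) {
    char *d = qalloc(strlen(s) + 1);
    return strcpy(d, s);
}

static void free_list(char **list) {
    for (int i = 0; list[i]; i++) qfree(list[i]);
    qfree(list);
}

/* Out-of-band error flag: NULL means the last expansion succeeded. */
static const char *globerr;

/* Hypothetical mini-glob: "x{a,b}y" -> ["xay", "xby"]; a pattern without
 * braces expands to itself. Returns a NULL-terminated, freshly allocated list. */
static char **ftpglob_demo(const char *pat) {
    const char *o = strchr(pat, '{'), *c = strchr(pat, '}');
    char **list = qalloc(8 * sizeof *list);
    globerr = NULL;
    if ((!o && c) || (o && c && c < o)) {         /* error path A: handled correctly */
        qfree(list);
        globerr = "misplaced '}'";
        return NULL;
    }
    if (o && !c) {                                /* error path B: releases the list but
                                                     forgets globerr and returns the stale pointer */
        qfree(list);
        return list;
    }
    if (!o) { list[0] = qstrdup(pat); return list; }
    size_t plen = (size_t)(o - pat);
    char *alts = qstrdup(o + 1);                  /* "a,b}y" -> "a,b" */
    alts[c - o - 1] = '\0';
    int n = 0;
    for (char *tok = strtok(alts, ","); tok && n < 7; tok = strtok(NULL, ",")) {
        char *e = qalloc(plen + strlen(tok) + strlen(c + 1) + 1);
        memcpy(e, pat, plen);
        strcpy(e + plen, tok);
        strcat(e, c + 1);
        list[n++] = e;
    }
    qfree(alts);
    return list;
}

/* Caller in the shape of the vulnerable daemon: it trusts globerr alone, so on
 * error path B it walks and then frees a list the callee already released. */
static int list_vulnerable(const char *pat) {
    char **list = ftpglob_demo(pat);
    if (globerr) return -1;
    int n = 0;
    while (list[n]) n++;
    free_list(list);                              /* double free on error path B */
    return n;
}

/* Hardened: syntax is validated before anything is allocated, and the return
 * value, not a global, carries the verdict, so the two cannot disagree. */
static int glob_fixed(const char *pat, char ***out) {
    const char *o = strchr(pat, '{'), *c = strchr(pat, '}');
    *out = NULL;
    if ((o == NULL) != (c == NULL) || (o && c < o)) return -1;
    *out = ftpglob_demo(pat);                     /* only well-formed input reaches the expander */
    return 0;
}

static int list_fixed(const char *pat) {
    char **list;
    if (glob_fixed(pat, &list) != 0) return -1;
    int n = 0;
    while (list[n]) n++;
    free_list(list);
    return n;
}

int main(void) {
    int n = list_vulnerable("file{1");
    printf("vulnerable caller on \"file{1\": %d entries, double frees: %d\n", n, double_frees);
    n = list_fixed("file{1");
    printf("hardened caller on \"file{1\": %d (error), double frees: %d\n", n, double_frees);
    return 0;
}
```

The caller's check is correct in isolation; what breaks it is the contract, a success value and an error flag that can drift apart. Any fix that only patches error path B leaves the next forgotten path just as exploitable, which is why the hardened version changes the interface rather than the one branch.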
This vulnerability is potentially exploitable by any user who is
able to log in to a vulnerable server, including users with
anonymous access. If the exploit is successful, an attacker
may be able to execute arbitrary code with the privileges of
WU-FTPD, typically root. If the exploit is unsuccessful, the
process servicing that connection will terminate, but the WU-FTPD
service as a whole will continue to accept connections, so failed
attempts do not deny service to other users and may go unnoticed.
This vulnerability has been assigned the identifier
CAN-2001-0550 by the Common Vulnerabilities and Exposures (CVE)
group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550
CORE Security Technologies has published a Vulnerability
Report on this issue:
http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=10&idx=172
VU#639760: WU-FTPD configured to use RFC 931 authentication
running in debug mode contains format string vulnerability
WU-FTPD can perform RFC 931 authentication when accepting
inbound connections from clients. RFC 931 defines the
Authentication Server Protocol and is obsoleted by RFC 1413,
which defines the Identification Protocol. RFC 931 is commonly known
as "auth" or "authd", and RFC 1413 is commonly known as "ident" or
"identd". Both are named after the daemon that commonly provides
the service.
When using RFC 931 authentication, WU-FTPD will request ident
information before authorizing a connection request from a client. The
auth or ident service running on the client returns user-specific
information, allowing WU-FTPD to make authentication decisions based
on data in the ident response.
WU-FTPD can also be run in debugging mode, which provides
detailed information about its operation.
When WU-FTPD is configured to perform RFC 931 authentication and is
run in debug mode, it logs connection information using syslog(3)
function calls. In some of those calls the logging code passes a
buffer containing the identd response as the format argument itself,
rather than as data behind a fixed format such as "%s", and it does
not validate the contents of the identd response received from the
client. As a result, format directives in a crafted identd response
(for example %n, which writes to memory) are interpreted by
syslog(3), allowing the attacker to overwrite chosen locations in
memory. By carefully constructing such a response, an attacker may
execute arbitrary code with the privileges of WU-FTPD.
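As an added example (not WU-FTPD's code; the reply parser, the buffer-backed stand-in for syslog(3) and the function names ident_user, log_ident_vulnerable and log_ident_fixed are assumptions for illustration), the following C program parses an RFC 1413 reply and logs the user-id both ways. The vulnerable shape passes the line built from the reply as the format argument; the fixed shape passes a constant format and the data as a %s argument. A constructed reply whose user-id field is 100%% shows the difference without risking a crash: the vulnerable path renders it as 100%, proving that the client's bytes are being interpreted as directives, which is exactly what %x and %n would exploit.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3) that renders into a buffer so results can be
 * checked. Like syslog, its third argument is a printf-style format. */
static int fake_syslog(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Parse "<port>, <port> : USERID : <opsys> : <user-id>" (RFC 1413).
 * Returns the user-id in a static buffer, or NULL for ERROR replies, too
 * few fields, or an empty/oversized user-id. The user-id is the last
 * field and runs to end of line, so it may itself contain ':'. */
static const char *ident_user(const char *reply) {
    static char user[128];
    const char *f[4];
    size_t len[4];
    const char *s = reply;
    for (int n = 0; n < 4; n++) {
        const char *e = (n == 3) ? s + strcspn(s, "\r\n") : strchr(s, ':');
        if (!e) return NULL;                      /* too few fields */
        while (s < e && *s == ' ') s++;           /* trim leading blanks */
        const char *t = e;
        while (t > s && t[-1] == ' ') t--;        /* trim trailing blanks */
        f[n] = s;
        len[n] = (size_t)(t - s);
        s = e + 1;
    }
    if (len[1] != 6 || strncmp(f[1], "USERID", 6) != 0) return NULL;
    if (len[3] == 0 || len[3] >= sizeof user) return NULL;
    memcpy(user, f[3], len[3]);
    user[len[3]] = '\0';
    return user;
}

static char vuln_out[256], fixed_out[256];

/* Vulnerable shape: the line built from client-controlled data becomes the
 * format argument, so any %-directives in the reply are interpreted. */
static const char *log_ident_vulnerable(const char *reply) {
    const char *user = ident_user(reply);
    char line[256];
    snprintf(line, sizeof line, "ident user %s", user ? user : "(none)");
    fake_syslog(vuln_out, sizeof vuln_out, line);          /* BUG: line is the format */
    return vuln_out;
}

/* Fixed shape: constant format, client data only ever as a %s argument. */
static const char *log_ident_fixed(const char *reply) {
    const char *user = ident_user(reply);
    fake_syslog(fixed_out, sizeof fixed_out, "ident user %s", user ? user : "(none)");
    return fixed_out;
}

int main(void) {
    /* Constructed replies: a benign one and one whose user-id is "100%%". */
    const char *benign = "21, 33645 : USERID : UNIX : alice\r\n";
    const char *hostile = "21, 33645 : USERID : UNIX : 100%%\r\n";
    printf("benign,  fixed:      %s\n", log_ident_fixed(benign));
    printf("hostile, vulnerable: %s\n", log_ident_vulnerable(hostile));
    printf("hostile, fixed:      %s\n", log_ident_fixed(hostile));
    return 0;
}
```

Do not run the vulnerable path with a reply containing %s, %x or %n: with a real syslog(3) those directives read from or write to whatever the stack holds, which is the memory corruption the advisory describes. Reviewing for this class of bug is mechanical: every syslog(3), printf(3) or similar call whose format argument is not a string literal is suspect, and compilers flag them with -Wformat-security.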
This vulnerability is potentially exploitable by any user who is
able to log in to a vulnerable server, including users with
anonymous access. The intruder must also be able to control
their response to the ident request. If successful, an attacker
may be able to execute arbitrary code with the privileges of
WU-FTPD, typically root.
Note that this vulnerability does not manifest unless
WU-FTPD is configured to use RFC 931 authentication and is run in
debug mode.
This vulnerability has been assigned the identifier
CAN-2001-0187 by the Common Vulnerabilities and Exposures (CVE)
group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0187
II. Impact
Both of these vulnerabilities can be exploited remotely by any
user with access to the FTP service, including anonymous
access. Both vulnerabilities allow an intruder to execute
arbitrary code with the privileges of WU-FTPD, typically
root. An exploit attempt that does not succeed in executing code
may crash WU-FTPD or end the connection used by the intruder.
For additional information about the impacts of each of
these vulnerabilities, please consult the CERT Vulnerability
Notes Database (http://www.kb.cert.org/vuls).
III. Solution
Apply patches from your vendor
Appendix A contains information for this advisory provided by
vendors. As they report new information to the CERT/CC, we
will update this section and note the changes in our revision
history. If a particular vendor is not listed below, we have
not received their comments. Please contact your vendor directly.
Restrict access to WU-FTPD
As a general practice, the CERT/CC recommends disabling services
and access that are not explicitly required. You may wish to
disable WU-FTPD until you are able to apply a patch.
If you cannot disable the service, you can limit your exposure to
these vulnerabilities by blocking or restricting access to the control
channel (by default, port 21/tcp) used by WU-FTPD. Note that the
format string vulnerability (VU#639760) is not delivered by inbound
traffic to port 21: WU-FTPD itself connects to port 113/tcp on the
client, and the exploit arrives in the client's reply on that
connection. A client that is permitted to reach the FTP service can
therefore still deliver it, so for that issue the effective workaround
is to stop running WU-FTPD with RFC 931 authentication in debug
mode. Also note that blocking access from untrusted networks such as
the Internet does not protect your systems against attacks from
within your network.
Disable anonymous FTP access
Although disabling anonymous FTP access does not prevent attacks
from occurring, it does prevent unauthenticated users from
attempting to exploit the globbing vulnerability (VU#886083).
Appendix A. Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments. Note that this advisory discusses two distinct
vulnerabilities, and vendor statements may address one or both.
Caldera
Caldera has released Security Advisory CSSA-2001-041.0:
http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt
Cray
Cray, Inc. is not vulnerable since the ftp supplied with UNICOS
and UNICOS/mk is not based on the Washington University
version. Cray did check their ftp code and does not see this
exploit.
Debian
Debian addressed VU#639760 with Debian Security Advisory
DSA-016 in January 2001:
http://www.debian.org/security/2001/dsa-016
Hewlett-Packard Company
HP's HP-UX is immune to this issue. It was fixed in conjunction
with the last "globbing" issue announced in CERT Advisory
CA-2001-07, released April 10, 2001. The lab did a complete
check/scan of the globbing software, and fixed this issue then as
well. Customers should apply the patches listed in HP Security
Bulletin #162 released July 19, 2001:
HPSBUX0107-162 Security Vulnerability in ftpd and ftp
Hewlett-Packard Security Bulletins are available at the IT
Resource Center web site (registration required):
http://www.itresourcecenter.hp.com/
IBM Corporation
IBM's AIX operating system does not use WU-FTPD, hence is
not vulnerable to the exploit described by CORE ST.
Immunix
Immunix has released Security Advisory IMNX-2001-70-036-01:
http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-036-01
OpenBSD
OpenBSD does not use WU-FTPD.
RedHat Inc.
RedHat has released Errata Advisory RHSA-2001-147:
http://www.redhat.com/support/errata/RHSA-2001-147.html
SGI
SGI does not ship IRIX with wu-ftpd, so IRIX is not
vulnerable to these issues.
SuSE
SuSE has released SuSE Security Announcement SuSE-SA:2001:043.
WU-FTPD
The WU-FTPD Development Group has provided source code patches that
address both of these issues.
* VU#886083:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/ftpglob.patch
* VU#639760:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch
_________________________________________________________________
The CERT Coordination Center thanks CORE Security Technologies and the
WU-FTPD Development Group for their help.
_________________________________________________________________
Author: Art Manion
_________________________________________________________________
References
* http://www.kb.cert.org/vuls/id/886083
* http://www.kb.cert.org/vuls/id/639760
* http://www.kb.cert.org/vuls
* http://www.ietf.org/rfc/rfc931.txt
* http://www.ietf.org/rfc/rfc1413.txt
* http://www.ietf.org/rfc/rfc959.txt
* http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=10&idx=172
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2001-33.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for
more information.
Getting security information
CERT publications and other security information are available
from our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and
bulletins, send email to majordomo@cert.org. Please include in
the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the
U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
Revision History
November 29, 2001: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPAbHnaCVPMXQI2HJAQHA3wQAxL4GR+SowiE0IMczh+V7ENB5n2fo/1Yc
zmI69F4rkOqQQXflsUrVcpPgDkKH2UIrlxREShj/gDqG+gcpyKig2OiqvzlOyb3e
qdDScjFer80EhGlzgTKOoQE0L0RNU5tTD86jfxr8oATY+wjcLYm4Sos+HrnW78CZ
UeM2P0vy/Oo=
=oAMd
-----END PGP SIGNATURE-----
(7597991) /CERT Advisory <cert-advisory@cert.org>/(Reflowed)