5261233 2000-07-08 01:30 /403 lines/ Postmaster
Recipient: Bugtraq (import) <11648>
Subject: CERT Advisory CA-2000-1, wu-ftpd 2.6.0
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <20000707154921.A29342@underground.org>
Date: Fri, 7 Jul 2000 15:49:21 -0700
Reply-To: Aleph One <aleph1@UNDERGROUND.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
CERT Advisory CA-2000-13 Two Input Validation Problems In FTPD
Original release date: July 7, 2000
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Any system running wu-ftpd 2.6.0 or earlier
* Any system running ftpd derived from wu-ftpd 2.0 or later
* Some systems running ftpd derived from BSD ftpd 5.51 or BSD ftpd
5.60 (the final BSD release)
Overview
A vulnerability involving an input validation error in the "site
exec" command has recently been identified in the Washington
University ftpd (wu-ftpd) software package. Sites running affected
systems are advised to update their wu-ftpd software as soon as
possible.
A similar but distinct vulnerability has also been identified that
involves a missing format string in several setproctitle()
calls. It affects a broader number of ftp daemons. Please see
Appendix A of this document for specific information about the
status of specific ftpd implementations and solutions.
I. Description
"Site exec" Vulnerability
A vulnerability has been identified in wu-ftpd and other ftp
daemons based on the wu-ftpd source code. Wu-ftpd is a common
package used to provide file transfer protocol (ftp)
services. This vulnerability is being discussed as the wu-ftpd
"site exec" or "lreply" vulnerability in various public
forums. Incidents involving the exploitation of this
vulnerability, which enables remote users to gain root
privileges, have been reported to the CERT Coordination Center.
The problem is described in AUSCERT Advisory AA-2000.02, "wu-ftpd
'site exec' Vulnerability," which is available from
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02
The wu-ftpd "site exec" vulnerability is the result of a missing
character-formatting argument in several function calls that
implement the "site exec" command functionality. Normally if "site
exec" is enabled, a user logged into an ftp server (including the
'ftp' or 'anonymous' user) may execute a restricted subset of
quoted commands on the server itself. However, if a malicious user
can pass character format strings consisting of carefully
constructed *printf() conversion characters (%f, %p, %n, etc.)
while executing a "site exec" command, the ftp daemon may be
tricked into executing arbitrary code as root.
The "site exec" vulnerability appears to have been in the wu-ftpd
code since the original wu-ftpd 2.0 came out in 1993. Any vendors
who have based their own ftpd distributions on this vulnerable
code are also likely to be vulnerable.
The vulnerability appears to be exploitable if a local user
account can be used for ftp login. Also, if the "site exec"
command functionality is enabled, then anonymous ftp login allows
sufficient access for an attack.
setproctitle() Vulnerability
A separate vulnerability involving a missing character-formatting
argument in setproctitle(), a call which sets the string used to
display process identifier information, is also present in wu-ftpd.
Other ftpd implementations have been found to have vulnerable
setproctitle() calls as well, including those from proftpd and
OpenBSD.
The setproctitle() vulnerability appears to have been present in
various ftpd implementations since at least BSD ftpd 5.51 (which
predates wuarchive-ftpd 1.0). It has also been confirmed to be
present in BSD ftpd 5.60 (the final BSD release). Any vendors who
have based their own ftpd distributions on this vulnerable code
are also likely to be vulnerable.
It should be noted that many operating systems do not support
setproctitle() calls. However, other software engineering defects
involving the same type of missing character-formatting argument
may be present.
Intruder Activity
One possible indication you are being attacked with either of
these vulnerabilities may be the appearance of syslog entries
similar to the following:
Jul 4 17:43:25 victim ftpd[3408]: USER ftp
Jul 4 17:43:25 victim ftpd[3408]: PASS [malicious shellcode]
Jul 4 17:43:26 victim ftpd[3408]: ANONYMOUS FTP LOGIN FROM
attacker.example.com [10.29.23.19], [malicious shellcode]
Jul 4 17:43:28 victim-site ftpd[3408]: SITE EXEC (lines: 0):
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%
.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%
.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%c%c%c%.f|%p
Jul 4 17:43:28 victim ftpd[3408]: FTP session closed
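The defect class described in section I (a client-supplied string reaching lreply()/setproctitle() as the format argument) and the syslog indicators above, as an added C example that is neither wu-ftpd code nor part of this advisory: a printf-style reply writer in its hardened form, and a check a log monitor could run over ftpd syslog entries. The function names, the sample log line and the alert threshold are assumptions; the compile-time check relies on the gcc/clang format attribute.

```c
/* Added example, not wu-ftpd code: the missing-format-argument defect class from
 * CA-2000-13 beside its hardened form, plus a syslog check. Names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* printf-style reply writer; with this attribute, gcc/clang -Wformat-security
 * warns if a non-literal format string is ever passed. */
__attribute__((format(printf, 4, 5)))
static int reply_fmt(char *out, size_t outsz, int code, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outsz, "%d-", code);
    if (n < 0 || (size_t)n >= outsz) return -1;
    va_start(ap, fmt);
    n = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    return n;
}

/* The defect: lreply(code, user_text) and setproctitle(user_text) let client
 * text act as the format string. Hardened: the text is a "%s" argument. */
static int reply_safe(char *out, size_t outsz, int code, const char *user_text)
{
    return reply_fmt(out, outsz, code, "%s", user_text);
}

/* Count conversion directives in s; "%%" is a literal percent sign. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++)
        if (*s == '%') { if (s[1] == '%') s++; else count++; }
    return count;
}

/* Detection: flag an ftpd syslog line whose SITE EXEC or PASS argument holds
 * at least `threshold` directives; legitimate commands carry none or few. */
static int suspicious_ftpd_line(const char *line, int threshold)
{
    const char *arg = strstr(line, "SITE EXEC");
    if (!arg) arg = strstr(line, "PASS ");
    return arg != NULL && count_directives(arg) >= threshold;
}

int main(void)
{   /* constructed line in the shape of the advisory's syslog sample */
    const char *log = "Jul 4 17:43:28 victim ftpd[3408]: SITE EXEC (lines: 0): %.f%.f%c%c|%p";
    printf("%s\n", suspicious_ftpd_line(log, 4) ? "ALERT: format directives in SITE EXEC" : "ok");
    return 0;
}
```

Compiling with -Wformat -Wformat-security shows the warning that a call of the shape reply_fmt(out, sz, 200, user_text) would produce, which is the audit check for the pattern this advisory describes.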
Details and exploits for both the "site exec" and setproctitle()
vulnerabilities have been posted in various public forums. Please
see
http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1387
http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1438
http://ciac.llnl.gov/ciac/bulletins/k-054.shtml
The CERT/CC has received reports of both of these vulnerabilities
being successfully exploited on the Internet. Please check our
Current Activity page for updates regarding intruder activity
involving these vulnerabilities.
II. Impact
By exploiting either of these input validation problems, local or
remote users logged into the ftp daemon may be able to execute
arbitrary code as root. An anonymous ftp user may also be able to
execute arbitrary code as root.
III. Solution
Upgrade your version of ftpd
Please see Appendix A of this advisory for more information about
the availability of updated ftpd packages specific for your system.
Apply a patch from your vendor
If you are running vulnerable ftpd implementations and cannot
upgrade, you need to apply the appropriate vendor patches and
recompile and/or reinstall the ftpd server software.
Appendix A contains information provided by vendors for this
advisory. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did
not hear from that vendor. Please contact your vendor directly.
Disable ftp services
If neither an upgrade nor a patch can be applied, the CERT/CC
recommends disabling all vulnerable wu-ftpd and proftpd
servers. While disabling "site exec" command functionality or
anonymous ftp access minimizes exposure to the "site exec"
vulnerability, neither is a complete solution, and neither
necessarily mitigates the risks involved with exposure to the
setproctitle() vulnerability.
Appendix A. Vendor Information
BSDI
Current versions of BSD/OS do not include any version of
wu-ftpd. The BSDI ftpd is not vulnerable to the reported problems;
it is not based on the wu-ftpd code.
The version of ftpd in modern versions of BSD/OS is not vulnerable
to the generic setproctitle() vulnerabilities.
Caldera Systems, Inc
Please see CSSA-2000-020.0 regarding the wu-ftpd issue and
OpenLinux:
ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt
Copyright © 2000 Caldera Systems, Inc.
Conectiva S.A.
Please see:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623212826.A13925@conectiva.com.br
Debian GNU/Linux
Please see the following regarding the wu-ftpd "site exec" issue:
http://www.debian.org/security/2000/20000623
Copyright © 1997-2000 SPI
FreeBSD, Inc.
Please see FreeBSD-SA-00:29, Security Advisory for wu-ftpd in the
ports collection, for complete information. In part it states:
The wu-ftpd port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection,
which contains over 3400 third-party applications in a
ready-to-install format. The ports collections shipped with
FreeBSD 3.5 and 4.0 contain this problem since it was
discovered after the release. FreeBSD makes no claim about the
security of these third-party applications, although an effort
is underway to provide a security audit of the most
security-critical ports.
[With respect to setproctitle()] it turns out that FreeBSD fixed
this bug in the system ftpd back in 1996, so it is not present in
all versions of FreeBSD since 2.2.0.
We also ship optional third-party ftpds in the ports collection:
we had patched wu-ftpd and believed it to be fixed (it was the
subject of advisory SA-00:29), but in light of the other recent
email from CERT, we will re-check to make sure all of the
vulnerabilities were patched. Proftpd is also currently
vulnerable but [has been patched]. Other third-party ftpds may or
may not be vulnerable at this time (we advise users to install
ports at their own risk), and we will release security advisories
as they are discovered and fixed.
Hewlett-Packard Company
HP is vulnerable, patches in process, watch for the HP security
bulletin to be issued.
MandrakeSoft Inc.
Please see the MANDRAKE 7.1 update section for wu-ftpd information
at:
http://www.linux-mandrake.com/en/fupdates.php3
Microsoft Corporation
The IIS FTP service is not affected by these issues.
MIT Kerberos Development Team
It seems that the MIT Kerberos ftpd is based on BSD ftpd revision
5.40, and has never contained any serious format string related
bugs for some reason. It is possible that by defining an
undocumented CPP macro SETPROCTITLE, calls to setproctitle() can
be made, however, there is an internally declared setproctitle()
function that does not take a format string as its argument, and
is hence not vulnerable.
ProFTPD Project
Upgrade to ProFTPD 1.2.0
Please see the discussion concerning setproctitle() at
http://www.proftpd.org/proftpd-l-archive/00-07/msg00059.html
http://www.proftpd.org/proftpd-l-archive/00-07/msg00060.html
http://bugs.proftpd.net/show_bug.cgi?id=121
http://www.proftpd.net/security.html
OpenBSD
The setproctitle bug is in OpenBSD. Please see:
http://www.openbsd.org/errata.html#ftpd
Redhat
Please see RHSA-2000-039-02 regarding the wu-ftpd issue:
http://www.redhat.com/support/errata/RHSA-2000-039-02.html
Copyright © 2000 Red Hat, Inc. All rights reserved.
Slackware Linux Project
Please see the patches made available regarding the wu-ftpd issue,
at:
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/wu-ftpd-patch.README
Sun Microsystems
[...] Our engineering team and they do not feel that Solaris is
vulnerable.
SuSE Ltd.
Please see SuSE Security Announcement #53 regarding the wu-ftpd
issue, at:
http://www.suse.de/de/support/security/suse_security_announce_53.txt
WU-FTPD Development Group
The WU-FTPD Development Group's primary distribution site is
mirrored world-wide. A list of mirrors is available from:
http://www.wu-ftpd.org/mirrors.txt
If possible, please use a mirror to obtain patches or the latest
version.
Upgrade your version of wu-ftpd
The latest release of wu-ftpd, version 2.6.1, has been released to
address these and several other security issues:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc
Apply a patch
The wu-ftpd developers have published the following patch for
wu-ftpd 2.6.0:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch
_________________________________________________________________
The CERT Coordination Center thanks Gregory Lundberg and Theo de
Raadt for their help in developing this advisory.
_________________________________________________________________
Author: Jeffrey S. Havrilla
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2000-13.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University
and the Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of
any kind with respect to freedom from patent, trademark, or
copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University
Revision History
July 7, 2000: Initial release