-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-1999.01                        AUSCERT Advisory
                  wu-ftpd/BeroFTPD MAPPING_CHDIR Vulnerability

                                27 August 1999

Last Revised: --

- ---------------------------------------------------------------------------

AusCERT has received information that there is a vulnerability in some
versions of wu-ftpd and its derivatives which run on various platforms.

This vulnerability may allow local, remote and anonymous users to gain
root privileges.

Information about this vulnerability has been made publicly available.

AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1.  Description

   The wu-ftpd program provides file transfer protocol (FTP) services.

   Due to insufficient bounds checking on directory name lengths which
   can be supplied by users, it is possible to overwrite the static memory
   space of the wu-ftpd daemon while it is executing under certain
   configurations.  By having the ability to create directories and
   supplying carefully designed directory names to wu-ftpd, users may
   gain privileged access.  This exploit utilises the MAPPING_CHDIR
   feature in vulnerable ftp daemons.  This is a new vulnerability unlike
   the ftpd buffer overflows described in CERT Advisory CA-99-03 "FTP
   Buffer Overflows" (reissued as AusCERT ESB-1999.020).

   Sites can determine if this program is installed by using:

      % ftp hostname

   and examining the output of the ftp login banner.

   If no version information appears on the login banner, or to verify
   this information, log into the ftp server as normal then issue the
   following command:

     ftp> quote stat

   All affected versions of the wu-ftpd daemon allow control over the
   information revealed in the initial login banner; however, they all
   return their version number in response to the ftp server stat command
   shown above.

2.  Impact

   This vulnerability may allow local, remote and anonymous users to gain
   root privileges.

3.  Workarounds/Solution

   AusCERT recommends that sites prevent the exploitation of the
   vulnerability in wu-ftpd by immediately upgrading and applying
   available patches as described in Section 3.2.  Versions known to be
   vulnerable are listed in Section 3.1.

   If no patch is available for other derivatives of wu-ftpd, AusCERT
   recommends modifying existing source to disable the MAPPING_CHDIR
   feature as described in Section 3.4.

   If the functionality provided by wu-ftpd is not required at all, it
   is recommended that sites disable it on their systems.

3.1 Status of variants and versions of wu-ftpd likely to be affected.

   This vulnerability is known to be present on the following ftpd
   implementations:

   wu-ftpd:
     Versions affected:

       wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
       wu-ftpd-2.4.2-vr16 through wu-ftpd-2.4.2-vr17
       wu-ftpd-2.5.0
       (See Section 3.2)

     Versions not affected:
       wu-ftpd-2.4.2 (final, from Academ) and all WU versions

       Please note: ALL versions of WU-FTPD prior to
       wu-ftpd-2.4.2-beta-18-vr10 including all WU versions, and all
       Academ 2.4.1 and 2.4.2 betas, are subject to the remote root
       compromise vulnerability described in CERT Advisory CA-99-03 "FTP
       Buffer Overflows" at
        http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
       (See Section 3.2)

   BeroFTPD:
     Versions affected: All present versions.
                        No vendor patch currently available.
       (For a workaround see Section 3.4)

       The patch listed in Section 3.2 can be applied to the latest
       version (1.3.4) of BeroFTPD after minor modification to account
       for different line numbers.  The latest version of BeroFTPD is
       available from:

         ftp://ftp.beroftpd.unix.eu.org/pub/BeroFTPD/

   RedHat:
     Versions affected: All present versions.
                        Vendor patch is available.
       (See Section 3.3)

   NcFTPd:
     Versions affected: None.
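
   The banner and "quote stat" checks in Section 1 give you a version
   string; the list above says what it means.  The following POSIX shell
   script is an added example (not part of this advisory and not wu-ftpd's
   own code) that pulls the version token out of a saved banner or stat
   response and classifies it against the Section 3.1 list for this
   advisory only.  The sample responses are constructed for the example:
   the "Version wu-..." wording follows the usual wu-ftpd format, but the
   host names, dates and exact version spellings are made up, so treat the
   extraction pattern as an assumption to check against your own server's
   output.

```shell
#!/bin/sh
# Added example, not part of the AusCERT advisory: classify a wu-ftpd
# version string (from the login banner or a "quote stat" response)
# against the MAPPING_CHDIR status list in Section 3.1.

# Constructed sample responses (host names, dates and version spellings
# are made up for this example).
SAMPLE_STAT_250='211-ftp.example.test FTP server status:
     Version wu-2.5.0(1) Tue Aug 24 12:00:00 EST 1999
     Connected to client.example.test
211 End of status'
SAMPLE_BANNER_VR17='220 ftp.example.test FTP server (Version wu-2.4.2-VR17(1) Mon Jul 5 12:00:00 EST 1999) ready.'
SAMPLE_BANNER_FINAL='220 ftp.example.test FTP server (Version wu-2.4.2(1) Mon Jul 5 12:00:00 EST 1999) ready.'

# Extract the version token that follows "wu-" (up to the first space or
# "(") and lower-case it so "VR17" and "vr17" compare equal.
wuftpd_version() {
  printf '%s\n' "$1" |
    sed -n 's/.*[Vv]ersion wu-\([^ (]*\).*/\1/p' |
    head -n 1 |
    tr 'A-Z' 'a-z'
}

# Map a version token onto the Section 3.1 list for this advisory only.
# Prints one of: affected, not-affected, not-listed, unknown.
# Note that Section 3.1 separately flags everything before vr10 (and all
# WU/Academ betas) for the CA-99-03 buffer overflows; that is not
# classified here.
mapping_chdir_status() {
  v=$(wuftpd_version "$1")
  case "$v" in
    '')                       echo unknown ;;       # no wu-ftpd version string seen
    2.5.0)                    echo affected ;;
    2.4.2-beta-18-vr[4-9])    echo affected ;;      # vr4 .. vr9
    2.4.2-beta-18-vr1[0-5])   echo affected ;;      # vr10 .. vr15
    2.4.2-vr1[67])            echo affected ;;      # vr16, vr17
    2.4.2)                    echo not-affected ;;  # final 2.4.2 from Academ
    2.4|2.4.1)                echo not-affected ;;  # original WU releases
    *)                        echo not-listed ;;    # not in Section 3.1; check your vendor (e.g. Section 3.3)
  esac
}

# Demonstration over the constructed samples.
for r in "$SAMPLE_STAT_250" "$SAMPLE_BANNER_VR17" "$SAMPLE_BANNER_FINAL"; do
  printf '%-20s %s\n' "$(wuftpd_version "$r")" "$(mapping_chdir_status "$r")"
done
```

   A "not-listed" result is not a clean bill of health: vendor builds
   (Section 3.3) and BeroFTPD (Section 3.1) carry their own version
   strings, and the config.h check in Section 3.4 is the authoritative
   test for a source build.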

3.2 Upgrade to latest wu-ftpd and apply patch.

   A patch to remove this vulnerability from the 2.5.0 release of wu-ftpd
   has been made available by the WU-FTPD Development Group. Sites should
   upgrade to the latest version of wu-ftpd (2.5.0) and apply this patch.

   The 2.5.0 release of wu-ftpd is available from:

     ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

   The security patch that needs to be applied to wu-ftpd 2.5.0 is available
   from:

     ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/mapped.path.overrun.patch

3.3 Upgrade to latest wu-ftpd RPM.

   Red Hat have released updated versions of wu-ftpd which address this
   vulnerability. More information (including RPMs) can be found at:

   Red Hat Linux 6.0:

     http://www.redhat.com/corp/support/errata/RHSA1999031_01.html

   Red Hat Linux 5.x:

    http://www.redhat.com/corp/support/errata/rh52-errata-general.html#wu-ftpd

   Red Hat Linux 4.x:

    http://www.redhat.com/corp/support/errata/rh42-errata-general.html#wu-ftpd

   The RPMs they have made available contain all of the patches mentioned in
   sections 3.2 and 4.2.

3.4 Disable MAPPING_CHDIR feature and recompile existing source.

   The feature causing this problem can be disabled at compile time in
   all affected versions of the daemon:

   o Locate the following text in config.h:

   /*
    * MAPPING_CHDIR
    * Keep track of the path the user has chdir'd into and respond with
    * that to pwd commands.  This is to avoid having the absolue disk
    * path returned.  This helps avoid returning dirs like '.1/fred'
    * when lots of disks make up the ftp area.
    */

   o If this text is not present, your version of the daemon is NOT
     vulnerable.

   o Change the following line from:

       #define MAPPING_CHDIR

     to

       #undef MAPPING_CHDIR

   o Rebuild and install the new ftpd executable.
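
   The steps above amount to: find the define, switch it to #undef, rebuild.
   The following POSIX shell script is an added example (not part of this
   advisory and not wu-ftpd's or BeroFTPD's own code) that does the first
   two steps mechanically and reports the state of config.h before and
   after, so the change can be verified rather than assumed.  The config.h
   it writes is a constructed fragment for the example; on a real tree you
   would point the functions at the daemon's own config.h and then run the
   rebuild yourself.

```shell
#!/bin/sh
# Added example, not part of the AusCERT advisory or the wu-ftpd sources:
# check whether a wu-ftpd/BeroFTPD config.h enables MAPPING_CHDIR and, if
# so, flip the #define to #undef as Section 3.4 describes.
set -u

# Write a constructed config.h fragment so the example runs offline; the
# comment mirrors the block the advisory tells you to locate.
make_sample_config() {
  cat > "$1" <<'EOF'
/*
 * MAPPING_CHDIR
 * Keep track of the path the user has chdir'd into and respond with
 * that to pwd commands.
 */
#define MAPPING_CHDIR

#define OTHER_FEATURE
EOF
}

# Prints "defined" if an active "#define MAPPING_CHDIR" line is present,
# "undefined" if it has already been switched to #undef, or "absent" if
# config.h has no #define/#undef line for it at all (per Section 3.4, a
# daemon whose config.h lacks the feature is not vulnerable to this issue).
mapping_chdir_state() {
  if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+MAPPING_CHDIR([[:space:]]|$)' "$1"; then
    echo defined
  elif grep -Eq '^[[:space:]]*#[[:space:]]*undef[[:space:]]+MAPPING_CHDIR([[:space:]]|$)' "$1"; then
    echo undefined
  else
    echo absent
  fi
}

# Rewrite "#define MAPPING_CHDIR" to "#undef MAPPING_CHDIR", keeping the
# original as config.h.orig, then print the resulting state.  Only the
# exact macro name is touched; trailing comments on the line are kept.
disable_mapping_chdir() {
  cp "$1" "$1.orig" &&
  sed -E 's/^([[:space:]]*#[[:space:]]*)define([[:space:]]+MAPPING_CHDIR)([[:space:]].*)?$/\1undef\2\3/' \
    "$1.orig" > "$1" &&
  mapping_chdir_state "$1"
}

# Demonstration on the constructed fragment in a scratch directory.
dir=$(mktemp -d)
make_sample_config "$dir/config.h"
echo "before: $(mapping_chdir_state "$dir/config.h")"
echo "after:  $(disable_mapping_chdir "$dir/config.h")"
grep -n 'MAPPING_CHDIR' "$dir/config.h"
rm -rf "$dir"
```

   After the state reads "undefined", the rebuild and install step still has
   to be done by hand; re-running the Section 1 "quote stat" check against
   the new daemon confirms which binary is actually serving.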

4.  Additional measures

4.1 Disable/Limit writable ftp incoming areas.

   Public writable areas have been a common source of abuse on ftp
   servers.  To limit exposure to similar incidents, sites should review
   and modify their configuration to remove or limit any upload areas.
   This may provide little or no protection against non-anonymous
   accounts.  Caution needs to be taken as this is a complex configuration
   issue.

   For the correct procedures on how to configure upload areas on wu-ftpd
   based implementations, please refer to:

     ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO

4.2 Apply additional patches to wu-ftpd.

   Other important patches for wu-ftpd 2.5.0 which may affect your site's
   security configuration can be found at:

     ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/

   The WU-FTPD Development Group recommends all available patches be
   applied.

   After applying the above patches, rebuild and install the new ftpd
   executable.

- ---------------------------------------------------------------------------
AusCERT thanks Gregory A Lundberg of the WU-FTPD Development Group and
Michal Zalewski for the original report and assistance in the preparation
of this advisory.
- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: [email protected]
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
               AusCERT personnel answer during Queensland business hours
               which are GMT+10:00 (AEST).
               On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOAydxyh9+71yA2DNAQHNBwP+Lpi96cZp32OLBKA1/vU9WwhU+BTBvyLe
h4GXH0d/859Yy5/++vIStvyNtDl4FfXQdIjmZsPmrofw52MAxI3eS1PD6ixztSdW
VxZ6deVV6YHL3ETmiv2/hvPNAT0NdHV03OCC0bevo4ltTCECvmcnXPe+CvN2ins8
gzAIRKP1St0=
=5UNJ
-----END PGP SIGNATURE-----