-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-1999.02                     AUSCERT Advisory
             Multiple Vulnerabilities in wu-ftpd based daemons
                              19 October 1999

Last Revised: --

- ---------------------------------------------------------------------------

AusCERT has received information that there are vulnerabilities in all
versions of wu-ftpd (prior to 2.6.0) and its derivatives which run on
various platforms.

These vulnerabilities may allow local, remote and anonymous users to gain
root privileges or degrade system performance.

AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1.  Description

   The wu-ftpd program provides file transfer protocol (FTP) services.

   A user may gain privileged access by exploiting a buffer overrun in
   a wu-ftpd daemon which has insufficient bounds checking on expansions
   in message files. This vulnerability may be exploited by creating
   a maliciously crafted message file or by manipulating remotely
   supplied information that is expanded into an existing message file.

   A separate buffer overrun vulnerability is exploitable in the
   'ftpshut' program if it is set with suid-root privilege. This can be
   leveraged by local users to gain root.
   (Please note wu-ftpd does not install 'ftpshut' suid-root by default.)

   Due to inadequate pathname filtering, a user may exploit a resource
   starvation Denial of Service (DoS) vulnerability by issuing a number
   of specific directory listing requests.

   These are new vulnerabilities unlike the ftpd vulnerabilities described
   in AusCERT Advisory AA-1999.01 "wu-ftpd/BeroFTPD MAPPING_CHDIR
   Vulnerability" and CERT Advisory CA-99-03 "FTP Buffer Overflows"
   (reissued as AusCERT ESB-1999.020).

   Sites can determine if this program is installed by using:

      % ftp hostname

   and examining the output of the ftp login banner.

   If no version information appears on the login banner, or to verify
   this information, log into the ftp server as normal then issue the
   following command:

     ftp> quote stat

   Some affected versions of the wu-ftpd daemon allow control over the
   information revealed in the initial login banner; however, they all
   return their version number in response to the ftp server STAT command
   shown above.
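
   The two checks above (login banner, then 'quote stat') can be scripted
   for a site-wide inventory.  The following is an added example, not part
   of the original advisory: it parses the version string out of banner or
   STAT text, classifies it against the 2.6.0 fix boundary (and treats any
   BeroFTPD as affected, per Section 3.1), and optionally performs the live
   check over a socket.  The sample replies and the anonymous login
   credentials are constructed assumptions, not captured from a real host.

```python
import re
import socket

# Constructed sample replies (not captured from any real host): a login banner
# and a reply to "quote stat" in the shape wu-ftpd derivatives produce.
SAMPLE_BANNER = ("220 ftp.example.com FTP server (Version wu-2.4.2-academ[BETA-18](1) "
                 "Tue Jul 7 09:29:12 CDT 1998) ready.\r\n")
SAMPLE_STAT = ("211-ftp.example.com FTP server status:\r\n"
               "     Version wu-2.6.0(1) Thu Oct 14 13:10:00 CDT 1999\r\n"
               "     Connected to client.example.net\r\n"
               "211 End of status\r\n")

FIXED = (2, 6, 0)  # first wu-ftpd release the advisory lists as fixed
# Third component is optional so two-part strings such as "wu-2.4(1)" still parse.
VERSION_RE = re.compile(r"wu-(\d+)\.(\d+)(?:\.(\d+))?")

def wu_version(text):
    """Return the wu-ftpd version tuple found in banner/STAT text, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def is_vulnerable(text):
    """True if the text identifies wu-ftpd before 2.6.0 or any BeroFTPD;
    False if 2.6.0 or later; None if no version could be identified."""
    if "BeroFTPD" in text:        # Section 3.1: all present BeroFTPD versions
        return True
    v = wu_version(text)
    return None if v is None else v < FIXED

def read_reply(f):
    """Read one FTP reply; 'NNN-' opens a multi-line reply closed by 'NNN '."""
    first = f.readline().decode("latin-1")
    lines, code = [first], first[:3]
    while len(first) > 3 and first[3] == "-" and not lines[-1].startswith(code + " "):
        line = f.readline().decode("latin-1")
        if not line:              # connection closed mid-reply
            break
        lines.append(line)
    return "".join(lines)

def check_host(host, port=21, user="anonymous", password="ftp@", timeout=10):
    """Connect, log in, issue STAT (the advisory's 'quote stat') and classify.
    Returns (raw_text, is_vulnerable_result). Credentials are assumptions."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        text = read_reply(f)                       # login banner
        for cmd in (f"USER {user}", f"PASS {password}", "STAT", "QUIT"):
            s.sendall((cmd + "\r\n").encode("ascii"))
            text += read_reply(f)
    return text, is_vulnerable(text)
```

   A result of None means no version could be identified from the replies and
   the host should be inspected by hand.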

2.  Impact

   These vulnerabilities may allow local, remote and anonymous users to
   gain root privileges or degrade system performance.

3.  Solution

   AusCERT recommends that sites prevent the exploitation of these
   vulnerabilities in wu-ftpd by immediately upgrading as described in
   Section 3.2.  Versions known to be vulnerable are listed in Section 3.1.

   If no patch or upgrade is available for other derivatives of wu-ftpd,
   AusCERT recommends sites move to the wu-ftpd distribution as described
   in Section 3.2.

   If the functionality provided by wu-ftpd is not required at all, it
   is recommended that sites disable it on their systems.

3.1 Status of variants and versions of wu-ftpd likely to be affected.

   These vulnerabilities are known to be present in the following
   ftpd implementations:

   wu-ftpd:
     Versions affected: All versions prior to wu-ftpd-2.6.0
                        Including all derivative versions from
                         wustl.edu, academ.com, vr.net and wu-ftpd.org.
       (See Section 3.2)

   BeroFTPD:
     Versions affected: All present versions.
                        No vendor patch will be available.
                        BeroFTPD and wu-ftpd have been merged as of
                         wu-ftpd 2.6.0.
       (See Section 3.2)

   RedHat:
     Versions affected: All present versions.
                        No patch is currently available.
       (See Section 3.3)

3.2 Upgrade to latest wu-ftpd.

   These vulnerabilities have been fixed in the 2.6.0 release of wu-ftpd
   which has been made available by the WU-FTPD Development Group.  Sites
   should upgrade to the latest version of wu-ftpd (2.6.0).

   The 2.6.0 release of wu-ftpd is available from:

     ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

   or

     ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/wu-ftpd/

   wu-ftpd is also available from mirror sites listed in:

     ftp://ftp.wu-ftpd.org/pub/wu-ftpd/README-MIRRORS

   IMPORTANT NOTE:  The 2.6.0 version has been corrected to increase
   its conformance to the RFC standards for FTP.  However, as a result,
   some FTP clients which are not completely RFC compliant may cease to
   inter-operate correctly with wu-ftpd 2.6.0 servers.

   It is believed that the W3C libwww ftp implementation is
   non-conforming.  This affects Lynx, CERN, Squid and Midnight Commander.
   The effect of a non-conforming client is a hanging transfer (usually
   when obtaining a directory listing).

   Squid, however, appears to recover and may hide the failure from the
   FTP user and the FTP site administrator; the Squid administrator may
   see a large number of errors in their logs.

   In addition, the popular ftp mirroring program 'mirror' written by
   Lee McLoughlin is also affected.  Versions up to and including the
   current version (2.9) will not work correctly with wu-ftpd 2.6.0
   servers.  Users of the mirror program version 2.9 can apply the following
   patch to mirror to make it compatible with wu-ftpd 2.6.0 servers:

     ftp://ftp.wu-ftpd.org/pub/support/wu-ftpd-2.6.0-mirror-2.9.patch
     ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/support/wu-ftpd-2.6.0-mirror-2.9.patch

   Users of mirror prior to version 2.9 should install the 2.9 release
   and apply the above mentioned patch.  The 2.9 version is available
   from:

     ftp://ftp.wu-ftpd.org/pub/support/mirror-2.9.tar.gz
     ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/support/mirror-2.9.tar.gz

   As a temporary measure, sites can keep the old (non-conforming)
   functionality of previous ftpd versions by enabling the following
   option during compilation of wu-ftpd 2.6.0:

     o Using GNU autoconf (not available on all platforms):

       Reconfigure adding the --enable-badclients option, make clean and
       make as normal.

     o Using old-style 'build' command:

       Edit config.h.noac, change
           #undef SUPPORT_BROKEN_CLIENTS
       to
           #define SUPPORT_BROKEN_CLIENTS

       Clear any previous build results (build clean) then recompile for
       your platform as normal.

   This option will not be supported in future releases of wu-ftpd.

3.3 Upgrade to latest wu-ftpd RPM when available.

   AusCERT expects that Red Hat will shortly release updated versions of
   wu-ftpd which address this advisory.  Until then sites may wish to
   install wu-ftpd 2.6.0 as described in Section 3.2.

4.  Additional measures

4.1 Disable/Limit writable ftp incoming areas.

   Public writable areas have been a common source of abuse on ftp
   servers.  To limit exposure to similar incidents, sites should review
   and modify their configuration to remove or limit any upload areas.
   This may provide little or no protection against non-anonymous
   accounts.  Caution needs to be taken as this is a complex configuration
   issue.

   For the correct procedures on how to configure upload areas on wu-ftpd
   based implementations, please refer to:

     ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO

- ---------------------------------------------------------------------------
AusCERT thanks Gregory A Lundberg of the WU-FTPD Development Group for the
original report and assistance in the preparation of this advisory.
- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: [email protected]
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
               AusCERT personnel answer during Queensland business hours
               which are GMT+10:00 (AEST).
               On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOAyYbih9+71yA2DNAQGsMQP/ef4ZyF0U54gMUr6FPel1W7ffMR5WSPo2
5XyW4lQpUeTJMQiD4Cl8+B50ZSkVwVJ52C4IsAbkDd3CpOLXQZ/SGCrc4u4QHBCn
mQCxLDJbJ4Dhlr+0bfH17ZofhP6Q/qemYxHwoLy0Imt8XtigrwG+z+9FeVl7q2an
VKm1CvWqQDE=
=sp0T
-----END PGP SIGNATURE-----