-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-2000-13 Two Input Validation Problems In FTPD

  Original release date: July 7, 2000
  Last revised: --
  Source: CERT/CC

  A complete revision history is at the end of this file.

Systems Affected

    * Any system running wu-ftpd 2.6.0 or earlier
    * Any system running ftpd derived from wu-ftpd 2.0 or later
    * Some systems running ftpd derived from BSD ftpd 5.51 or BSD ftpd
      5.60 (the final BSD release)

Overview

  A vulnerability involving an input validation error in the "site exec"
  command has recently been identified in the Washington University ftpd
  (wu-ftpd) software package. Sites running affected systems are advised
  to update their wu-ftpd software as soon as possible.

  A similar but distinct vulnerability has also been identified that
  involves a missing format string in several setproctitle() calls. It
  affects a broader number of ftp daemons. Please see Appendix A of this
  document for specific information about the status of specific ftpd
  implementations and solutions.

I. Description

"Site exec" Vulnerability

  A vulnerability has been identified in wu-ftpd and other ftp daemons
  based on the wu-ftpd source code. Wu-ftpd is a common package used to
  provide file transfer protocol (ftp) services. This vulnerability is
  being discussed as the wu-ftpd "site exec" or "lreply" vulnerability
  in various public forums. Incidents involving the exploitation of this
  vulnerability-which enables remote users to gain root privileges-have
  been reported to the CERT Coordination Center.

  The problem is described in AUSCERT Advisory AA-2000.02, "wu-ftpd
  'site exec' Vulnerability," which is available from

  ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02

  The wu-ftpd "site exec" vulnerability is the result of missing
  character-formatting argument in several function calls that implement
  the "site exec" command functionality. Normally if "site exec" is
  enabled, a user logged into an ftp server (including the 'ftp' or
  'anonymous' user) may execute a restricted subset of quoted commands
  on the server itself. However, if a malicious user can pass character
  format strings consisting of carefully constructed *printf()
  conversion characters (%f, %p, %n, etc) while executing a "site exec"
  command, the ftp daemon may be tricked into executing arbitrary code
  as root.

  The "site exec" vulnerability appears to have been in the wu-ftpd code
  since the original wu-ftpd 2.0 came out in 1993. Any vendors who have
  based their own ftpd distributions on this vulnerable code are also
  likely to be vulnerable.

  The vulnerability appears to be exploitable if a local user account
  can be used for ftp login. Also, if the "site exec" command
  functionality is enabled, then anonymous ftp login allows sufficient
  access for an attack.

setproctitle() Vulnerability

  A separate vulnerability involving a missing character-formatting
  argument in setproctitle(), a call which sets the string used to
  display process identifier information, is also present in wu-ftpd.
  Other ftpd implementations have been found to have vulnerable
  setproctitle() calls as well, including those from proftpd and
  OpenBSD.

  The setproctitle() vulnerability appears to have been present in
  various ftpd implementations since at least BSD ftpd 5.51 (which
  predates wuarchive-ftpd 1.0). It has also been confirmed to be present
  in BSD ftpd 5.60 (the final BSD release). Any vendors who have based
  their own ftpd distributions on this vulnerable code are also likely
  to be vulnerable.

  It should be noted that many operating systems do not support
  setproctitle() calls. However, other software engineering defects
  involving the same type of missing character-formatting argument may
  be present.

Intruder Activity

  One possible indication you are being attacked with either of these
  vulnerabilities may be the appearance of syslog entries similar to the
  following:

Jul  4 17:43:25 victim ftpd[3408]: USER ftp
Jul  4 17:43:25 victim ftpd[3408]: PASS [malicious shellcode]
Jul  4 17:43:26 victim ftpd[3408]: ANONYMOUS FTP LOGIN FROM
attacker.example.com [10.29.23.19], [malicious shellcode]
Jul  4 17:43:28 victim-site ftpd[3408]: SITE EXEC (lines: 0):
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%c%c%c%.f|%p
Jul  4 17:43:28 victim ftpd[3408]: FTP session closed

  Details and exploits for both the "site exec" and setproctitle()
  vulnerabilities have been posted in various public forums. Please see

  http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1387
  http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1438
  http://ciac.llnl.gov/ciac/bulletins/k-054.shtml

  The CERT/CC has received reports of both of these vulnerabilities
  being successfully exploited on the Internet. Please check our Current
  Activity page for updates regarding intruder activity involving these
  vulnerabilities.

II. Impact

  By exploiting any of these input validation problems, local or remote
  users logged into the ftp daemon may be able execute arbitrary code as
  root. An anonymous ftp user may also be able to execute arbitrary code
  as root.

III. Solution

Upgrade your version of ftpd

  Please see Appendix A of this advisory for more information about the
  availability of updated ftpd packages specific for your system.

Apply a patch from your vendor

  If you are running vulnerable ftpd implementations and cannot upgrade,
  you need to apply the appropriate vendor patches and recompile and/or
  reinstall the ftpd server software.

  Appendix A contains information provided by vendors for this advisory.
  We will update the appendix as we receive more information. If you do
  not see your vendor's name, the CERT/CC did not hear from that vendor.
  Please contact your vendor directly.

Disable ftp services

  If neither an upgrade nor a patch can be applied, the CERT/CC
  recommends disabling all vulnerable wu-ftpd and proftpd servers. While
  disabling "site exec" command functionality or anonymous ftp access
  minimizes exposure to the "site exec" vulnerability, neither is a
  complete solution and may not mitigate against the risks involved with
  exposure to the setproctitle() vulnerability.

Appendix A. Vendor Information

BSDI

  Current versions of BSD/OS do not include any version of wu-ftpd. The
  BSDI ftpd is not vulnerable to the reported problems; it is not based
  on the wu-ftpd code.

  The version of ftpd in modern versions of BSD/OS is not vulnerable to
  the generic setproctitle() vulnerabilities.

Caldera Systems, Inc

  Please see CSSA-2000-020.0 regarding the wu-ftpd issue and OpenLinux:

  ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt

  Copyright � 2000 Caldera Systems, Inc.

Conectiva S.A.

  Please see:

  http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]

Debian GNU/Linux

  Please see the following regarding the wu-ftpd "site exec" issue:

  http://www.debian.org/security/2000/20000623

  Copyright � 1997-2000 SPI

FreeBSD, Inc.

  Please see FreeBSD-SA-00:29, Security Advisory for wu-ftpd in the
  ports collection, for complete information. In part it states:

    The wu-ftpd port is not installed by default, nor is it "part of
    FreeBSD" as such: it is part of the FreeBSD ports collection,
    which contains over 3400 third-party applications in a
    ready-to-install format. The ports collections shipped with
    FreeBSD 3.5 and 4.0 contains this problem since it was
    discovered after the release. FreeBSD makes no claim about the
    security of these third-party applications, although an effort
    is underway to provide a security audit of the most
    security-critical ports.

  [With respect to setproctitle()] it turns out that FreeBSD fixed this
  bug in the system ftpd back in 1996, so it is not present in all
  versions of FreeBSD since 2.2.0.

  We also ship optional third-party ftpds in the ports collection: we
  had patched wu-ftpd and believed it to be fixed (it was the subject of
  advisory SA-00:29), but in light of the other recent email from CERT.
  We will re-check to make sure all of the vulnerabilities were patched.
  Proftpd is also currently vulnerable but [has been patched]. Other
  third-party ftpds may or may not be vulnerable at this time (we advise
  users to install ports at their own risk), and we will release
  security advisories as they are discovered and fixed.

Hewlett-Packard Company

  HP is vulnerable, patches in process, watch for the HP security
  bulletin to be issued.

MandrakeSoft Inc.

  Please see the MANDRAKE 7.1 update section for wu-ftpd information at:

  http://www.linux-mandrake.com/en/fupdates.php3

Microsoft Coporation

  The IIS FTP service is not is not affected by these issues.

MIT Kerberos Development Team

  It seems that the MIT Kerberos ftpd is based on BSD ftpd revision
  5.40, and has never contained any serious format string related bugs
  for some reason. It is possible that by defining an undocumented CPP
  macro SETPROCTITLE, calls to setproctitle() can be made, however,
  there is an internally declared setproctitle() function that does not
  take a format string as its argument, and is hence not vulnerable.

ProFTPD Project

  Upgrade to ProFTPD 1.2.0

  Please see the discussion concerning setproctitle() at

  http://www.proftpd.org/proftpd-l-archive/00-07/msg00059.html
  http://www.proftpd.org/proftpd-l-archive/00-07/msg00060.html
  http://bugs.proftpd.net/show_bug.cgi?id=121
  http://www.proftpd.net/security.html

OpenBSD

  The setproctitle bug is in OpenBSD. Please see:

  http://www.openbsd.org/errata.html#ftpd

Redhat

  Please see RHSA-2000-039-02 regarding the wu-ftpd issue:

  http://www.redhat.com/support/errata/RHSA-2000-039-02.html

  Copyright � 2000 Red Hat, Inc. All rights reserved.

Slackware Linux Project

  Please see the patches made available regarding the wu-ftpd issue, at:

  ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/wu-ftpd-patch.README

Sun Microsystems

  [...] Our engineering team and they do not feel that Solaris is
  vulnerable.

SuSE Ltd.

  Please see SuSE Security Announcement #53 regarding the wu-ftpd issue,
  at:

  http://www.suse.de/de/support/security/suse_security_announce_53.txt

WU-FTPD Development Group

  The WU-FTPD Development Group's primary distribution site is mirrored
  world-wide. A list of mirrors is available from:

  http://www.wu-ftpd.org/mirrors.txt

  If possible, please use a mirror to obtain patches or the latest
  version.

Upgrade your version of wu-ftpd

  The latest release of wu-ftpd, version 2.6.1, has been released to
  address these and several other security issues:

  ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz
  ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc
  ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z
  ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc

Apply a patch

  The wu-ftpd developers have published the following patch for wu-ftpd
  2.6.0:

  ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch
  _________________________________________________________________

  The CERT Coordination Center thanks Gregory Lundberg and Theo de Raadt
  for their help in developing this advisory.
  _________________________________________________________________

  Author: Jeffrey S. Havrilla
  ______________________________________________________________________

  This document is available from:
  http://www.cert.org/advisories/CA-2000-13.html
  ______________________________________________________________________

CERT/CC Contact Information

  Email: [email protected]
         Phone: +1 412-268-7090 (24-hour hotline)
         Fax: +1 412-268-6989
         Postal address:
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         U.S.A.

  CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
  Monday through Friday; they are on call for emergencies during other
  hours, on U.S. holidays, and on weekends.

Using encryption

  We strongly urge you to encrypt sensitive information sent by email.
  Our public PGP key is available from

  http://www.cert.org/CERT_PGP.key

  If you prefer to use DES, please call the CERT hotline for more
  information.

Getting security information

  CERT publications and other security information are available from
  our web site

  http://www.cert.org/

  To be added to our mailing list for advisories and bulletins, send
  email to [email protected] and include SUBSCRIBE
  your-email-address in the subject of your message.

  * "CERT" and "CERT Coordination Center" are registered in the U.S.
  Patent and Trademark Office.
  ______________________________________________________________________

  NO WARRANTY
  Any material furnished by Carnegie Mellon University and the Software
  Engineering Institute is furnished on an "as is" basis. Carnegie
  Mellon University makes no warranties of any kind, either expressed or
  implied as to any matter including, but not limited to, warranty of
  fitness for a particular purpose or merchantability, exclusivity or
  results obtained from use of the material. Carnegie Mellon University
  does not make any warranty of any kind with respect to freedom from
  patent, trademark, or copyright infringement.
  _________________________________________________________________

  Conditions for use, disclaimers, and sponsorship information

  Copyright 2000 Carnegie Mellon University

  Revision History
July  7, 2000:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOWYdxVr9kb5qlZHQEQJRpgCfZA2ep1eMkg5B4aqBZbZOtKeXWDoAnRSe
ct12Oprnm91UvyxUJv9gdW1v
=Cs9w
-----END PGP SIGNATURE-----