Date: Thu, 26 Aug 1999 12:06:21 -0400
From: Gregory A Lundberg <[email protected]>
To: WU-FTPD Discussion List <[email protected]>,
       WU-FTPD Announcements <[email protected]>,
       WU-FTPD Questions <[email protected]>
Subject: WU-FTPD Security Update

-----BEGIN PGP SIGNED MESSAGE-----

                         WU-FTPD Security Update

The WU-FTPD Development Group has been informed there is a vulnerability in
some versions of wu-ftpd.

This vulnerability may allow local and remote users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

The WU-FTPD Development Group recommends sites take the steps outlined
below as soon as possible.

1.  Description

   Due to insufficient bounds checking on directory name lengths which can
   be supplied by users, it is possible to overwrite the static memory
   space of the wu-ftpd daemon while it is executing under certain
   configurations (those built with the MAPPING_CHDIR feature; see
   sections 3.2 and 3.3).  By having the ability to create directories and
   supplying carefully designed directory names to wu-ftpd, users may
   gain privileged access.

2.  Impact

   This vulnerability may allow local and remote users to gain root
   privileges.

3.  Workarounds/Solution

   Sites may prevent the exploitation of the vulnerability in wu-ftpd by
   immediately upgrading and applying available patches.

3.1 Affected versions

   Versions known to be affected are:

       wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
       wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
       wu-ftpd-2.5.0

       BeroFTPD, all present versions

       Other derivatives of wu-ftpd may be affected.  See the workaround
       (section 3.3) to determine if a derivative is vulnerable.

   Versions known not to be affected are:

       NcFTPd, all versions.
       wu-ftpd-2.4.2 (final, from Academ)
       All Washington University versions.

       (Please note: ALL versions of WU-FTPD prior to
        wu-ftpd-2.4.2-beta-18-vr10 including all WU versions, and all
        Academ 2.4.1 and 2.4.2 betas, are vulnerable to a remote user
        root-leveraging attack. See CERT Advisory CA-99-03 'FTP Buffer
        Overflows' at
        http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
        and section 3.2)

3.2 Upgrade to latest wu-ftpd and apply patch

   The latest version of wu-ftpd from the WU-FTPD Development Group is
   2.5.0; sites running earlier versions should upgrade to this version as
   soon as possible.

   The WU-FTPD Development Group has a patch available which corrects this
   vulnerability.  The patch is available directly from the WU-FTPD
   Development Group's primary distribution site, and will be propagating
   to its mirrors shortly.

   Several other patches to version 2.5.0 are also available.  The WU-FTPD
   Development Group recommends all available patches be applied.

   Patches for version 2.5.0 are available at the primary distribution
   site:

       ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/

   The following patches are available:

       CRITICAL-SECURITY.PATCH

           Alternate name for mapped.path.overrun.patch.

       mapped.path.overrun.patch

           Corrects a problem in the implementation of the MAPPING_CHDIR
           feature which could be used to gain root privileges.  All sites
           should apply this patch as soon as possible.

       not.in.class.patch

           Corrects a problem where anonymous users not in any class could
           gain anonymous access to the server under certain conditions.
           All sites should apply this patch.

       glibc.wtmp.patch

           Corrects a problem with Linux systems where logout from wu-ftpd
           was not properly recorded in the wtmp file.  Sites running
           wu-ftpd on Linux should apply this patch.

       rfc931.timeout.patch

           Corrects some problems with the RFC931 implementation when the
           remote site does not respond.  Under some conditions, wu-ftpd
           would hang, failing to properly time out.  Sites experiencing
           unexplained hanging wu-ftpd processes should apply this patch.

       data-limit.patch

           Corrects a documentation error.  Released as a patch due to the
           number of questions the error caused.  This patch may be safely
           omitted on all sites.

       deny.not.nameserved.patch

           Corrects a problem in the implementation of '!nameserved' when
           attempting to deny access to remote users whose hosts do not
           have proper DNS.  All sites should apply this patch.

   Special note for BeroFTPD:

   BeroFTPD users should be able to apply the mapped.path.overrun.patch to
   their version of wu-ftpd.  (This has been tested by the WU-FTPD
   Development Group on BeroFTPD 1.3.4; it applied cleanly, with some
   drift in line numbers.)  The other patches are for version 2.5.0 of
   wu-ftpd only and should not be applied to BeroFTPD.

3.3 Apply work-around patch and recompile existing source.

   The feature causing this problem can be disabled at compile time in all
   affected versions of the daemon:

   o Locate the following text in config.h:

   /*
    * MAPPING_CHDIR
    * Keep track of the path the user has chdir'd into and respond with
    * that to pwd commands.  This is to avoid having the absolue disk
    * path returned.  This helps avoid returning dirs like '.1/fred'
    * when lots of disks make up the ftp area.
    */

   o If this text is not present, your version of the daemon is NOT
     vulnerable.

   o Change the following line from:

   #define MAPPING_CHDIR

   to

   #undef MAPPING_CHDIR

   o Rebuild and install the new ftpd executable.
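
   The following is an added example and is not code from wu-ftpd or the
   WU-FTPD Development Group.  It models the MAPPING_CHDIR bookkeeping
   that section 1 describes (the daemon keeps the user's virtual path in a
   static buffer and appends each directory name the user changes into),
   shows the unchecked append beside a bounds-checked one, and carries the
   same compile-time switch as the work-around above so the trade-off of
   '#undef MAPPING_CHDIR' (PWD returns the real disk path) is visible.  The
   names mapped_dir, mapped_path_append, mapped_pwd and demo_long_names
   are illustrative and are not claimed to match ftpd.c; MAXPATHLEN is
   assumed to be 1024 as on most systems of the period.

```c
/* Added example: a model of MAPPING_CHDIR path tracking, not ftpd.c.
 * Build stand-alone with: cc -Wall -o mapdemo mapdemo.c */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024          /* assumed; matches most systems */
#endif

/* The switch from section 3.3: change to #undef to compile the feature
 * out, at the cost of PWD reporting the absolute disk path. */
#define MAPPING_CHDIR

#ifdef MAPPING_CHDIR
/* The "static memory space" of the advisory: the buffer an overlong
 * directory name overruns when the append is not bounds-checked. */
static char mapped_dir[MAXPATHLEN];

/* The unchecked pattern the advisory describes.  Nothing stops strcat()
 * writing past mapped_dir once the accumulated path exceeds
 * MAXPATHLEN-1 bytes.  Shown for contrast only; never feed it user input. */
void mapped_path_append_unchecked(const char *dir)
{
    strcat(mapped_dir, "/");
    strcat(mapped_dir, dir);
}

/* Bounds-checked replacement: a component that would not fit is refused
 * and mapped_dir is left unchanged.  Returns 0 on success, -1 if refused. */
int mapped_path_append(const char *dir)
{
    size_t cur = strlen(mapped_dir);
    size_t add = strlen(dir);

    if (add == 0 || strcmp(dir, ".") == 0)
        return 0;
    if (strcmp(dir, "..") == 0) {            /* pop the last component */
        char *slash = strrchr(mapped_dir, '/');
        if (slash)
            *slash = '\0';
        return 0;
    }
    /* Need room for cur bytes + '/' + add bytes + the terminating NUL.
     * The first test also keeps cur + 1 + add from wrapping. */
    if (add >= sizeof(mapped_dir) || cur + 1 + add >= sizeof(mapped_dir))
        return -1;
    mapped_dir[cur] = '/';
    memcpy(mapped_dir + cur + 1, dir, add + 1);
    return 0;
}

/* Start a session at the virtual root, as the daemon would after login. */
void mapped_path_reset(void) { mapped_dir[0] = '\0'; }

/* What PWD reports: the tracked virtual path, "/" at the virtual root. */
const char *mapped_pwd(void) { return mapped_dir[0] ? mapped_dir : "/"; }
#else
/* Feature compiled out: nothing is tracked and PWD reports the real
 * working directory, which is exactly what the work-around trades away. */
static char real_dir[MAXPATHLEN];
int mapped_path_append(const char *dir) { (void)dir; return 0; }
void mapped_path_reset(void) { real_dir[0] = '\0'; }
const char *mapped_pwd(void)
{
    return getcwd(real_dir, sizeof real_dir) ? real_dir : "/";
}
#endif

/* Model of the attack in section 1: a user who can create directories
 * names each one with name_len bytes and changes into them in turn.
 * Returns how many the checked tracker accepted before refusing one. */
int demo_long_names(size_t name_len, int attempts)
{
    char name[2048];                         /* constructed input */
    int accepted = 0, i;

    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';

    mapped_path_reset();
    for (i = 0; i < attempts; i++) {
        if (mapped_path_append(name) != 0)
            break;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    mapped_path_reset();
    mapped_path_append("pub");
    mapped_path_append("incoming");
    printf("PWD after two CWDs: %s\n", mapped_pwd());
    mapped_path_append("..");
    printf("PWD after CDUP:     %s\n", mapped_pwd());

    /* Two 900-byte names: the first fits ("/" plus 900 bytes), the second
     * would need 1802 bytes and is refused instead of overrunning. */
    printf("accepted %d of 2 long names; path length now %zu\n",
           demo_long_names(900, 2), strlen(mapped_pwd()));
    return 0;
}
```

   The check in mapped_path_append is the shape of fix a practitioner
   should look for when auditing a derivative: every place the tracked
   path grows must compare the accumulated length against the buffer
   size before writing, and refuse rather than truncate, since a
   truncated virtual path would silently misreport the user's location.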

- --

Gregory A Lundberg              WU-FTPD Development Group
1441 Elmdale Drive              [email protected]
Kettering, OH 45409-1615 USA    1-800-809-2195

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQCVAwUBN8VXQg7NCCRiiFh1AQFMDQP+PM9pWpqGo9xEcn1XdEgfmr1mcqZ2y9gY
geyRyPtv8xsLqbAMcQQ/KsDO3aP4sdT3yMA0EHZKohiAG3Sx38bGBe9geaOdbUxe
jSGzc6yDIxLwegJuWK35V7C8L9BbvFCbednvmXoToshuagcGFY8ZIP2ZyDuwz4EM
VxD1ILqHUww=
=r1tK
-----END PGP SIGNATURE-----