From: Konrad Heuer
To: freebsd-security@freebsd.org
Date: Fri, 30 Nov 2001 09:53:13 +0100 (CET)
Subject: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd)
Message-ID: <20011130095138.F55193-100000@gwdu60.gwdg.de>

Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, it
seems so.

Best regards

Konrad Heuer
Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Am Faßberg, D-37077 Göttingen
Deutschland (Germany)
kheuer@gwdu60.gwdg.de

Personal Bookmarks:
http://www.freebsd.org
http://www.daemonnews.org

---------- Forwarded message ----------
Date: Thu, 29 Nov 2001 14:27:44 -0500
From: X-Force
To: alert@iss.net
Subject: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability
---------------------------------------------------------------------------

Internet Security Systems Security Alert
November 29, 2001

WU-FTPD Heap Corruption Vulnerability

Synopsis:

Internet Security Systems (ISS) X-Force has learned of the public release
of a proof of concept exploit for a vulnerability in Washington
University's FTP daemon (WU-FTPD). This FTP daemon is packaged as a part of
many Linux distributions. This vulnerability, which was originally reported
in April 2001, may allow remote attackers who are able to login to the FTP
service to execute arbitrary commands on a target system without any
specific knowledge of that host.

Affected Versions:

Washington University wu-ftpd 2.6.1:
- Caldera OpenLinux Server 3.1, OpenLinux Workstation 3.1
- Cobalt Qube 1.0
- Conectiva Linux 7.0, 6.0
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Mandrake Linux 8.1, 8.0 ppc, 8.0, 7.2, 7.1, 7.0, 6.1, 6.0
- Red Hat Linux 7.2 noarch, 7.2 ia64, 7.2 i686, 7.2 i586, 7.2 i386,
  7.2 athlon, 7.2 alpha
- Red Hat Linux 7.1 noarch, 7.1 ia64, 7.1 i686, 7.1 i586, 7.1 i386,
  7.1 alpha
- Red Hat Linux 7.0 sparc, 7.0 i386, 7.0 alpha
- Turbolinux TL Workstation 6.1
- Turbolinux 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0
- WireX Immunix OS 7.0-Beta, 7.0

Washington University wu-ftpd 2.6.0:
- Cobalt Qube 1.0
- Conectiva Linux 5.1, 5.0, 4.2, 4.1, 4.0es, 4.0
- Debian Linux 2.2 sparc, 2.2 powerpc, 2.2 arm, 2.2 alpha, 2.2 68k, 2.2
- Red Hat Linux 6.2 sparc, 6.2 i386, 6.2 alpha
- Red Hat Linux 6.1 sparc, 6.1 i386, 6.1 alpha
- Red Hat Linux 6.0 sparc, 6.0 i386, 6.0 alpha
- Red Hat Linux 5.2 sparc, 5.2 i386, 5.2 alpha
- SuSE Linux 6.4 ppc, 6.4 alpha, 6.4
- SuSE Linux 6.3 ppc, 6.3 alpha, 6.3
- SuSE Linux 6.2
- SuSE Linux 6.1 alpha, 6.1
- Turbolinux 4.0
- WireX Immunix OS 6.2

Washington University wu-ftpd 2.5.0:
- Caldera eDesktop 2.4, eServer 2.3.1, eServer 2.3
- Caldera OpenLinux 2.4, OpenLinux Desktop 2.3
- Red Hat Linux 6.0 sparc, 6.0 i386, 6.0 alpha

Description:

The WU-FTPD daemon allows users to transfer files to and from the system
running the service, using the File Transport Protocol (FTP). Many popular
Linux distributions are shipped with WU-FTPD running by default. A
vulnerability exists that may allow attackers to execute arbitrary code
with the privileges of the FTP daemon (most often root), resulting in a
complete system compromise. The attacker must be able to successfully login
to the service with any account (including anonymous) in order to perform
the exploit.

This vulnerability is caused by the failure of the "globbing" code to
signal errors on specially crafted expressions, resulting in a corruption
of heap memory, which may be exploited by attackers to overwrite an
arbitrary location in memory.

The term "globbing" refers to the action taken by the glob() function,
which is implemented in glibc library. WU-FTPD implements its own version
of glob(). The glob() function is responsible for interpreting
user-supplied filenames and returning valid pathnames. The glob() function
interprets special metacharacters such as the asterisk (*) or "wildcard"
character when returning valid pathnames. Other metacharacters (including
? [ ] { } ~ ') are also incorrectly interpreted by the glob() function. The
vulnerability exists as a result of improper handling of these
metacharacters in the WU-FTPD glob() implementation.

Recommendations:

ISS X-Force recommends that all system administrators disable the FTP
service if it is not explicitly required. Patches for this vulnerability
are being made available. Contact your vendor for more information. X-Force
further recommends that administrators disable "anonymous" access to
critical FTP servers if the feature is not required.

ISS X-Force will provide detection and assessment support for this
vulnerability in upcoming X-Press Updates for RealSecure Network Sensor and
Internet Scanner.
Detection support for this attack will also be added in a future update
for BlackICE products.

Additional Information:

This vulnerability was initially discovered by Matt Power. The issue was
confirmed and investigated further by Luciano Notarfrancesco and Juan Pablo
Martinez Kuhn of Core Security Technologies: http://www.corest.com

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2001-0550 to this issue. This is a candidate for inclusion in the
CVE list http://cve.mitre.org, which standardizes names for security
problems.

ISS X-Force Database, http://xforce.iss.net/static/7611.php

______

About Internet Security Systems (ISS)

Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed security
services, and strategic consulting and education offerings, ISS is a
trusted security provider to more than 8,000 customers worldwide including
21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and the
Middle East. For more information, visit the Internet Security Systems web
site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
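
The alert attributes the bug to globbing code that fails to signal errors on crafted expressions. The block below is an added example, not WU-FTPD's code and not part of the alert or the list post: a caller of the system glob(3) that refuses malformed patterns, uses results only when expansion reports success, and releases the result exactly once. The names safe_expand, pattern_is_balanced, MAX_PATTERN and demo_buf are hypothetical, and the sample patterns are constructed.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATTERN 256        /* assumed limit for a client-supplied pattern */
static char demo_buf[64];      /* scratch buffer for the demo below */

/* Hypothetical pre-check: refuse patterns whose [ ] or { } do not balance.
 * Conservative: POSIX treats a lone '[' as a literal, this rejects it. */
static int pattern_is_balanced(const char *p)
{
    int braces = 0, in_class = 0;
    for (; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }     /* escaped character */
        if (in_class) { if (*p == ']') in_class = 0; continue; }
        if (*p == '[') in_class = 1;
        else if (*p == '{') braces++;
        else if (*p == '}' && --braces < 0) return 0;
    }
    return braces == 0 && !in_class;
}

/* Expand pattern and copy the first match into out. Returns the match count,
 * 0 for no match, -1 on any error; out is meaningful only when result > 0. */
int safe_expand(const char *pattern, char *out, size_t outlen)
{
    glob_t g;
    int rc, n = -1;

    if (!pattern || !out || outlen == 0) return -1;
    if (strlen(pattern) >= MAX_PATTERN || !pattern_is_balanced(pattern)) return -1;

    memset(&g, 0, sizeof g);               /* defined state before the call */
    rc = glob(pattern, GLOB_ERR, NULL, &g);
    if (rc == GLOB_NOMATCH)
        n = 0;
    else if (rc == 0 && g.gl_pathc > 0 &&
             (size_t)snprintf(out, outlen, "%s", g.gl_pathv[0]) < outlen)
        n = (int)g.gl_pathc;
    globfree(&g);                          /* single release, on every path */
    return n;
}

int main(void)
{
    /* Constructed sample patterns: valid, unbalanced, unbalanced, no match. */
    const char *samples[] = { ".", "[abc", "{a,b", "constructed-no-such-entry-*" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-30s -> %d\n", samples[i],
               safe_expand(samples[i], demo_buf, sizeof demo_buf));
    return 0;
}
```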