Date: Thu, 26 Aug 1999 12:06:21 -0400
From: Gregory A Lundberg
To: WU-FTPD Discussion List, WU-FTPD Announcements, WU-FTPD Questions
Subject: WU-FTPD Security Update

-----BEGIN PGP SIGNED MESSAGE-----

WU-FTPD Security Update

The WU-FTPD Development Group has been informed there is a vulnerability in some versions of wu-ftpd. This vulnerability may allow local and remote users to gain root privileges. Exploit information involving this vulnerability has been made publicly available.

The WU-FTPD Development Group recommends sites take the steps outlined below as soon as possible.

1. Description

Due to insufficient bounds checking on directory name lengths which can be supplied by users, it is possible to overwrite the static memory space of the wu-ftpd daemon while it is executing under certain configurations. By having the ability to create directories and supplying carefully designed directory names to wu-ftpd, users may gain privileged access.

2. Impact

This vulnerability may allow local and remote users to gain root privileges.

3. Workarounds/Solution

Sites may prevent exploitation of the vulnerability in wu-ftpd by immediately upgrading and applying the available patches.

3.1 Affected versions

Versions known to be affected are:

   wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
   wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
   wu-ftpd-2.5.0
   BeroFTPD, all present versions

Other derivatives of wu-ftpd may be affected. See the workaround (section 3.3) to determine if a derivative is vulnerable.

Versions known to be not affected are:

   NcFTPd, all versions
   wu-ftpd-2.4.2 (final, from Academ)
   All Washington University versions

(Please note: ALL versions of WU-FTPD prior to wu-ftpd-2.4.2-beta-18-vr10, including all WU versions and all Academ 2.4.1 and 2.4.2 betas, are vulnerable to a remote user root-leveraging attack.
See CERT Advisory CA-99-03 'FTP Buffer Overflows' at http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html and section 3.2.)

3.2 Upgrade to latest wu-ftpd and apply patch

The latest version of wu-ftpd from the WU-FTPD Development Group is 2.5.0; sites running earlier versions should upgrade to this version as soon as possible.

The WU-FTPD Development Group has a patch available which corrects this vulnerability. The patch is available directly from the WU-FTPD Development Group's primary distribution site, and will be propagating to its mirrors shortly.

Several other patches to version 2.5.0 are also available. The WU-FTPD Development Group recommends all available patches be applied.

Patches for version 2.5.0 are available at the primary distribution site:

   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/

The following patches are available:

   CRITICAL-SECURITY.PATCH
      Alternate name for mapped.path.overrun.patch.

   mapped.path.overrun.patch
      Corrects a problem in the implementation of the MAPPING_CHDIR feature which could be used to gain root privileges. All sites should apply this patch as soon as possible.

   not.in.class.patch
      Corrects a problem where anonymous users not in any class could gain anonymous access to the server under certain conditions. All sites should apply this patch.

   glibc.wtmp.patch
      Corrects a problem on Linux systems where logout from wu-ftpd was not properly recorded in the wtmp file. Sites running wu-ftpd on Linux should apply this patch.

   rfc931.timeout.patch
      Corrects some problems with the RFC931 implementation when the remote site does not respond. Under some conditions, wu-ftpd would hang, failing to properly time out. Sites experiencing unexplained hanging wu-ftpd processes should apply this patch.

   data-limit.patch
      Corrects a documentation error. Released as a patch due to the number of questions the error caused. This patch may be safely omitted on all sites.
   deny.not.nameserved.patch
      Corrects a problem in the implementation of '!nameserved' when attempting to deny access to remote users whose hosts do not have proper DNS. All sites should apply this patch.

Special note for BeroFTPD: BeroFTPD users should be able to apply the mapped.path.overrun.patch to their version of wu-ftpd. (This has been tested by the WU-FTPD Development Group on BeroFTPD 1.3.4; it applied cleanly, with some drift in line numbers.) The other patches are for version 2.5.0 of wu-ftpd only and should not be applied to BeroFTPD.

3.3 Apply work-around patch and recompile existing source

The feature causing this problem can be disabled at compile time in all affected versions of the daemon:

   o Locate the following text in config.h:

        /*
         * MAPPING_CHDIR
         * Keep track of the path the user has chdir'd into and respond with
         * that to pwd commands.  This is to avoid having the absolue disk
         * path returned.  This helps avoid returning dirs like '.1/fred'
         * when lots of disks make up the ftp area.
         */

   o If this text is not present, your version of the daemon is NOT vulnerable.

   o Change the following line from:

        #define MAPPING_CHDIR

     to

        #undef MAPPING_CHDIR

   o Rebuild and install the new ftpd executable.

-- 
Gregory A Lundberg
WU-FTPD Development Group
1441 Elmdale Drive
Kettering, OH 45409-1615 USA
lundberg@wu-ftpd.org
1-800-809-2195
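The defect in section 1 is a fixed static buffer that receives user-chosen directory names with no check that they fit. The following is an added illustration, not wu-ftpd's or BeroFTPD's code: a minimal logical-path tracker in the spirit of the MAPPING_CHDIR comment above (track what the user chdir'd into, answer PWD from it), written with the length check whose absence the advisory describes. The buffer size MAPPED_PATH_MAX and the function names are assumptions chosen for the example.

```c
/* Added example, not wu-ftpd code. A bounded "mapped chdir" tracker:
 * the logical current directory lives in a fixed-size static buffer,
 * and every append is length-checked so an over-long directory name is
 * rejected rather than written past the end of the buffer. */
#include <stdio.h>
#include <string.h>

#define MAPPED_PATH_MAX 64   /* assumed, kept small so the limit is easy to hit */

/* Static storage, as in the design the advisory describes. */
static char mapped_path[MAPPED_PATH_MAX] = "/";

/* Reset the logical path to the ftp root. */
void mapped_reset(void) { strcpy(mapped_path, "/"); }

/* What a PWD reply would be built from. */
const char *mapped_pwd(void) { return mapped_path; }

/* Append one directory component to the logical path.
 * Returns 0 on success, -1 if the name is rejected; on -1 the path
 * is left unchanged. */
int mapped_chdir(const char *dir)
{
    size_t cur = strlen(mapped_path);
    size_t add = strlen(dir);
    size_t sep;

    if (strcmp(dir, "..") == 0) {             /* go up one level */
        char *slash;
        if (cur <= 1) return 0;               /* already at root */
        slash = strrchr(mapped_path, '/');
        if (slash == mapped_path) slash[1] = '\0';   /* back to "/" */
        else *slash = '\0';
        return 0;
    }
    if (strcmp(dir, ".") == 0 || add == 0) return 0;
    if (strchr(dir, '/') != NULL) return -1;  /* one component at a time */

    /* Need room for: current path + optional '/' + name + NUL.
     * This is the bounds check the vulnerable versions lacked. */
    sep = (mapped_path[cur - 1] == '/') ? 0 : 1;
    if (cur + sep + add + 1 > sizeof mapped_path) return -1;

    if (sep) mapped_path[cur++] = '/';
    memcpy(mapped_path + cur, dir, add + 1);  /* copies the NUL too */
    return 0;
}
```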