-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-1999.01                        AUSCERT Advisory
		   wu-ftpd/BeroFTPD MAPPING_CHDIR Vulnerability

                                 27 August 1999

Last Revised: --

- ---------------------------------------------------------------------------

AusCERT has received information that there is a vulnerability in some
versions of wu-ftpd and its derivatives which run on various platforms.

This vulnerability may allow local, remote and anonymous users to gain
root privileges.

Information about this vulnerability has been made publicly available.

AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1.  Description

    The wu-ftpd program provides file transfer protocol (FTP) services.

    Due to insufficient bounds checking on directory name lengths which
    can be supplied by users, it is possible to overwrite the static memory
    space of the wu-ftpd daemon while it is executing under certain
    configurations.  By having the ability to create directories and
    supplying carefully designed directory names to wu-ftpd, users may
    gain privileged access.  This exploit utilises the MAPPING_CHDIR
    feature in vulnerable ftp daemons.  This is a new vulnerability unlike
    the ftpd buffer overflows described in CERT Advisory CA-99-03 "FTP
    Buffer Overflows" (reissued as AusCERT ESB-1999.020).

    Sites can determine if this program is installed by using:

       % ftp hostname

    and examining the output of the ftp login banner.

    If no version information appears on the login banner, or to verify
    this information, log into the ftp server as normal then issue the
    following command:
  
      ftp> quote stat

    All effected versions of the wu-ftpd daemon allow control over the
    information revealed in the initial login banner however they all
    return their version number in response to the ftp server stat command
    shown above.

2.  Impact

    This vulnerability may allow local, remote and anonymous users to gain
    root privileges.

3.  Workarounds/Solution

    AusCERT recommends that sites prevent the exploitation of the
    vulnerability in wu-ftpd by immediately upgrading and applying
    available patches as described in Section 3.2.  Versions known to be
    vulnerable are listed in Section 3.1

    If no patch is available for other derivatives of wu-ftpd, AusCERT
    recommends modifying existing source to disable the MAPPING_CHDIR
    feature as described in Section 3.4.

    If the functionality provided by wu-ftpd is not required at all, it
    is recommended that sites disable it on their systems.

3.1 Status of variants and versions of wu-ftpd likely to be affected.

    This vulnerability is known to be present on the following ftpd
    implementations:

    wu-ftpd:
      Versions effected:

        wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
        wu-ftpd-2.4.2-vr16 through wu-ftpd-2.4.2-vr17
        wu-ftpd-2.5.0
        (See Section 3.2)

      Versions not effected:
        wu-ftpd-2.4.2 (final, from Academ) and all WU versions

	Please note: ALL versions of WU-FTPD prior to
	wu-ftpd-2.4.2-beta-18-vr10 including all WU versions, and all
	Academ 2.4.1 and 2.4.2 betas, are subject to the remote root
	compromise vulnerability described in CERT Advisory CA-99-03 "FTP
	Buffer Overflows" at
	 http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
	(See Section 3.2)

    BeroFTPD:
      Versions effected: All present versions.
                         No vendor patch currently available.
        (For a workaround see Section 3.4)

	The patch listed in Section 3.2 can be applied to the latest 
	version (1.3.4) of BeroFTPD after minor modification to account 
	for different line numbers.  The latest version of BeroFTPD is 
	available from:

	  ftp://ftp.beroftpd.unix.eu.org/pub/BeroFTPD/

    RedHat:
      Versions effected: All present versions.
                         Vendor patch is available.
        (See Section 3.3)

    NcFTPd:
      Versions effected: None.

3.2 Upgrade to latest wu-ftpd and apply patch.

    A patch to remove this vulnerability from the 2.5.0 release of wu-ftpd
    has been made available by the WU-FTPD Development Group. Sites should
    upgrade to the latest version of wu-ftpd (2.5.0) and apply this patch.

    The 2.5.0 release of wu-ftpd is available from:

      ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

    The security patch that needs to be applied to wu-ftpd 2.5.0 is available
    from:

      ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/mapped.path.overrun.patch

3.3 Upgrade to latest wu-ftpd RPM.

    Red Hat have released updated versions of wu-ftpd which address this
    vulnerability. More information (including RPM's) can be found at:

    Red Hat Linux 6.0:

      http://www.redhat.com/corp/support/errata/RHSA1999031_01.html

    Red Hat Linux 5.x:

     http://www.redhat.com/corp/support/errata/rh52-errata-general.html#wu-ftpd

    Red Hat Linux 4.x:

     http://www.redhat.com/corp/support/errata/rh42-errata-general.html#wu-ftpd

    The RPM's they have made available contain all of the patches mentioned in
    sections 3.2 and 4.2.

3.4 Disable MAPPING_CHDIR feature and recompile existing source.

    The feature causing this problem can be disabled at compile time in
    all effected versions of the daemon:

    o Locate the following text in config.h:

    /*
     * MAPPING_CHDIR
     * Keep track of the path the user has chdir'd into and respond with
     * that to pwd commands.  This is to avoid having the absolue disk
     * path returned.  This helps avoid returning dirs like '.1/fred'
     * when lots of disks make up the ftp area.
     */

    o If this text is not present, your version of the daemon is NOT
      vulnerable.

    o Change the following line from:

        #define MAPPING_CHDIR

      to

        #undef MAPPING_CHDIR

    o Rebuild and install the new ftpd executable.

4.  Additional measures

4.1 Disable/Limit writable ftp incoming areas.

    Public writable areas have been a common source of abuse on ftp
    servers.  To limit exposure to similar incidents, sites should review
    and modify their configuration to remove or limit any upload areas.
    This may provide little or no protection against non-anonymous
    accounts.  Caution needs to be taken as this is a complex configuration
    issue.

    For the correct procedures on how to configure upload areas on wu-ftpd
    based implementations, please refer to:

      ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO

4.2 Apply additional patches to wu-ftpd.

    Other important patches for wu-ftpd 2.5.0 which may effect your site's
    security configuration can be found at:

      ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/

    The WU-FTPD Development Group recommends all available patches be
    applied.

    After applying the above patches, rebuild and install the new ftpd
    executable.

- ---------------------------------------------------------------------------
AusCERT thanks Gregory A Lundberg of the WU-FTPD Development Group and
Michal Zalewski for the original report and assistance in the preparation
of this advisory.
- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane        
Qld  4072     
AUSTRALIA       


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOAydxyh9+71yA2DNAQHNBwP+Lpi96cZp32OLBKA1/vU9WwhU+BTBvyLe
h4GXH0d/859Yy5/++vIStvyNtDl4FfXQdIjmZsPmrofw52MAxI3eS1PD6ixztSdW
VxZ6deVV6YHL3ETmiv2/hvPNAT0NdHV03OCC0bevo4ltTCECvmcnXPe+CvN2ins8
gzAIRKP1St0=
=5UNJ
-----END PGP SIGNATURE-----
rt/AUSCERT_PGP.key

iQCVAwUBOAydxyh9+71yA2DNAQHNBwP+Lpi96cZp32OLBKA1/vU9WwhU+BTBvyLe
h4GXH0d/859Yy5/++vIStvyNtDl4FfXQdIjmZsPmrofw52MAxI3eS1PD6ixztSdW
VxZ6deVV6YHL3ETmiv2/hvPNAT0NdHV03OCC0bevo4ltTCECvmcnXPe+CvN2ins8
gzAIRKP1St0=
=5UNJ
-----END PGP SIGNATURE-----