-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-1999.02                     AUSCERT Advisory
              Multiple Vulnerabilities in wu-ftpd based daemons
                               19 October 1999

Last Revised: --

- ---------------------------------------------------------------------------

AusCERT has received information that there are vulnerabilities in all
versions of wu-ftpd (prior to 2.6.0) and its derivatives which run on
various platforms.

These vulnerabilities may allow local, remote and anonymous users to gain
root privileges or degrade system performance.

AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1.  Description

    The wu-ftpd program provides file transfer protocol (FTP) services.

    A user may gain privileged access by exploiting a buffer overrun in
    a wu-ftpd daemon which has insufficient bounds checking on expansions
    in message files. This vulnerability may be exploited by creating
    a maliciously crafted message file or manipulating the results of
    remotely supplied information to an existing message file.

    A separate buffer overrun vulnerability is exploitable in the
    'ftpshut' program if it is set with suid-root privilege. This can be
    leveraged by local users to gain root.
    (Please note wu-ftpd does not install 'ftpshut' suid-root by default.)

    Due to inadequate pathname filtering, a user may exploit a resource
    starvation Denial of Service (DoS) vulnerability by issuing a number
    of specific directory listing requests.

    These are new vulnerabilities unlike the ftpd vulnerabilities described
    in AusCERT Advisory AA-1999.01 "wu-ftpd/BeroFTPD MAPPING_CHDIR
    Vulnerability" and CERT Advisory CA-99-03 "FTP Buffer Overflows"
    (reissued as AusCERT ESB-1999.020).

    Sites can determine if this program is installed by using:

       % ftp hostname

    and examining the output of the ftp login banner.

    If no version information appears on the login banner, or to verify
    this information, log into the ftp server as normal then issue the
    following command:
  
      ftp> quote stat

    Some affected versions of the wu-ftpd daemon allow control over the
    information revealed in the initial login banner however they all
    return their version number in response to the ftp server stat command
    shown above.

2.  Impact

    These vulnerabilities may allow local, remote and anonymous users to
    gain root privileges or degrade system performance.

3.  Solution

    AusCERT recommends that sites prevent the exploitation of these
    vulnerabilities in wu-ftpd by immediately upgrading as described in
    Section 3.2.  Versions known to be vulnerable are listed in Section 3.1

    If no patch or upgrade is available for other derivatives of wu-ftpd,
    AusCERT recommends sites move to the wu-ftpd distribution as described
    in Section 3.2.

    If the functionality provided by wu-ftpd is not required at all, it
    is recommended that sites disable it on their systems.

3.1 Status of variants and versions of wu-ftpd likely to be affected.

    These vulnerabilities are known to be present in the following
    ftpd implementations:

    wu-ftpd:
      Versions effected: All versions prior to wu-ftpd-2.6.0
			 Including all derivative versions from
			  wustl.edu, academ.com, vr.net and wu-ftpd.org.
        (See Section 3.2)

    BeroFTPD:
      Versions effected: All present versions.
                         No vendor patch will be available.
			 BeroFTPD and wu-ftpd have been merged as of
			  wu-ftpd 2.6.0.
        (See Section 3.2)

    RedHat:
      Versions effected: All present versions.
                         No patch is currently available.
        (See Section 3.3)

3.2 Upgrade to latest wu-ftpd.

    These vulnerabilities have been fixed in the 2.6.0 release of wu-ftpd
    which has been made available by the WU-FTPD Development Group.  Sites
    should upgrade to the latest version of wu-ftpd (2.6.0).

    The 2.6.0 release of wu-ftpd is available from:

      ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

    or

      ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/wu-ftpd/

    wu-ftpd is also available from mirror sites listed in:

      ftp://ftp.wu-ftpd.org/pub/wu-ftpd/README-MIRRORS

    IMPORTANT NOTE:  The 2.6.0 version has been corrected to increase
    it's conformance to the RFC standards for FTP.  However, as a result,
    some FTP clients which are not completely RFC compliant may cease to
    inter-operate correctly with wu-ftpd 2.6.0 servers.

    It is believed that the W3C libwww ftp implementation is
    non-conforming.  This affects Lynx, CERN, Squid and Midnight Commander.
    The effects of a non-conforming client are a hanging transfer (usually
    when obtaining a directory listing).

    Squid, however, appears to recover and may hide the failure from the
    FTP user and the FTP site administrator; the Squid administrator may
    see a large number of errors in their logs.

    In addition, the popular ftp mirroring program 'mirror' written by
    Lee McLoughlin is also affected.  Versions up to and including the
    current version (2.9) will not work correctly with wu-ftpd 2.6.0
    servers.  Users of the mirror program version 2.9 can apply the following
    patch to mirror to make it compatible with wu-ftpd 2.6.0 servers:

      ftp://ftp.wu-ftpd.org/pub/support/wu-ftpd-2.6.0-mirror-2.9.patch
      ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/support/wu-ftpd-2.6.0-mirror-2.9.patch

    Users of mirror prior to version 2.9 should install the 2.9 release
    and apply the above mentioned patch.  The 2.9 version is available
    from:

      ftp://ftp.wu-ftpd.org/pub/support/mirror-2.9.tar.gz
      ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/support/mirror-2.9.tar.gz

    As a temporary measure, sites can keep the old (non-conforming)
    functionality of previous ftpd versions by enabling the following
    option during compilation of wu-ftpd 2.6.0:

      o Using GNU autoconf (not available on all platforms):

        Reconfigure adding the --enable-badclients option, make clean and
        make as normal.

      o Using old-style 'build' command:

        Edit config.h.noac, change
            #undef SUPPORT_BROKEN_CLIENTS
        to
            #define SUPPORT_BROKEN_CLIENTS

        Clear any previous build results (build clean) then recompile for
        your platform as normal.

    This option will not be supported in future releases of wu-ftpd.

3.3 Upgrade to latest wu-ftpd RPM when available.

    AusCERT expects that Red Hat will shortly release updated versions of
    wu-ftpd which address this advisory.  Until then sites may wish to
    install wu-ftpd 2.6.0 as described in Section 3.2.

4.  Additional measures

4.1 Disable/Limit writable ftp incoming areas.

    Public writable areas have been a common source of abuse on ftp
    servers.  To limit exposure to similar incidents, sites should review
    and modify their configuration to remove or limit any upload areas.
    This may provide little or no protection against non-anonymous
    accounts.  Caution needs to be taken as this is a complex configuration
    issue.

    For the correct procedures on how to configure upload areas on wu-ftpd
    based implementations, please refer to:

      ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO

- ---------------------------------------------------------------------------
AusCERT thanks Gregory A Lundberg of the WU-FTPD Development Group for the
original report and assistance in the preparation of this advisory.
- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane        
Qld  4072     
AUSTRALIA       


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOAyYbih9+71yA2DNAQGsMQP/ef4ZyF0U54gMUr6FPel1W7ffMR5WSPo2
5XyW4lQpUeTJMQiD4Cl8+B50ZSkVwVJ52C4IsAbkDd3CpOLXQZ/SGCrc4u4QHBCn
mQCxLDJbJ4Dhlr+0bfH17ZofhP6Q/qemYxHwoLy0Imt8XtigrwG+z+9FeVl7q2an
VKm1CvWqQDE=
=sp0T
-----END PGP SIGNATURE-----
ey

iQCVAwUBOAyYbih9+71yA2DNAQGsMQP/ef4ZyF0U54gMUr6FPel1W7ffMR5WSPo2
5XyW4lQpUeTJMQiD4Cl8+B50ZSkVwVJ52C4IsAbkDd3CpOLXQZ/SGCrc4u4QHBCn
mQCxLDJbJ4Dhlr+0bfH17ZofhP6Q/qemYxHwoLy0Imt8XtigrwG+z+9FeVl7q2an
VKm1CvWqQDE=
=sp0T
-----END PGP SIGNATURE-----