             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                         Vulnerability in Linux wu-ftpd

June 26, 2000 17:00 GMT                                           Number K-054
______________________________________________________________________________
PROBLEM:       Due to improper implementation of the 'site exec' command, it
               is possible to execute arbitrary code.
PLATFORM:      Caldera:
                 OpenLinux Desktop 2.3 (with wu-ftpd-2.5.0-7 and prior)
                 OpenLinux eServer 2.3 (with wu-ftpd-2.5.0-7 and prior)
                 OpenLinux eBuilder 2.3 (with wu-ftpd-2.5.0-7 and prior)
                 OpenLinux eDesktop 2.4 (with wu-ftpd-2.5.0-7 and prior)
               Debian:
                 Debian GNU/Linux 2.1 (slink, potato and woody)
               Red Hat:
                 Red Hat Linux 5.2 - i386 alpha sparc
                 Red Hat Linux 6.2 - i386 alpha sparc
DAMAGE:        This vulnerability may allow local, remote and anonymous users
               to gain root privileges.
SOLUTION:      Immediately apply fixes as recommended in the advisory.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The vulnerability and exploit have been
ASSESSMENT:    discussed in public forums.
______________________________________________________________________________

[****** Start AusCERT Advisory ******]

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-2000.02                      AUSCERT Advisory
                      wu-ftpd "site exec" Vulnerability
                                 26 June 2000

Last Revised:   --
- ---------------------------------------------------------------------------

AusCERT has received information that there is a vulnerability in some
versions of wu-ftpd (up to and including 2.6.0) which run on various
platforms.

This vulnerability may allow local, remote and anonymous users to gain root
privileges.

Information about this vulnerability and an exploit has been made publicly
available.

AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------

1.  Description

    The wu-ftpd program provides file transfer protocol (FTP) services.

    Due to insufficient checking in the formatting of the "site exec"
    command, it is possible to coerce the wu-ftpd daemon to execute
    arbitrary code.

    Sites can determine if this program is installed by using:

        % ftp hostname

    and examining the output of the ftp login banner.

    If no version information appears on the login banner, or to verify
    that the information on the login banner is correct, log into the ftp
    server as normal, then issue the following command:

        ftp> quote stat

    All affected versions of the wu-ftpd daemon allow control over the
    information revealed in the initial login banner; however, they all
    return their version number in response to the ftp server "stat"
    command as shown above.

2.  Impact

    This vulnerability may allow local, remote and anonymous users to gain
    root privileges.

3.  Workarounds/Solution

    AusCERT recommends that sites prevent the exploitation of the
    vulnerability in wu-ftpd by immediately upgrading and applying the
    available patch as described in Section 3.2. Versions known to be
    vulnerable are listed in Section 3.1.

    If the functionality provided by wu-ftpd is not required at all, it is
    recommended that sites disable it on their systems.

3.1 Status of variants and versions of wu-ftpd likely to be affected.

    This vulnerability is known to be present on the following ftpd
    implementations:

    wu-ftpd:    Versions affected: wu-ftpd-2.6.0 (and prior versions)
                (See Section 3.2)

    Red Hat:    Versions affected: All present versions.
                Vendor patch is available. (See Section 3.3)

    Caldera:    Versions affected: All present versions.
                Vendor patch is available. (See Section 3.4)

    Debian:     Versions affected: All present versions.
                Vendor patch is available. (See Section 3.5)

3.2 Upgrade to latest wu-ftpd and apply patch.

    A patch to remove this vulnerability from the 2.6.0 release of wu-ftpd
    has been made available by the WU-FTPD Development Group. Sites should
    upgrade to the latest version of wu-ftpd (2.6.0) and apply this patch.

    The 2.6.0 release of wu-ftpd is available from:

        ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

    The security patch that needs to be applied to wu-ftpd 2.6.0 is
    available from:

        ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch

3.3 Upgrade to latest wu-ftpd Red Hat RPM.

    Red Hat have released updated versions of wu-ftpd which address this
    vulnerability. More information (including RPMs) can be found at:

        http://www.redhat.com/support/errata/RHSA-2000-039-02.html

    The RPMs they have made available contain the patch mentioned in
    section 3.2.

3.4 Upgrade to latest wu-ftpd Caldera RPM.

    Caldera have released updated versions of wu-ftpd which address this
    vulnerability. More information (including RPMs) can be found at:

        ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt

    The RPMs they have made available contain the patch mentioned in
    section 3.2.

3.5 Upgrade to latest wu-ftpd Debian package.

    Debian have released updated versions of wu-ftpd which address this
    vulnerability. More information (including packages) can be found at:

        http://www.debian.org/security/2000/20000623

    The packages they have made available contain the patch mentioned in
    section 3.2.
- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                The University of Queensland
                Brisbane
                Qld 4072
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOVeGxyh9+71yA2DNAQE8swP7BKpCEejbWGtLhvZ+kGZgY9CQL10IwXH7
Fxx2QR1UpsKtNBscsShO5rhQ7OoImJ+ND/K/MtuIofP1VSv1DsifIVbftfPX/v0A
ZQufcQQTlvX49WfpZAMuhb/QZGw8tGAgoWsATBbH+e1VHEZjm5LZ8IbEokqzpWVU
PWfyyEx5+38=
=8Js6
-----END PGP SIGNATURE-----

[****** End AusCERT Advisory ******]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of AusCERT for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy (DOE)
and the emergency backup response team for the National Institutes of
Health (NIH). CIAC is located at the Lawrence Livermore National
Laboratory in Livermore, California. CIAC is also a founding member of
FIRST, the Forum of Incident Response and Security Teams, a global
organization established to foster cooperation and coordination among
computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:

    1.  Call the CIAC voice number 925-422-8193 and leave a message, or

    2.  Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3.  Send e-mail to 4498369@skytel.com, or

    4.  Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-043: Buffer Overrun Vulnerabilities in Kerberos
K-044: Microsoft: Vulnerabilities in Internet Explorer
K-045: SGI Vulnerability in infosrch.cgi
K-046: 386-BSD Based Operating Systems - IPCS Vulnerability
K-048: Permissions Problems with FrontPage Extensions
K-049: Microsoft IE "SSL Certificate Validation" Vulnerability
K-050: NXT BIND 8.2.x Overflow Vulnerability
K-051: DoS Vulnerabilities in Kerberos 4 KDC Programs
K-052: AIX cdmount Vulnerability
K-053: Linux setuid Kernel Fix
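The version check in Section 1 of the AusCERT advisory above (read the login banner, and if the banner hides the version, log in and issue "quote stat") is easy to run by hand on one host and tedious across an estate. The following Python script automates it for inventory purposes. It is an added example, not code from the CIAC bulletin, AusCERT or the wu-ftpd project. It assumes the standard wu-ftpd self-description "Version wu-X.Y.Z(n)" in both the 220 banner and the STAT reply, that anonymous login is permitted for the STAT step, and that host names are given on the command line; the sample replies, the host ftp.example.test, the password audit@example.test and all function names are the example's own constructions.

```python
import re
import socket
import sys
from typing import Callable, Optional, Tuple

# Last wu-ftpd release the advisory lists as affected (Section 3.1).
LAST_AFFECTED = (2, 6, 0)

# wu-ftpd announces "Version wu-2.6.0(1) <build date>" in both the 220 banner
# and the STAT reply (assumed format); the "(1)" build suffix is not needed.
VERSION_RE = re.compile(r"Version\s+wu-(\d+)\.(\d+)\.(\d+)")

# Constructed sample replies (not captured from a real host).
SAMPLE_BANNER = ("220 ftp.example.test FTP server (Version wu-2.6.0(1) "
                 "Mon Feb 28 10:30:36 EST 2000) ready.\r\n")
SAMPLE_STAT = ("211-ftp.example.test FTP server status:\r\n"
               "     Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999\r\n"
               "     Connected to 192.0.2.10\r\n"
               "     Logged in anonymously\r\n"
               "211 End of status\r\n"
               "215 UNIX Type: L8\r\n")  # a later reply that must stay unread


def parse_wuftpd_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a banner or STAT reply; None if absent."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify_version(version: Optional[Tuple[int, int, int]]) -> str:
    """Map a version onto the advisory's affected range (2.6.0 and earlier).

    A vendor package carrying the lreply-buffer-overflow patch still reports
    2.6.0 or older, so an in-range version means "affected unless the vendor
    package is installed"; confirm that from package metadata, not the banner.
    """
    if version is None:
        return "unknown"
    if version <= LAST_AFFECTED:
        return "affected-unless-patched"
    return "not-listed"


def read_reply(readline: Callable[[], str]) -> str:
    """Read exactly one FTP reply (single- or multi-line, RFC 959) and return it."""
    first = readline()
    if not first:
        raise ConnectionError("server closed the connection")
    lines, code = [first], first[:3]
    # A multi-line reply opens with "NNN-" and ends at the line "NNN <text>".
    if first[3:4] == "-":
        while True:
            line = readline()
            if not line:
                break
            lines.append(line)
            if line.startswith(code + " "):
                break
    return "".join(lines)


def lines_reader(text: str) -> Callable[[], str]:
    """Wrap a captured reply string as a readline() callable for offline parsing."""
    parts = iter(text.splitlines(keepends=True))

    def readline() -> str:
        return next(parts, "")
    return readline


def check_host(host: str, port: int = 21, user: str = "anonymous",
               password: str = "audit@example.test", timeout: float = 10.0):
    """Run the advisory's procedure against one host; return (version, finding)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")

        def readline() -> str:
            return f.readline().decode("latin-1", errors="replace")

        def send(cmd: str) -> str:
            f.write((cmd + "\r\n").encode("latin-1"))
            f.flush()
            return read_reply(readline)

        version = parse_wuftpd_version(read_reply(readline))  # 220 login banner
        if version is None:
            # Banner gives nothing away: log in and ask via STAT ("quote stat").
            send("USER " + user)
            send("PASS " + password)
            version = parse_wuftpd_version(send("STAT"))
        send("QUIT")
    return version, classify_version(version)


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no hosts given: demonstrate on the constructed samples
        print("banner:", classify_version(parse_wuftpd_version(SAMPLE_BANNER)))
        stat = read_reply(lines_reader(SAMPLE_STAT))
        print("stat:  ", classify_version(parse_wuftpd_version(stat)))
    for target in sys.argv[1:]:
        ver, finding = check_host(target)
        print(target, ".".join(map(str, ver)) if ver else "?", finding)
```

Run it with no arguments to see the parser applied to the constructed samples, or with one or more host names to check servers you administer. Because the vendor RPMs and Debian packages in Sections 3.3 to 3.5 carry the patch without changing the 2.6.0 version string, an "affected-unless-patched" result is a prompt to confirm the installed package version against the vendor's errata page, not a confirmed exposure; "unknown" means neither the banner nor STAT revealed a wu-ftpd version and the host needs inspecting directly.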