Security Flaws in Popular FTP Daemon Exposed

 
 
By Dennis Fisher  |  Posted 2001-11-30
 
 
 

The Washington University FTP daemon (WU-FTPD), which is packaged as a part of numerous Linux and Unix distributions, has two serious security flaws that enable a remote attacker to gain root privileges on vulnerable machines.

The two weaknesses in versions 2.5.0, 2.6.0 and 2.6.1 of the server have been the subject of much discussion in the last few days on security mailing lists and Web sites and an exploit for one of the flaws has been making the rounds as well.

The most serious vulnerability—and the one for which there is a published exploit—involves the manner in which the "glob" function in WU-FTPD handles error conditions when it receives commands containing certain strings of characters. When it encounters such a string, the glob code fails to return a proper error condition and enables the function that called it to proceed.

This, in turn, frees up unallocated memory in the heap which may contain user-supplied data, according to an advisory issued by the CERT Coordination Center. If attackers can put addresses and commands in the right places on the heap using FTP commands, they can execute arbitrary code with the privileges of the WU-FTPD, which is typically root.

The flaw is exploitable remotely by any attacker who can establish an account, including anonymous ones, on the FTP server.

There is also a format string vulnerability in WU-FTPD servers running in debug mode and configured to use the RFC 931 Authentication Server Protocol.

This flaw enables an attacker to create a special response to an authentication request from the server, which could overwrite arbitrary memory locations.

"By carefully designing such a request, an attacker may execute arbitrary code with the privileges of WU-FTPD," the CERT advisory warns.

The list of vulnerable Linux distributions is long and can be found in the CERT advisory at var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-2464436-1']); _gaq.push(['_setDomainName', 'none']); _gaq.push(['_setAllowLinker', true]); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); Rocket Fuel