WU-FTPD allows remote code execution with special SITE EXEC commands
wuftp-format-string-stack-overwrite (4773)
Description:
Washington University's WU-FTPD could allow an attacker to execute arbitrary commands on the system as root over a local, remote, or anonymous FTP session. Due to insufficient input validation, an attacker can send a specially crafted string to the SITE EXEC command to overwrite data on the stack, such as the return address. By including executable code in the string, the attacker could execute this code on the server as root.
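The class of bug described above, shown as an added example that is not WU-FTPD source code: a printf-style reply helper called with client text as the format string, next to the corrected call that passes the text as data. The names `reply`, `site_exec_echo_vulnerable` and `site_exec_echo_fixed` are hypothetical, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style FTP reply helper (assumption,
 * not WU-FTPD code). Writes "<code>-<text>" into out, returns its length. */
static int reply(char *out, size_t n, int code, const char *fmt, ...)
{
    va_list ap;
    int off = snprintf(out, n, "%d-", code);
    if (off < 0 || (size_t)off >= n)
        return -1;
    va_start(ap, fmt);
    int len = vsnprintf(out + off, n - (size_t)off, fmt, ap);
    va_end(ap);
    return len < 0 ? -1 : off + len;
}

/* Vulnerable pattern: the client's text is handed over as the format
 * string, so any conversion directive in it is interpreted by the
 * formatter instead of being echoed back. */
static int site_exec_echo_vulnerable(char *out, size_t n, const char *client_text)
{
    return reply(out, n, 200, client_text);
}

/* Corrected pattern: the format string is a constant and the client's
 * text is only ever an argument to %s. */
static int site_exec_echo_fixed(char *out, size_t n, const char *client_text)
{
    return reply(out, n, 200, "%s", client_text);
}

int main(void)
{
    /* Constructed input. "%%" is the one directive that consumes no
     * argument, so both calls are well defined, yet the vulnerable
     * path visibly rewrites the text while the fixed path does not. */
    const char *input = "ls 100%%";
    char a[64], b[64];
    site_exec_echo_vulnerable(a, sizeof a, input);
    site_exec_echo_fixed(b, sizeof b, input);
    printf("vulnerable: %s\nfixed:      %s\n", a, b);
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` and declaring such helpers with the GCC/Clang `format(printf, ...)` attribute makes the compiler flag calls of the vulnerable shape.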
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of WU-FTPD (2.6.1 or later), available from the WU-FTPD Development Group Web site. See References.
For Conectiva Linux:
Upgrade to the latest version of WU-FTPD (2.6.0-10 or later), as listed in Conectiva Linux Security Announcement - WU-FTPD. See References.
For Caldera OpenLinux:
Upgrade to the latest version of WU-FTPD (2.5.0-7 or later), as listed in Caldera Systems, Inc. Security Advisory CSSA-2000-020.0. See References.
For Debian Linux:
Upgrade to the latest version of WU-FTPD (2.4.2.16-13.1 or later for slink, and 2.6.0-5.1 or later for potato and woody), as listed in Debian Security Advisory 20000623. See References.
For FreeBSD:
Upgrade to the latest version of WU-FTPD (2.6.0 dated 2000-06-24 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-00:29. See References.
For Red Hat Linux 5.2:
Upgrade to the latest version of WU-FTPD (2.6.0-2.5.x or later), as listed in RHSA-2000:039-02. See References.
For Red Hat Linux 6.2:
Upgrade to the latest version of WU-FTPD (2.6.0-14.6x or later), as listed in RHSA-2000:039-02. See References.
For SuSE Linux:
Upgrade to the latest version of WU-FTPD (2.6.0-121 or -122 or later), as listed in SuSE Security Announcement 27.06.2000. See References.
For Mandrake Linux:
Upgrade to the latest version of WU-FTPD (2.6.0-7 or later), as listed in Mandrake-Linux Updates. See References.
For OpenBSD:
Apply the 019_ftpd.patch, as listed in OpenBSD Security Advisory, July 5, 2000. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- AusCERT Advisory AA-2000.02: wu-ftpd "site exec" Vulnerability.
- BugTraq Mailing List, Fri Jul 07 2000 - 13:43:35 CDT: New Released Version of the WuFTPD Sploit.
- BugTraq Mailing List, Fri Jun 23 2000 - 04:18:22 CDT: ftpd: the advisory version.
- Caldera International, Inc. Security Advisory CSSA-2000-020.0: wu-ftpd vulnerability.
- CERT Advisory CA-2000-13: Two Input Validation Problems In FTPD.
- CIAC Information Bulletin K-054: Vulnerability in Linux wu-ftpd.
- Conectiva Linux Announcement CLSA-2000:232: wu-ftpd.
- Debian Security Advisory 20000623: wu-ftp: remote root exploit in wu-ftp.
- FreeBSD Security Advisory FreeBSD-SA-00:29: wu-ftpd port contains remote root compromise [REVISED].
- MandrakeSoft Web site: Linux-Mandrake Updates.
- OpenBSD Security Advisory, July 5, 2000: Just like pretty much all the other unix ftp daemons on the planet, ftpd had a remote root hole in it.
- RHSA-2000:039-02: wu-ftpd.
- SGI Security Advisory 20000701-01-I: Two Input Validation Vulnerabilities in ftpd.
- SuSE Security Announcement #53: wuftpd < 2.6.0-121.
- BID-1387: Wu-Ftpd Remote Format String Stack Overwrite Vulnerability
- BID-1505: HP-UX 11.0 ftpd SITE EXEC Format String Vulnerability
- CVE-2000-0573: The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.
- US-CERT VU#29823: Format string input validation error in wu-ftpd site_exec() function
Platforms Affected:
- Washington University WU-FTPD 2.4
- Washington University WU-FTPD 2.4.1
- Washington University WU-FTPD 2.5
- Washington University WU-FTPD 2.6.0
Reported:
Jun 22, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
