WU-FTPD glob function error handling heap corruption

wuftp-glob-heap-corruption (7611)

High Risk

Description:

Washington University's FTP daemon (WU-FTPD) could allow a remote attacker to cause a heap corruption, caused by a vulnerability in the glob function. The glob function fails to properly signal an error to its caller and the ftpglob function fails to set the globerr variable under certain situations. A remote attacker can send to the FTP server a command followed by the tilde and open bracket characters (~{) to cause the corruption of process memory space, which would allow the execution of arbitrary code on the system with root privileges. In order to exploit this vulnerability, the attacker must have a valid FTP account, or the FTP server must be configured to allow anonymous logins.

Platforms Affected:

• Conectiva, Linux 5.0
• Conectiva, Linux 5.1
• Conectiva, Linux 6.0
• Conectiva, Linux 7.0
• Conectiva, Linux ecommerce
• Conectiva, Linux prg_graficos
• David Madore, FTPd-BSD 0.3.2
• David Madore, FTPd-BSD 0.3.3
• Debian, Debian Linux 2.2
• FreeBSD, FreeBSD Ports Collection
• Immunix, Immunix OS 7.0
• MandrakeSoft, Mandrake Linux 7.1
• MandrakeSoft, Mandrake Linux 7.2
• MandrakeSoft, Mandrake Linux 8.0
• MandrakeSoft, Mandrake Linux 8.1
• MandrakeSoft, Mandrake Linux Corporate Server 1.0.1
• RedHat, Linux 6.2
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• SCO, Caldera OpenLinux 2.3
• SCO, Caldera OpenLinux eBuilder
• SCO, Caldera OpenLinux eDesktop 2.4
• SCO, Caldera OpenLinux eServer 2.3.1
• SCO, Caldera OpenLinux Server 3.1
• SCO, Caldera OpenServer 5.0.6a and prior
• SCO, Caldera OpenUnix 8.0.0
• SCO, Caldera UnixWare 7
• SuSE, SuSE Linux 6.3
• SuSE, SuSE Linux 6.4
• SuSE, SuSE Linux 7.0
• SuSE, SuSE Linux 7.1
• SuSE, SuSE Linux 7.2
• SuSE, SuSE Linux 7.3
• Washington University, WU-FTPD 2.5
• Washington University, WU-FTPD 2.6.0
• Washington University, WU-FTPD 2.6.1

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
WuftpGlobHeapCorruption
wuftp-glob-heap-corruption

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
FTP_Glob_TildeBrace_Vulns

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 21

For Manual Protection:

For Red Hat Linux 6.2:
Upgrade to the latest version of wu-ftpd (2.6.1-0.6x.21 or later), as listed in Red Hat Linux Errata Advisory RHSA-2001:157-06. See References.

For Red Hat Linux 7.0 and 7.1:
Upgrade to the latest version of wu-ftpd (2.6.1-16.7x.1 or later), as listed in Red Hat Linux Errata Advisory RHSA-2001:157-06. See References.

For Red Hat Linux 7.2:
Upgrade to the latest version of wu-ftpd (2.6.1-20 or later), as listed in Red Hat Linux Errata Advisory RHSA-2001:157-06. See References.

For Caldera OpenLinux 2.3, eServer 2.3.1, eDesktop 2.4, and eBuilder:
Upgrade to the latest version of wu-ftpd (2.6.1-13OL or later), as listed in Caldera International, Inc. Security Advisory CSSA-2001-041.0. See References.

For Caldera OpenLinux Server 3.1:
Upgrade to the latest version of wu-ftpd (2.6.1-13 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2001-041.0. See References.

For Immunix OS 7.0:
Upgrade to the latest version of wu-ftpd (2.6.1-6_imnx_4 or later), as listed in Immunix OS Security Advisory IMNX-2001-70-036-01. See References.

For SuSE Linux 6.3 (Intel Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-347 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 6.4, 7.0, 7.2, and 7.3 (Intel Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-344 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 7.1 (Intel Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-346 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 7.0 (Sparc Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-241 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 7.1 (Sparc Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-242 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 7.3 (Sparc Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-240 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 6.3 (AXP Alpha Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-250 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 6.4 and 7.0 (AXP Alpha Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-251 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 7.1 (AXP Alpha Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-252 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 6.4 (PPC Power PC Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-278 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 7.0 (PPC Power PC Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-279 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For SuSE Linux 7.1 and 7.3 (PPC Power PC Platform):
Upgrade to the latest version of wu-ftpd (2.6.0-277 or later), as listed in SuSE Security Announcement SuSE-SA:2001:043. See References.

For Conectiva Linux 5.0, prg graficos, and ecommerce:
Upgrade to the latest version of wu-ftpd (2.6.1-6U50 or later), as listed in Conectiva Linux Security Announcement CLA-2001:442. See References.

For Conectiva Linux 5.1:
Upgrade to the latest version of wu-ftpd (2.6.1-6U51 or later), as listed in Conectiva Linux Security Announcement CLA-2001:442. See References.

For Conectiva Linux 6.0:
Upgrade to the latest version of wu-ftpd (2.6.1-6U60 or later), as listed in Conectiva Linux Security Announcement CLA-2001:442. See References.

For Conectiva Linux 7.0:
Upgrade to the latest version of wu-ftpd (2.6.1-6U70 or later), as listed in Conectiva Linux Security Announcement CLA-2001:442. See References.

For Mandrake Linux 7.1 and Corporate Server 1.0.1:
Upgrade to the latest version of wu-ftpd (2.6.1-8.7mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:090 : wu-ftpd. See References.

For Mandrake Linux 7.2:
Upgrade to the latest version of wu-ftpd (2.6.1-8.8mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:090 : wu-ftpd. See References.

For Mandrake Linux 8.0 and 8.1:
Upgrade to the latest version of wu-ftpd (2.6.1-11.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:090 : wu-ftpd. See References.

For Caldera UnixWare 7 and OpenUnix 8.0.0:
Apply the appropriate patch for your system, as listed in Caldera International, Inc. Security Advisory CSSA-2001-SCO.36.2 See References.

For Debian GNU/Linux 2.2:
Upgrade to the latest version of wu-ftpd (2.6.0-6 or later), as listed in DSA-087-1. See References.

For Caldera OpenServer 5.0.6a:
Apply the appropriate fixed binaries for your system, as listed in Caldera International, Inc. Security Advisory CSSA-2002-SCO.1. See References.

For FreeBSD Ports Collection prior to 2001-11-28:
Upgrade to the latest wu-ftpd package (2.6.1_7 or later) as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:64. See References.

For other distributions:
Contact your vendor for patch or upgrade information.

Consequences:

Gain Privileges

References:

• BugTraq Mailing List, Wed Nov 28 2001 - 11:05:28 CST, *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability at http://archives.neohapsis.com/archives/bugtraq/2001-11/0232.html.
• BugTraq Mailing List, Wed Nov 28 2001 - 17:59:45 CST, WU-FTPD 2.6.1 diff glob.c patch at http://archives.neohapsis.com/archives/bugtraq/2001-11/0253.html.
• Caldera International, Inc. Security Advisory CSSA-2001-041.0, Linux - Vulnerability in wu-ftpd at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2001-041.0.txt.
• Caldera International, Inc. Security Advisory CSSA-2001-SCO.36.2, REVISED: Open UNIX, UnixWare 7: wu-ftpd ftpglob() vulnerability at ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.36.2/CSSA-2001-SCO.36.2.txt.
• Caldera International, Inc. Security Advisory CSSA-2002-SCO.1, OpenServer: wu-ftpd ftpglob() vulnerability at ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.1/CSSA-2002-SCO.1.txt.
• CERT Advisory CA-2001-33, Multiple Vulnerabilities in WU-FTPD at http://www.cert.org/advisories/CA-2001-33.html.
• CIAC Information Bulletin M-023, Multiple Vendor wu-ftdp File Globbing Heap Corruption Vulnerability at http://www.ciac.org/ciac/bulletins/m-023.shtml.
• Conectiva Linux Announcement CLSA-2001:442, wu-ftpd at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000442.
• CORE SECURITY TECHNOLOGIES CORE-20011001, WU-FTPD Improper Ftpglob Error Handling Vulnerability at http://www.corest.com/common/showdoc.php?idx=172&idxseccion=10.
• FreeBSD Security Advisory FreeBSD-SA-01:64, wu-ftpd port contains remote root compromise at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:64.wu-ftpd.asc.
• Hewlett-Packard Company Security Bulletin HPSBUX0107-162, Security Vulnerability in ftpd and ftp at http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0003.html. (From Neohapsis archive)
• Immunix OS Security Advisory IMNX-2001-70-036-01, wu-ftpd at http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-036-01.
• Internet Security Systems Security Alert #103, WU-FTPD Heap Corruption Vulnerability at http://www.iss.net/xforce/alerts/id/advise103.
• National Infrastructure Protection Center Advisory 01-027, "Significant Vulnerability Identified In Common Linux File Transport Protocol Program" at http://www.nipc.gov/warnings/advisories/2001/01-027.htm.
• SuSE Security Announcement SuSE-SA:2001:043, wuftpd at http://archives.neohapsis.com/archives/bugtraq/2001-11/0246.html.
• Vuln-Dev Mailing List, 2001-05-01 1:00:20, some ftpd implementations mishandle CWD ~{ at http://marc.theaimsgroup.com/?l=vuln-dev&m=98868721826475&w=2.
• WU-FTPD Web site, WU-FTPD Development Group at http://www.wu-ftpd.org/.
• BID-3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability
• CVE-2001-0550: wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a ~{ argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).
• CVE-2001-0935: Vulnerability in wu-ftpd 2.6.0, and possibly earlier versions, which is unrelated to the ftpglob bug described in CVE-2001-0550.
• DSA-087: wu-ftpd -- remote root exploit
• MDKSA-2001:090: Updated wu-ftpd packages fix potential remote root compromise
• RHSA-2001-157: Updated wu-ftpd packages are available
• US-CERT VU#886083: WU-FTPD does not properly handle file name globbing

Reported:

Nov 27, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page