Vulnerability Note VU#29823

Format string input validation error in wu-ftpd site_exec() function

Original Release date: 02 Oct 2000 | Last revised: 19 Feb 2001

Overview

A vulnerability involving an input validation error in the "site exec" command has recently been identified in the Washington University ftpd (wu-ftpd) software package. Sites running affected systems are advised to update their wu-ftpd software as soon as possible.

A similar but distinct vulnerability has also been identified that involves a missing format string in several setproctitle() calls. It affects a broader number of ftp daemons. Please see the vendor section of this document for specific information about the status of specific ftpd implementations and solutions.

Description

"Site exec" Vulnerability


A vulnerability has been identified in wu-ftpd and other ftp daemons based on the wu-ftpd source code. Wu-ftpd is a common package used to provide file transfer protocol (ftp) services. This vulnerability is being discussed as the wu-ftpd "site exec" or "lreply" vulnerability in various public forums. Incidents involving the exploitation of this vulnerability which enables remote users to gain root privileges have been reported to the CERT Coordination Center.

The problem is described in AUSCERT Advisory AA-2000.02, "wu-ftpd 'site exec' Vulnerability," which is available from


The wu-ftpd "site exec" vulnerability is the result of missing character-formatting argument in several function calls that implement the "site exec" command functionality. Normally if "site exec" is enabled, a user logged into an ftp server (including the 'ftp' or 'anonymous' user) may execute a restricted subset of quoted commands on the server itself. However, if a malicious user can pass character format strings consisting of carefully constructed *printf() conversion characters (%f, %p, %n, etc) while executing a "site exec" command, the ftp daemon may be tricked into executing arbitrary code as root.

The "site exec" vulnerability appears to have been in the wu-ftpd code since the original wu-ftpd 2.0 came out in 1993. Any vendors who have based their own ftpd distributions on this vulnerable code are also likely to be vulnerable.

The vulnerability appears to be exploitable if a local user account can be used for ftp login. Also, if the "site exec" command functionality is enabled, then anonymous ftp login allows sufficient access for an attack.

setproctitle() Vulnerability

A separate vulnerability involving a missing character-formatting argument in setproctitle(), a call which sets the string used to display process identifier information, is also present in wu-ftpd. Other ftpd implementations have been found to have vulnerable setproctitle() calls as well, including those from proftpd and OpenBSD.

The setproctitle() vulnerability appears to have been present in various ftpd implementations since at least BSD ftpd 5.51 (which predates wuarchive-ftpd 1.0). It has also been confirmed to be present in BSD ftpd 5.60 (the final BSD release). Any vendors who have based their own ftpd distributions on this vulnerable code are also likely to be vulnerable.

It should be noted that many operating systems do not support setproctitle() calls. However, other software engineering defects involving the same type of missing character-formatting argument may be present.

Intruder Activity

One possible indication you are being attacked with either of these vulnerabilities may be the appearance of syslog entries similar to the following:

    Jul  4 17:43:25 victim ftpd[3408]: USER ftp
    Jul  4 17:43:25 victim ftpd[3408]: PASS [malicious shellcode]
    Jul  4 17:43:26 victim ftpd[3408]: ANONYMOUS FTP LOGIN FROM
    attacker.example.com [10.29.23.19], [malicious shellcode]
    Jul  4 17:43:28 victim-site ftpd[3408]: SITE EXEC (lines: 0):
    %.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%
    .f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
    f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
    %.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%
    .f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
    f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
    %.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%c%c%c%.f|%p
    Jul  4 17:43:28 victim ftpd[3408]: FTP session closed

Details and exploits for both the "site exec" and setproctitle() vulnerabilities have been posted in various public forums. Please see
The CERT/CC has received reports of both of these vulnerabilities being successfully exploited on the Internet. Please check our Current Activity page for updates regarding intruder activity involving these vulnerabilities.

Impact

By exploiting any of these input validation problems, local or remote users logged into the ftp daemon may be able execute arbitrary code as root. An anonymous ftp user may also be able to execute arbitrary code as root.

Solution

Upgrade your version of ftpd
Please see the vendors records in this vulnerability note for more information about the availability of updated ftpd packages specific for your system.

Apply a patch from your vendor
If you are running vulnerable ftpd implementations and cannot upgrade, you need to apply the appropriate vendor patches and recompile and/or reinstall the ftpd server software.

The vendor section of this document contains information provided by vendors. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Disable ftp services
If neither an upgrade nor a patch can be applied, the CERT/CC recommends disabling all vulnerable wu-ftpd and proftpd servers. While disabling "site exec" command functionality or anonymous ftp access minimizes exposure to the "site exec" vulnerability, neither is a complete solution and may not mitigate against the risks involved with exposure to the setproctitle() vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
ConectivaAffected-11 Oct 2000
DebianAffected-11 Oct 2000
Hewlett PackardAffected-11 Oct 2000
NetBSDAffected-11 Oct 2000
OpenBSDAffected-11 Oct 2000
Washington UniversityAffected-11 Oct 2000
BSDINot Affected-11 Oct 2000
FreeBSDNot Affected-11 Oct 2000
FujitsuNot Affected-11 Oct 2000
MicrosoftNot Affected-11 Oct 2000
Porcupine.orgNot Affected-11 Oct 2000
SGINot Affected-11 Oct 2000
SunNot Affected-11 Oct 2000
CalderaUnknown-11 Oct 2000
Compaq Computer CorporationUnknown-11 Oct 2000
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT Coordination Center thanks Gregory Lundberg and Theo de Raadt for their help in developing this document.

This document was written by Jeff S Havrilla.

Other Information

  • CVE IDs: CAN-2000-0573
  • CERT Advisory: CA-2000-13
  • Date Public: 23 Jun 2000
  • Date First Published: 02 Oct 2000
  • Date Last Updated: 19 Feb 2001
  • Severity Metric: 87.72
  • Document Revision: 7

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.