Vulnerability Note VU#639760
WU-FTPD configured to use RFC 931 authentication running in debug mode contains format string vulnerability
WU-FTPD contains a format string vulnerability that manifests when WU-FTPD is configured to use RFC 931 authentication and is run in debug mode. A crafted identd response could be used to execute arbitrary code on a vulnerable server.
A format string vulnerability exists in the Washington University FTP daemon, WU-FTPD. WU-FTPD is a widely deployed FTP daemon that runs on UNIX and Linux systems and is included in a number of distributions. WU-FTPD can be compiled to use RFC 931 authentication using the '--enable-rfc931' configuration option, in which the server requests user information from the ident daemon running on an FTP client host. Note that RFC 1413 (Identification Protocol) obsoletes RFC 931 (Authentication Server). WU-FTPD can also be run in debugging mode using the '-d' option. Under these conditions, WU-FTPD logs connection information using syslog(3) calls without providing format string specifiers or adequately validating client identd responses. As a result, a crafted identd response containing user-supplied format string specifiers is interpreted by syslog(3), possibly overwriting arbitrary locations in memory. By carefully designing such a request an attacker may execute arbitrary code with the privileges of WU-FTPD.
This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. The intruder must also be able to control the response of the auth or ident daemon. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.
A remote attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.
Disable RFC 931 Authentication
Do not run WU-FTPD configured with '--enable-RFC931'.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Conectiva||Affected||-||04 Dec 2001|
|Debian||Affected||27 Nov 2001||04 Dec 2001|
|WU-FTPD Development Group||Affected||22 Nov 2001||30 Nov 2001|
|Fujitsu||Not Affected||27 Nov 2001||30 Nov 2001|
|NcFTP Software||Not Affected||27 Nov 2001||30 Nov 2001|
|SGI||Not Affected||27 Nov 2001||27 Nov 2001|
|Sun||Not Affected||27 Nov 2001||30 Nov 2001|
|Caldera||Unknown||27 Nov 2001||04 Dec 2001|
CVSS Metrics (Learn More)
The CERT Coordination thanks INTEXXIA for bringing this matter to our attention.
This document was written by Art Manion.
- CVE IDs: CVE-2001-0187
- Date Public: 23 Jan 2001
- Date First Published: 29 Nov 2001
- Date Last Updated: 17 Dec 2001
- Severity Metric: 14.59
- Document Revision: 19
If you have feedback, comments, or additional information about this vulnerability, please send us email.