US-CERT
Vulnerability Notes Database


Vulnerability Note VU#639760

WU-FTPD configured to use RFC 931 authentication running in debug mode contains format string vulnerability

Overview

WU-FTPD contains a format string vulnerability that manifests when WU-FTPD is configured to use RFC 931 authentication and is run in debug mode. A crafted identd response could be used to execute arbitrary code on a vulnerable server.

I. Description

A format string vulnerability exists in the Washington University FTP daemon, WU-FTPD. WU-FTPD is a widely deployed FTP daemon that runs on UNIX and Linux systems and is included in a number of distributions. WU-FTPD can be compiled to use RFC 931 authentication using the '--enable-rfc931' configuration option, in which case the server requests user information from the ident daemon running on an FTP client host. Note that RFC 1413 (Identification Protocol) obsoletes RFC 931 (Authentication Server). WU-FTPD can also be run in debugging mode using the '-d' option.

Under these conditions, WU-FTPD logs connection information using syslog(3) calls without providing format string specifiers or adequately validating client identd responses. As a result, a crafted identd response containing user-supplied format string specifiers is interpreted by syslog(3), possibly overwriting arbitrary locations in memory. By carefully designing such a response, an attacker may execute arbitrary code with the privileges of WU-FTPD.

This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. The intruder must also be able to control the response of the auth or ident daemon. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.

Note that this vulnerability does not manifest unless WU-FTPD is configured to use RFC 931 style authentication and is run in debug mode.
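
The logging flaw described above, reduced to a small C sketch (an added example, not WU-FTPD source and not the vendor patch). The names fake_syslog, log_ident_vulnerable, log_ident_fixed and ident_is_plain are hypothetical, and the constructed sample uses the harmless `%%` directive so the difference between the two call patterns is observable with defined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): same (priority, format, ...) shape, but it formats
 * into a buffer so the logged line can be inspected. Hypothetical helper. */
static char log_line[256];

static void fake_syslog(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(log_line, sizeof log_line, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: text from the remote ident daemon is the format string,
 * so any '%' directive in it is interpreted by the formatter. */
const char *log_ident_vulnerable(const char *ident_user)
{
    fake_syslog(6, ident_user);
    return log_line;
}

/* Fixed pattern: constant format string; remote text is only an argument. */
const char *log_ident_fixed(const char *ident_user)
{
    fake_syslog(6, "%s", ident_user);
    return log_line;
}

/* Defense in depth: reject ident text containing '%' or control bytes. */
int ident_is_plain(const char *ident_user)
{
    for (const unsigned char *p = (const unsigned char *)ident_user; *p; p++)
        if (*p == '%' || *p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

int main(void)
{
    const char *sample = "guest%%";   /* constructed ident user field */
    printf("vulnerable: [%s]\n", log_ident_vulnerable(sample));
    printf("fixed:      [%s]\n", log_ident_fixed(sample));
    printf("plain text? %d\n", ident_is_plain(sample));
    return 0;
}
```

The vulnerable call logs a line that differs from the input because the formatter consumed a directive; the fixed call logs the input byte for byte.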

II. Impact

A remote attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.

III. Solution

Apply Patch

Apply the appropriate patch supplied by your vendor. Alternatively, apply the patch provided by WU-FTPD:

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch

Disable RFC 931 Authentication
Do not run WU-FTPD configured with '--enable-rfc931'.

Disable Debug Mode
Do not run WU-FTPD with the '-d' option.

Block or Restrict Access
Block or restrict access to the port used by WU-FTPD, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPD. Note that potential exploit strings would be transmitted from 113/tcp on clients to the WU-FTPD server that requested RFC 931 authentication.

Disable Vulnerable Service
Disable WU-FTPD until a patch can be applied.

Systems Affected

Vendor                      Status          Date Updated
Caldera                     Unknown         4-Dec-2001
Conectiva                   Vulnerable      4-Dec-2001
Debian                      Vulnerable      4-Dec-2001
Fujitsu                     Not Vulnerable  30-Nov-2001
NcFTP Software              Not Vulnerable  30-Nov-2001
SGI                         Not Vulnerable  27-Nov-2001
Sun                         Not Vulnerable  30-Nov-2001
WU-FTPD Development Group   Vulnerable      30-Nov-2001

References


ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch
http://www.debian.org/security/2001/dsa-016
http://www.securityfocus.com/bid/2296

Credit

The CERT Coordination Center thanks INTEXXIA for bringing this matter to our attention.

This document was written by Art Manion.

Other Information

Date Public: 01/23/2001
Date First Published: 11/29/2001 02:58:04 AM
Date Last Updated: 12/17/2001
CERT Advisory:
CVE Name: CVE-2001-0187
US-CERT Technical Alerts:
Metric: 14.59
Document Revision: 19

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2001 Carnegie Mellon University