Vulnerability Note VU#886083

WU-FTPD does not properly handle file name globbing

Original Release date: 28 Nov 2001 | Last revised: 28 Mar 2002

Overview

SecurityFocus and CORE Security Technologies have reported a vulnerability in WU-FTPD. WU-FTPD does not handle file name globbing properly and may allow an attacker to execute arbitrary code. WU-FTPD is a widely-used FTP daemon that is included in many UNIX and Linux distributions. This vulnerability was discussed on SecurityFocus' vuln-dev mailing list in April 2001.

Description

The CERT Coordination Center has received a report from SecurityFocus and CORE Security Technologies about a remote code execution vulnerability in the Washington University FTP daemon, WU-FTPD. The vulnerability manifests in WU-FTPD's handling of file name globbing. The problem is not a typical buffer overflow or format string vulnerability, but a combination of two bugs: WU-FTPD's globbing code does not properly return an error condition when interpreting the string '~{', and later frees memory which may contain user-supplied data.

When certain characters are encountered in the file name argument to an FTP command issued by a client, WU-FTPD calls its globbing code, which is implemented in glob.c. The globbing code should parse the argument string, set a variable if it encounters an error condition, and return a pointer to the expanded glob expression. The function that calls glob.c eventually uses free() to free the memory allocated to hold the expanded glob expression. A problem occurs when the globbing code fails to recognize the string '~{' as a malformed argument and does not set the error variable. The pointer returned by the globbing code references memory on the heap that contains arbitrary data instead of the expanded glob expression. If an attacker can place code of their choice in the right position on the heap, WU-FTPD may execute that code when freeing the memory referenced by the pointer that was returned by the globbing code.
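The error contract described above, written in its hardened form as an added example; this is not WU-FTPD's glob.c or code from CERT. The names expand_arg, braces_balanced and handle_file_arg are hypothetical, and the expansion step is reduced to copying the pattern so that the example stays on the error variable and the free() path.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: returns 1 if every '{' has a matching '}'. */
static int braces_balanced(const char *s)
{
    int depth = 0;
    for (; *s && depth >= 0; s++)
        depth += (*s == '{') - (*s == '}');
    return depth == 0;
}

/* Hypothetical stand-in for the globbing step (not WU-FTPD's glob.c).
 * Contract: on failure *err is set and NULL is returned; on success the
 * result is a NULL-terminated vector the caller must free. */
char **expand_arg(const char *arg, const char **err)
{
    *err = NULL;
    /* First bug in the note: a malformed pattern such as "~{" has to be
     * reported through the error variable. */
    if (!braces_balanced(arg)) {
        *err = "unbalanced brace in pattern";
        return NULL;
    }
    size_t n = strlen(arg) + 1;
    char **vec = calloc(2, sizeof *vec);   /* zero-filled: NULL-terminated */
    if (vec != NULL && (vec[0] = malloc(n)) != NULL) {
        memcpy(vec[0], arg, n);            /* real expansion is out of scope */
        return vec;
    }
    free(vec);
    *err = "out of memory";
    return NULL;
}

/* Caller side: returns 0 if the argument was accepted, -1 if rejected. */
int handle_file_arg(const char *arg)
{
    const char *err;
    char **vec = expand_arg(arg, &err);
    /* Second bug in the note: the caller freed a result that held
     * arbitrary heap data. Check both signals before freeing anything. */
    if (err != NULL || vec == NULL)
        return -1;
    for (char **p = vec; *p != NULL; p++)
        free(*p);
    free(vec);
    return 0;
}
```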

This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root. If unsuccessful, the thread servicing the request will fail, but WU-FTPD will not crash.

Note that BeroFTPD, which shares much of its code base with WU-FTPD, is also vulnerable. BeroFTPD is no longer separately maintained.

Impact

A remote attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.

Solution

Apply Patch
Apply the appropriate patch supplied as described in the vendor section below. Alternatively, apply the patch provided by WU-FTPD.


Block or Restrict Access
Block or restrict access to the control port used by WU-FTPD, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPD.

Disable Anonymous Access
Disable anonymous FTP access. Note that this will only prevent unauthenticated users from attempting to exploit this vulnerability.

Disable Vulnerable Service
Disable WU-FTPD until a patch can be applied.

Systems Affected

Vendor                     Status        Date Notified  Date Updated
BeroFTPD                   Affected      -              17 Dec 2001
Caldera                    Affected      21 Nov 2001    15 Feb 2002
Conectiva                  Affected      -              30 Nov 2001
Debian                     Affected      21 Nov 2001    04 Dec 2001
FreeBSD                    Affected      21 Nov 2001    07 Dec 2001
Immunix                    Affected      -              29 Nov 2001
MandrakeSoft               Affected      21 Nov 2001    07 Dec 2001
RedHat                     Affected      21 Nov 2001    30 Nov 2001
Sun                        Affected      21 Nov 2001    30 Nov 2001
SuSE                       Affected      -              29 Nov 2001
Turbolinux                 Affected      -              04 Feb 2002
WU-FTPD Development Group  Affected      20 Nov 2001    30 Nov 2001
Cray                       Not Affected  21 Nov 2001    29 Nov 2001
Fujitsu                    Not Affected  21 Nov 2001    30 Nov 2001
Hewlett Packard            Not Affected  21 Nov 2001    26 Nov 2001

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

The CERT Coordination Center thanks CORE Security Technologies and Greg Lundberg for information used in this document. Matt Power of BindView originally reported this condition on the vuln-dev mailing list.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2001-0550
  • CERT Advisory: CA-2001-33
  • Date Public: 30 Apr 2001
  • Date First Published: 28 Nov 2001
  • Date Last Updated: 28 Mar 2002
  • Severity Metric: 21.89
  • Document Revision: 35

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.