Vulnerability Note VU#886083

WU-FTPD does not properly handle file name globbing

Overview

SecurityFocus and CORE Security Technologies have reported a vulnerability in WU-FTPD. WU-FTPD does not handle file name globbing properly and may allow an attacker to execute arbitrary code. WU-FTPD is a widely-used FTP daemon that is included in many UNIX and Linux distributions. This vulnerability was discussed on SecurityFocus' vuln-dev mailing list in April 2001.

I. Description

The CERT Coordination Center has received a report from SecurityFocus and CORE Security Technologies about a remote code execution vulnerability in the Washington University FTP daemon, WU-FTPD. The vulnerability manifests in WU-FTPD's handling of file name globbing. The problem is not a typical buffer overflow or format string vulnerability, but a combination of two bugs: WU-FTPD's globbing code does not properly return an error condition when interpreting the string '~{', and later frees memory which may contain user supplied data.

When certain characters are encountered in the file name argument to an FTP command issued by a client, WU-FTPD calls its globbing code, which is implemented in glob.c. The globbing code should parse the argument string, set a variable if it encounters an error condition, and return a pointer to the expanded glob expression. The function that calls glob.c eventually uses free() to free the memory allocated to hold the expanded glob expression. A problem occurs when the globbing code fails to recognize the string '~{' as a malformed argument and does not set the error variable. The pointer returned by the globbing code references memory on the heap that contains arbitrary data instead of the expanded glob expression. If an attacker can place code of their choice in the right position on the heap, WU-FTPD may execute that code when freeing the memory referenced by the pointer that was returned by the globbing code.
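The calling contract described above, as an added example; it is a simplified model, not WU-FTPD's glob.c and not code from this note. The expander initialises its result before parsing and reports every malformed pattern through the error field, and the caller frees only what a successful expansion returned. All names (glob_result, expand, handle_arg) are hypothetical, and the model assumes a pattern with at most one brace group.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model with hypothetical names; this is not WU-FTPD's glob.c. */
struct glob_result {
    char **vec;      /* NULL-terminated list, owned by the caller on success */
    const char *err; /* non-NULL on every failure path */
};

static struct glob_result fail(struct glob_result r, const char *why) {
    for (char **p = r.vec; p && *p; p++) free(*p);
    free(r.vec);
    return (struct glob_result){ NULL, why };
}

/* Expand one brace group: "pre{a,b}post" -> "preapost", "prebpost". */
struct glob_result expand(const char *pat) {
    struct glob_result r = { NULL, NULL }; /* never hand back a stale pointer */
    const char *open = strchr(pat, '{'), *stray = strchr(pat, '}');
    const char *close = open ? strchr(open, '}') : NULL;
    if ((open && !close) || (stray && stray != close) ||
        (open && (strchr(open + 1, '{') || strchr(close + 1, '}'))))
        return fail(r, "malformed or unsupported pattern"); /* "~{" ends here */
    size_t n = 1, pre = open ? (size_t)(open - pat) : strlen(pat);
    for (const char *p = open; p && p < close; p++) n += (*p == ',');
    if (!(r.vec = calloc(n + 1, sizeof *r.vec))) return fail(r, "out of memory");
    const char *alt = open ? open + 1 : pat + pre, *post = open ? close + 1 : "";
    for (size_t i = 0; i < n; i++) {
        size_t len = strcspn(alt, ",}"); /* length of this alternative */
        if (!(r.vec[i] = malloc(pre + len + strlen(post) + 1)))
            return fail(r, "out of memory");
        memcpy(r.vec[i], pat, pre);
        memcpy(r.vec[i] + pre, alt, len);
        strcpy(r.vec[i] + pre + len, post);
        alt += len + 1;
    }
    return r;
}

/* Caller: free only what a successful expansion handed over. */
int handle_arg(const char *arg) {
    struct glob_result r = expand(arg);
    int count = 0;
    if (r.err || !r.vec) return -1; /* rejected: nothing to free */
    for (char **p = r.vec; *p; p++, count++) free(*p);
    free(r.vec);
    return count;
}
```

handle_arg returns the number of expanded names, or -1 when the pattern was rejected; the constructed input "~{" takes the rejection path, so no pointer from a failed parse ever reaches free().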

This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root. If unsuccessful, the thread servicing the request will fail, but WU-FTPD will not crash.

Note that BeroFTPD, which shares much of its code base with WU-FTPD, is also vulnerable. BeroFTPD is no longer separately maintained.

II. Impact

A remote attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.

III. Solution

Apply Patch

Apply the appropriate patch supplied as described in the vendor section below. Alternatively, apply the patch provided by WU-FTPD.

Block or Restrict Access
Block or restrict access to the control port used by WU-FTPD, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPD.

Disable Anonymous Access
Disable anonymous FTP access. Note that this will only prevent unauthenticated users from attempting to exploit this vulnerability.

Disable Vulnerable Service
Disable WU-FTPD until a patch can be applied.

Systems Affected

Vendor                        Status          Date Updated
BeroFTPD                      Vulnerable      17-Dec-2001
Caldera                       Vulnerable      15-Feb-2002
Compaq Computer Corporation   Unknown         4-Feb-2002
Conectiva                     Vulnerable      30-Nov-2001
Cray                          Not Vulnerable  29-Nov-2001
Debian                        Vulnerable      4-Dec-2001
FreeBSD                       Vulnerable      7-Dec-2001
Fujitsu                       Not Vulnerable  30-Nov-2001
Hewlett Packard               Not Vulnerable  26-Nov-2001
IBM                           Not Vulnerable  27-Nov-2001
Immunix                       Vulnerable      29-Nov-2001
MandrakeSoft                  Vulnerable      7-Dec-2001
NcFTP Software                Not Vulnerable  30-Nov-2001
OpenBSD                       Not Vulnerable  28-Nov-2001
RedHat                        Vulnerable      30-Nov-2001
SGI                           Not Vulnerable  27-Nov-2001
Sun                           Vulnerable      30-Nov-2001
SuSE                          Vulnerable      29-Nov-2001
Turbolinux                    Vulnerable      4-Feb-2002
WU-FTPD Development Group     Vulnerable      30-Nov-2001

References


http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=10&idx=172
ftp://ftp.wu-FTPD.org/pub/wu-FTPD/patches/apply_to_current/ftpglob.patch
http://www.securityfocus.com/bid/3581
http://aris.securityfocus.com/alerts/wuFTPD/
http://www.securityfocus.com/archive/82/180823
http://xforce.iss.net/alerts/advise103.php
http://www.wu-FTPD.org/

Credit

The CERT Coordination Center thanks CORE Security Technologies and Greg Lundberg for information used in this document. Matt Power of BindView originally reported this condition on the vuln-dev mailing list.

This document was written by Art Manion.

Other Information

Date Public: 04/30/2001
Date First Published: 11/28/2001 01:25:25 PM
Date Last Updated: 03/28/2002
CERT Advisory: CA-2001-33
CVE Name: CAN-2001-0550
US-CERT Technical Alerts:
Metric: 21.89
Document Revision: 35

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2001 Carnegie Mellon University