Vulnerability Note VU#886083

The CERT Coordination Center has received a report from SecurityFocus and CORE Security Technologies about a remote code execution vulnerability in the Washington University FTP daemon, WU-FTPD. The vulnerability manifests in WU-FTPD's handling of file name globbing. The problem is not a typical buffer overflow or format string vulnerability, but a combination of two bugs: WU-FTPD's globbing code does not properly return an error condition when interpreting the string '~{', and later frees memory which may contain user supplied data.

When certain characters are encountered in the file name argument to an FTP command issued by a client, WU-FTPD calls its globbing code, which is implemented in glob.c. The globbing code should parse the argument string, set a variable if it encounters an error condition, and return a pointer to the expanded glob expression. The function that calls glob.c eventually uses free() to free the memory allocated to hold the expanded glob expression. A problem occurs when the globbing code fails to recognize the string '~{' as a malformed argument and does not set the error variable. The pointer returned by the globbing code references memory on the heap that contains arbitrary data instead of the expanded glob expression. If an attacker can place code of their choice in the right position on the heap, WU-FTPD may execute that code when freeing the memory referenced by the pointer that was returned by the globbing code.

This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root. If unsuccessful, the thread servicing the request will fail, but WU-FTPD will not crash.

Note that BeroFTPD, which shares much of its code base with WU-FTPD, is also vulnerable. BeroFTPD is no longer separately maintained.

A remote attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.

Apply Patch
Apply the appropriate patch supplied as described in the vendor section below. Alternatively, apply the patch provided by WU-FTPD.

Block or Restrict Access
Block or restrict access to the control port used by WU-FTPD, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPD.

Disable Anonymous Access
Disable anonymous FTP access. Note that this will only prevent unauthenticated users from attempting to exploit this vulnerability.

Disable Vulnerable Service
Disable WU-FTPD until a patch is can be applied.