search menu icon-carat-right cmu-wordmark

CERT Coordination Center


WU-FTPD configured to use RFC 931 authentication running in debug mode contains format string vulnerability

Vulnerability Note VU#639760

Original Release Date: 2001-11-29 | Last Revised: 2001-12-17

Overview

WU-FTPD contains a format string vulnerability that manifests when WU-FTPD is configured to use RFC 931 authentication and is run in debug mode. A crafted identd response could be used to execute arbitrary code on a vulnerable server.

Description

A format string vulnerability exists in the Washington University FTP daemon, WU-FTPD. WU-FTPD is a widely deployed FTP daemon that runs on UNIX and Linux systems and is included in a number of distributions. WU-FTPD can be compiled to use RFC 931 authentication using the '--enable-rfc931' configuration option, in which the server requests user information from the ident daemon running on an FTP client host. Note that RFC 1413 (Identification Protocol) obsoletes RFC 931 (Authentication Server). WU-FTPD can also be run in debugging mode using the '-d' option. Under these conditions, WU-FTPD logs connection information using syslog(3) calls without providing format string specifiers or adequately validating client identd responses. As a result, a crafted identd response containing user-supplied format string specifiers is interpreted by syslog(3), possibly overwriting arbitrary locations in memory. By carefully designing such a request an attacker may execute arbitrary code with the privileges of WU-FTPD.

This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. The intruder must also be able to control the response of the auth or ident daemon. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.

Note that this vulnerability does not manifest unless WU-FTPD is configured to use RFC 931 style authentication and is run in debug mode.

Impact

A remote attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.

Solution

Apply Patch
Apply the appropriate patch supplied by your vendor. Alternatively, apply the patch provided by WU-FTPD:

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch

Disable RFC 931 AuthenticationDo not run WU-FTPD configured with '--enable-RFC931'.Disable Debug ModeDo not run WU-FTPD with the '-d' option.Block or Restrict AccessBlock or restrict access to the port used by WU-FTPD, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPD. Note that potential exploit strings would be transmitted from 113/tcp on clients to the WU-FTPD server that requested RFC 931 authentication.Disable Vulnerable ServiceDisable WU-FTPD until a patch can be applied.

Vendor Information

639760
Expand all

Conectiva

Updated:  December 04, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : wu-ftpd
SUMMARY   : Additional format string fixes for wu-ftpd
DATE      : 2001-11-30 19:02:00
ID        : CLA-2001:443
RELEVANT
RELEASES  : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
"wu-ftpd" is one of the ftp servers shipped with Conectiva Linux and
many other distributions.

 This is a follow-up to the CLSA-2001:442 announcement, where a
critical security problem was fixed. The wu-ftpd developers now
released[1] an official fix for that problem, but with two additional
corrections:
- format string fixes: some new format string bugs have been
patched;
- additional checks: null-pointer checks have been added to some
parts of the code.

 These two new fixes, as well as another one related to PASV mode[2]
(not security related), have been applied to the updated packages
presented through this advisory.


SOLUTION
It is recommended that all wu-ftpd users apply the update.


 REFERENCES
1.ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/ftpglob.patch
2.ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/pasv-port-allow-correction.patch


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/wu-ftpd-2.6.1-6U51_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/wu-ftpd-2.6.1-6U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/wu-ftpd-2.6.1-6U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/wu-ftpd-2.6.1-6U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/wu-ftpd-2.6.1-6U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/wu-ftpd-2.6.1-6U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm


ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
  (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
- after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8B/Z442jd0JmAcZARAhwpAKCtq6his3yR1Yksy06W9aYHIIshRQCfXZL8
3TruJyx+gGBN0uXkCt4bIdA=
=hB4B
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  November 27, 2001 Updated:  December 04, 2001

Status

  Vulnerable

Vendor Statement

Debian released Debian Security Advisory DSA-016 in January 2001.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WU-FTPD Development Group

Notified:  November 22, 2001 Updated:  November 30, 2001

Status

  Vulnerable

Vendor Statement

WU-FTPD has released a patch in July 2000 that addresses this issue in WU-FTPD 2.6.1:

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/missing_format_strings.patch
WU-FTPD 2.6.2 is available and addresses this issue:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  November 27, 2001 Updated:  November 30, 2001

Status

  Not Vulnerable

Vendor Statement

Regarding VU#886083 and VU#639760 (WU-FTPD vulnerabilities), UXP/V is not vulnerable, because UXP/V does not support WU-FTPD.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NcFTP Software

Notified:  November 27, 2001 Updated:  November 30, 2001

Status

  Not Vulnerable

Vendor Statement

All versions of NcFTPd Server are not vulnerable to the problems described by VU#886083 and VU#639760.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  November 27, 2001 Updated:  November 27, 2001

Status

  Not Vulnerable

Vendor Statement

SGI does not ship IRIX with WU-FTPd, so IRIX is not vulnerable to these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun

Notified:  November 27, 2001 Updated:  November 30, 2001

Status

  Not Vulnerable

Vendor Statement

Sun does not ship WU-FTPD, thus Solaris is not affected by these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Caldera

Notified:  November 27, 2001 Updated:  December 04, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT Coordination thanks INTEXXIA for bringing this matter to our attention.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2001-0187
Severity Metric: 14.59
Date Public: 2001-01-23
Date First Published: 2001-11-29
Date Last Updated: 2001-12-17 19:48 UTC
Document Revision: 19

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.