Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: ciacm023.txt

wu-ftpd File Globbing Heap Corruption Vulnerability




Privacy and Legal Notice

[CIAC] INFORMATION BULLETIN

M-023: Multiple Vendor wu-ftpd File Globbing Heap Corruption Vulnerability

[SecurityFocus Security Alert BID 3581]

November 30, 2001 01:00 GMT
  ------------------------------------------------------------------------
 PROBLEM:           The implementation of file globbing in wu-ftpd
                    contains a heap corruption vulnerability.
 PLATFORM:          Systems running wu-ftpd 2.6.1, 2.6.0, 2.5.0, including
                    many versions of Linux - see below.

                       * NOTE: Version 2.6.2 just released see
                         http://www.wu-ftpd.org/
 DAMAGE:            The vulnerability could allow a remote attacker to
                    gain access to a machine and can allow the attack to
                    force the ftpd server process to execute arbitrary
                    code.
 SOLUTION:          Restrict access to port 21; disable anonymous ftp
                    until patches are available. See below for vendor
                    patches currently available.
  ------------------------------------------------------------------------
 VULNERABILITY      The risk is HIGH. Anonymous ftp is enabled by default
 ASSESSMENT:        on some systems. It is reported that there is an
                    automated attack script for this vulnerability in use.
  ------------------------------------------------------------------------

 LINKS:
   CIAC    http://www.ciac.org/ciac/bulletins/m-023.shtml
 BULLETIN:
 WU-FTPD   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply-to-2.6.1/ftpglob.patch
 PATCH:
  ------------------------------------------------------------------------

[***** Start SecurityFocus Security Alert BID 3581 *****]

---------------------------------------------------------------------------
                               Security Alert

Subject:      Wu-Ftpd File Globbing Heap Corruption Vulnerability
BUGTRAQ ID:   3581                   CVE ID:         CVE-MAP-NOMATCH
Published:    Nov 27, 2001           Updated:        Nov 28, 2001 01:12:56

Remote:       Yes                    Local:          No
Availability: Always                 Authentication: Not Required
Credibility:  Vendor Confirmed       Ease:           No Exploit Available
Class:        Failure to Handle Exceptional Conditions

Impact:   10.0           Severity: 10.0            Urgency:  8.2

Last Change:  Initial analysis.
---------------------------------------------------------------------------

Vulnerable Systems:

   Washington University wu-ftpd 2.6.1
    + Caldera OpenLinux Server 3.1
    + Caldera OpenLinux Workstation 3.1
    + Cobalt Qube 1.0
    + Conectiva Linux 7.0
    + Conectiva Linux 6.0
    + MandrakeSoft Corporate Server 1.0.1
    + MandrakeSoft Linux Mandrake 8.1
    + MandrakeSoft Linux Mandrake 8.0 ppc
    + MandrakeSoft Linux Mandrake 8.0
    + MandrakeSoft Linux Mandrake 7.2
    + MandrakeSoft Linux Mandrake 7.1
    + MandrakeSoft Linux Mandrake 7.0
    + MandrakeSoft Linux Mandrake 6.1
    + MandrakeSoft Linux Mandrake 6.0
    + RedHat Linux 7.2 noarch
    + RedHat Linux 7.2 ia64
    + RedHat Linux 7.2 i686
    + RedHat Linux 7.2 i586
    + RedHat Linux 7.2 i386
    + RedHat Linux 7.2 athlon
    + RedHat Linux 7.2 alpha
    + RedHat Linux 7.1 noarch
    + RedHat Linux 7.1 ia64
    + RedHat Linux 7.1 i686
    + RedHat Linux 7.1 i586
    + RedHat Linux 7.1 i386
    + RedHat Linux 7.1 alpha
    + RedHat Linux 7.0 sparc
    + RedHat Linux 7.0 i386
    + RedHat Linux 7.0 alpha
    + TurboLinux TL Workstation 6.1
    + TurboLinux Turbo Linux 6.0.5
    + TurboLinux Turbo Linux 6.0.4
    + TurboLinux Turbo Linux 6.0.3
    + TurboLinux Turbo Linux 6.0.2
    + TurboLinux Turbo Linux 6.0.1
    + TurboLinux Turbo Linux 6.0
    + Wirex Immunix OS 7.0-Beta
    + Wirex Immunix OS 7.0
    Washington University wu-ftpd 2.6.0
    + Cobalt Qube 1.0
    + Conectiva Linux 5.1
    + Conectiva Linux 5.0
    + Conectiva Linux 4.2
    + Conectiva Linux 4.1
    + Conectiva Linux 4.0es
    + Conectiva Linux 4.0
    + Debian Linux 2.2 sparc
    + Debian Linux 2.2 powerpc
    + Debian Linux 2.2 arm
    + Debian Linux 2.2 alpha
    + Debian Linux 2.2 68k
    + Debian Linux 2.2
    + RedHat Linux 6.2 sparc
    + RedHat Linux 6.2 i386
    + RedHat Linux 6.2 alpha
    + RedHat Linux 6.1 sparc
    + RedHat Linux 6.1 i386
    + RedHat Linux 6.1 alpha
    + RedHat Linux 6.0 sparc
    + RedHat Linux 6.0 i386
    + RedHat Linux 6.0 alpha
    + RedHat Linux 5.2 sparc
    + RedHat Linux 5.2 i386
    + RedHat Linux 5.2 alpha
    + S.u.S.E. Linux 6.4ppc
    + S.u.S.E. Linux 6.4alpha
    + S.u.S.E. Linux 6.4
    + S.u.S.E. Linux 6.3 ppc
    + S.u.S.E. Linux 6.3 alpha
    + S.u.S.E. Linux 6.3
    + S.u.S.E. Linux 6.2
    + S.u.S.E. Linux 6.1 alpha
    + S.u.S.E. Linux 6.1
    + TurboLinux Turbo Linux 4.0
    + Wirex Immunix OS 6.2
    Washington University wu-ftpd 2.5.0
    + Caldera eDesktop 2.4
    + Caldera eServer 2.3.1
    + Caldera eServer 2.3
    + Caldera OpenLinux 2.4
    + Caldera OpenLinux Desktop 2.3
    + RedHat Linux 6.0 sparc
    + RedHat Linux 6.0 i386
    + RedHat Linux 6.0 alpha

Summary:

   Wu-Ftpd contains a remotely exploitable heap corruption bug.

Impact:

   A remote attacker may execute arbitrary code on the vulnerable server.

Technical Description:

   Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained  by
   Washington University.

   Wu-Ftpd allows for clients to organize files for ftp actions  based  on
   "file globbing" patterns.  File globbing is also used by various
   shells.  The implementation of file globbing included in Wu-Ftpd
   contains a heap corruption vulnerability that may allow for an attacker
   to execute arbitrary code on a server remotely.

   During the processing of a globbing pattern, the Wu-Ftpd implementation
   creates a list of the files that match.  The memory where this data is
   stored is on the heap, allocated using malloc().  The globbing function
   simply returns a pointer to the list.   It is up to the calling
   functions to free the allocated memory.

   If an error occurs processing the pattern, memory will not be allocated
   and a variable indicating this should be set.  The calling functions
   must check the value of this variable before attempting to use the
   globbed filenames (and later freeing the memory).

   When certain globbing patterns are processed, the globbing function does
   not set this variable when an error occurs.  As a result of this,
   Wu-Ftpd may eventually attempt to free uninitialized memory.  There are
   a number of possibly exploitable conditions.

   If this region of memory contained user-controllable data before the
   free call, it may be possible to have an arbitrary word in memory
   overwritten with an arbitrary value.  This can lead to execution of
   arbitrary code if function pointers or return addresses are
   overwritten.

   If anonymous FTP is not enabled, valid user credentials are required to
   exploit this vulnerability.

   This vulnerability was initially scheduled for public release on
   December 3, 2001.  However, Red Hat has made details public as of
   November 27, 2001.  As a result, we are forced to warn other users of
   the vulnerable product, so that they may take appropriate actions.

Attack Scenarios:

   To exploit this vulnerability, an attacker must have either valid
   credentials required to log in as an FTP user, or anonymous access must
   be enabled.

   The attacker must ensure that a maliciously constructed malloc header
   containing the target address and it's replacement value are in the
   right location in the uninitialized part of the heap.  The attacker
   must also place shellcode in server process memory.

   The attacker must send an FTP command containing a specific globbing
   pattern that does not set the error variable.

   When the server attempts to free the memory used to store the globbed
   filenames, the target word in memory will be overwritten.

   If an attacker overwrites a function pointer or return address with a
   pointer to the shellcode, it may be executed by the server process.

Exploits:

   The following (from the CORE advisory) demonstrates the existence of
   this vulnerability:

     ftp> open localhost
     Connected to localhost (127.0.0.1).
     220 sasha FTP server (Version wu-2.6.1-18) ready.
     Name (localhost:root): anonymous
     331 Guest login ok, send your complete e-mail address as password.
     Password:
     230 Guest login ok, access restrictions apply.
     Remote system type is UNIX.
     Using binary mode to transfer files.
     ftp> ls ~{
     227 Entering Passive Mode (127,0,0,1,241,205)
     421 Service not available, remote server has closed connection

     1405 ?        S      0:00 ftpd: accepting connections on port 21
     7611 tty3     S      1:29 gdb /usr/sbin/wu.ftpd
     26256          ?                 S               0:00           ftpd:
   sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     26265 tty3     R      0:00 bash -c ps ax | grep ftpd
     (gdb) at 26256
     Attaching to program: /usr/sbin/wu.ftpd, process 26256
      Symbols already loaded for /lib/libcrypt.so.1
     Symbols already loaded for /lib/libnsl.so.1
     Symbols already loaded for /lib/libresolv.so.2
     Symbols already loaded for /lib/libpam.so.0
     Symbols already loaded for /lib/libdl.so.2
     Symbols already loaded for /lib/i686/libc.so.6
     Symbols already loaded for /lib/ld-linux.so.2
     Symbols already loaded for /lib/libnss_files.so.2
     Symbols already loaded for /lib/libnss_nisplus.so.2
     Symbols already loaded for /lib/libnss_nis.so.2
     0x40165544 in __libc_read () from /lib/i686/libc.so.6
     (gdb) c
     Continuing.

     Program received signal SIGSEGV, Segmentation fault.
     __libc_free (mem=0x61616161) at malloc.c:3136
     3136    in malloc.c

   Currently the SecurityFocus staff are not aware of any exploits for
   this issue. If you feel we are in error or are aware of more recent
   information,  please mail us at: vuldb@securityfocus.com


Mitigating Strategies:

   This vulnerability is remotely exploitable.  Restricting access to the
   network port, (TCP port 21 is standard for FTP), will block clients
   from unauthorized networks.

   With some operating systems, anonymous FTP is enabled by default.
   Anonymous FTP is often in use on public FTP sites, most often software
   repositories.  It is basically a guest account with access to download
   files from within a restricted environment.  This vulnerability is
   exploitable by clients logged in through anonymous FTP.  Anonymous FTP
   should be disabled immediately until fixes are available, as it would
   allow any host on the Internet who can connect to the service to
   exploit this vulnerability.  It is a good idea to disable it normally
   unless it is absolutely necessary (in which case the FTP server should
   be on a dedicated, isolated host).

   Stack and other memory protection schemes may complicate
   exploitability, and/or prevent commonly available exploits from
   working.   This should not be relied upon for security.  This
   vulnerability involves 'poking' words in memory.  This means that there
   are many different ways that it may be  exploited.  Making the stack
   non-executable or checking the integrity of stack variables may not be
   enough to prevent all possibile methods of exploitation.

   It is advised to disable the service and use alternatives until fixes
   are available.

Solutions:

   Vendor notified on Nov 14, 2001.

   Fixes will be available from the author as well as from vendors who
   ship products that include Wu-Ftpd as core or optional components.

   This vulnerability was initially scheduled for public release on
   December 3, 2001.  Red Hat pre-emptively released an advisory on
   November 27, 2001.  As a result, other vendors may not yet have fixes
   available.

   This record will be updated as fixes from various vendors become
   available.

   For Washington University wu-ftpd 2.6.1:

     Red Hat RPM 6.2 alpha wu-ftpd-2.6.1-0.6x.21.alpha.rpm
     ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm

     Red Hat RPM 6.2 sparc wu-ftpd-2.6.1-0.6x.21.sparc.rpm
     ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm

     Red Hat RPM 7.0 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
     ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

     Red Hat RPM 7.0 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
     ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

     Red Hat RPM 7.1 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
     ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

     Red Hat RPM 7.1 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
     ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

     Red Hat RPM 7.1 ia64 wu-ftpd-2.6.1-16.7x.1.ia64.rpm
     ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm

     Red Hat RPM 7.2 i386 wu-ftpd-2.6.1-20.i386.rpm
     ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm

     Red Hat RPM 6.2 i386 wu-ftpd-2.6.1-0.6x.21.i386.rpm
     ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm

Credit:

   Condition first reported by Matt Power, deemed non-exploitable.
   Rediscovered and exploitability later confirmed by Luciano
   Notarfrancesco and Juan Pablo Martinez Kuhn from Core
   Security Technologies, Buenos Aires, Argentina.

References:

   advisory:
   RedHat RHSA-2001:157-06: Updated wu-ftpd packages are available
   http://www.securityfocus.com/advisories/3680

   web page:
   CORE SDI Homepage (CORE)
   http://www.core-sdi.com

   web page:
   Wu-Ftpd Homepage (Washington University)
   http://www.wu-ftpd.org

ChangeLog:

   Nov 26, 2001: Initial analysis.

---------------------------------------------------------------------------

HOW TO INTERPRET THIS ALERT

             BUGTRAQ ID: This is a unique identifier assigned to the
                         vulnerability by SecurityFocus.com.

                 CVE ID: This is a unique identifier assigned to the
                         vulnerability by the CVE.

              Published: The date the vulnerability was first made public.

                Updated: The date the information was last updated.

                 Remote: Whether this is a remotely exploitable
                         vulnerability.

                  Local: Whether this is a locally exploitable
                         vulnerability.

            Credibility: Describes how credible the information about the
                         vulnerability is. Possible values are:

                         Conflicting Reports: The are multiple conflicting
                         about the existance of the vulnerability.

                         Single Source: There is a single non-reliable
                         source reporting the existence of the
                         vulnerability.

                         Reliable Source: There is a single reliable source
                         reporting the existence of the vulnerability.

                         Conflicting Details: There is consensus on the
                         existence of the vulnerability but not it's
                         details.

                         Multiple Sources: There is consensus on the
                         existence and details of the vulnerability.

                         Vendor Confirmed: The vendor has confirmed the
                         vulnerability.

                  Class: The class of vulnerability.  Possible  values  are:
                         Boundary Condition Error, Access Validation  Error,
                         Origin Validation Error,  Input  Valiadtion  Error,
                         Failure  to  Handle  Exceptional  Conditions,  Race
                         Condition  Error,  Serialization  Error,  Atomicity
                         Error, Environment Error, and Configuration Error.

                   Ease: Rates how easiliy the vulnerability can be
                         exploited.  Possible values are:  No Exploit
                         Available,  Exploit Available, and No Exploit
                         Required.

                 Impact: Rates the impact of the vulnerability.  It's range
                         is 1 through 10.

               Severity: Rates the severity of the vulnerability. It's range
                         is 1 through 10.  It's computed from the impact
                         rating and remote flag. Remote vulnerabiliteis with
                         a high impact rating receive a high severity
                         rating. Local vulnerabilities with a low impact
                         rating receive a low severity rating.

                Urgency: Rates how quickly you should take action to fix or
                         mitigate the vulnerability. It's range is 1 through
                         10. It's computed from the severity rating, the
                         ease rating, and the credibility rating. High
                         severity vulnerabilities with a high ease rating,
                         and a high confidence rating have a higher urgency
                         rating. Low severity vulnerabilities with a low
                         ease rating, and a low confidence rating have a
                         lower urgency rating.

            Last Change: The last change made to the vulnerability
                         information.

     Vulnerable Systems: The list of vulnerable systems. A '+' preceding a
                         system name indicates that one of the system
                         components is vulnerable vulnerable.  For example,
                         Windows 98 ships with Internet Explorer.  So if a
                         vulnerability is found in IE you may see something
                         like:  Microsoft Internet Explorer + Microsoft
                         Windows 98

Non-Vulnerable Systems: The list of non-vulnerable systems.

                Summary: A concise summary of the vulnerability.

                 Impact: The impact of the vulnerability.

  Technical Description: The in-depth description of the vulnerability.

       Attack Scenarios: Ways an attacker may make use of the vulnerability.

               Exploits: Exploit intructions or programs.

  Mitigating Strategies: Ways to mitigate the vulnerability.

              Solutions: Solutions to the vulnerability.

                 Credit: Information about who disclosed the vulnerability.

             References: Sources of information on the vulnerability.

      Related Resources: Resources that might be of additional value.

              ChangeLog: History of changes to the vulnerability record.

---------------------------------------------------------------------------

                      Copyright 2001 SecurityFocus.com
[***** End SecurityFocus Security Alert BID 3581 *****]

  ------------------------------------------------------------------------
CIAC wishes to acknowledge the contributions of SecurityFocus for the
information contained in this bulletin.
  ------------------------------------------------------------------------
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can
be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

  ------------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
  ------------------------------------------------------------------------
UCRL-MI-119788
[Privacy and Legal Notice]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH