Wu-ftpd Vulnerability

CIAC INFORMATION BULLETIN

J-065: Wu-ftpd Vulnerability

September 1, 1999 23:00 GMT
PROBLEM:       The WU-FTPD Development Group has been informed there is a 
               vulnerability in some versions of wu-ftpd.             
PLATFORM:      All platforms using:
               wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
               wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
               wu-ftpd-2.5.0
               BeroFTPD, all present versions 
               Other derivatives of wu-ftpd may be affected.
DAMAGE:        Exploiting this vulnerability may lead to a root compromise.
SOLUTION:      Upgrade to latest version and apply patch.

VULNERABILITY  Risk is high. Exploit information involving this vulnerability
ASSESSMENT:    has been made publicly available. This vulnerability can lead to
               a root compromise.
[ Start WU-FTPD Development Group Advisory ]

WU-FTPD Security Update

The WU-FTPD Development Group has been informed there is a vulnerability in some versions of wu-ftpd. This vulnerability may allow local & remote users to gain root privileges. Exploit information involving this vulnerability has been made publicly available. The WU-FTPD Development Group recommends sites take the steps outlined below as soon as possible.

1. Description

Due to insufficient bounds checking on directory name lengths which can be supplied by users, it is possible to overwrite the static memory space of the wu-ftpd daemon while it is executing under certain configurations. By having the ability to create directories and supplying carefully designed directory names to the wu-ftpd, users may gain privileged access.

2. Impact

This vulnerability may allow local & remote users to gain root privileges.

3. Workarounds/Solution

Sites may prevent the exploitation of the vulnerability in wu-ftpd by immediately upgrading and applying available patches.

3.1 Affected versions

Versions known to be affected are:

    wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
    wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
    wu-ftpd-2.5.0
    BeroFTPD, all present versions

Other derivatives of wu-ftpd may be affected. See the workarounds (section 3.3) to determine if a derivative is vulnerable.

Versions known to be not affected are:

    NcFTPd, all versions.
    wu-ftpd-2.4.2 (final, from Academ)
    All Washington University versions.

(Please note: ALL versions of WU-FTPD prior to wu-ftpd-2.4.2-beta-18-vr10, including all WU versions, and all Academ 2.4.1 and 2.4.2 betas, are vulnerable to a remote user root-leveraging attack. See CERT Advisory CA-99-03 'FTP Buffer Overflows' at http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html and section 3.2)

3.2 Upgrade to latest wu-ftpd and apply patch

The latest version of wu-ftpd from the WU-FTPD Development Group is 2.5.0; sites running earlier versions should upgrade to this version as soon as possible.

The WU-FTPD Development Group has a patch available which corrects this vulnerability. The patch is available directly from the WU-FTPD Development Group's primary distribution site, and will be propagating to its mirrors shortly. Several other patches to version 2.5.0 are also available. The WU-FTPD Development Group recommends all available patches be applied.

Patches for version 2.5.0 are available at the primary distribution site:

    ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/

The following patches are available:

    CRITICAL-SECURITY.PATCH

[ End WU-FTPD Development Group Advisory ]
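The bug class the advisory describes (a static path buffer filled from user-chosen directory names without a length check) in a simplified model, shown beside the bounded form a fix of this kind needs. This is an added example, not wu-ftpd's or the Development Group's code; the 64-byte buffer size and every function name are hypothetical.

```c
/* Added illustration of the bug class in the advisory: a static path buffer
 * filled from user-chosen directory names.  Not wu-ftpd's code; the buffer
 * size (64, kept small on purpose) and all function names are hypothetical. */
#include <string.h>

#define PATH_BUF 64

/* Static storage, as in a long-running daemon: an overflow here corrupts
 * whatever the linker placed after the buffer rather than a stack frame. */
static char cwd_unsafe[PATH_BUF];
static char cwd_safe[PATH_BUF];

/* The pattern the advisory describes: the component is appended with no check
 * against the remaining space, so a long enough name writes past the end. */
void append_dir_unsafe(const char *name)
{
    strcat(cwd_unsafe, "/");
    strcat(cwd_unsafe, name);
}

/* Hardened form: reject a component that would not fit (or that is empty or
 * contains a separator) and leave the buffer untouched.  0 = ok, -1 = rejected. */
int append_dir_safe(const char *name)
{
    size_t cur = strlen(cwd_safe);
    size_t add = strlen(name) + 1;              /* "/" plus the name */
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    if (add > PATH_BUF - 1 - cur)               /* keep room for the NUL */
        return -1;
    cwd_safe[cur] = '/';
    memcpy(cwd_safe + cur + 1, name, add);      /* add includes the NUL */
    return 0;
}

const char *cwd_safe_get(void) { return cwd_safe; }
void cwd_safe_reset(void) { cwd_safe[0] = '\0'; }

/* Append the same name until the check refuses it; returns how many fit.
 * With a constructed 8-byte name such as "incoming" (9 bytes per component
 * including the "/"), 7 components fill the 64-byte buffer exactly. */
int count_until_full(const char *name)
{
    int n = 0;
    cwd_safe_reset();
    while (append_dir_safe(name) == 0)
        n++;
    return n;
}
```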

CIAC wishes to acknowledge the contributions of the WU-FTPD Development Group for the information contained in this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788