Bugtraq mailing list archives

WU-FTPD Security Update


From: yua () ARTLOVER COM (Alex Yu)
Date: Thu, 26 Aug 1999 13:43:07 -0400


-----BEGIN PGP SIGNED MESSAGE-----

                          WU-FTPD Security Update

The WU-FTPD Development Group has been informed there is a vulnerability in
some versions of wu-ftpd.

This vulnerability may allow local & remote users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

The WU-FTPD Development Group recommends sites take the steps outlined
below as soon as possible.

1.  Description

    Due to insufficient bounds checking on directory name lengths which can
    be supplied by users, it is possible to overwrite the static memory
    space of the wu-ftpd daemon while it is executing under certain
    configurations.  By having the ability to create directories and
    supplying carefully designed directory names to the wu-ftpd, users may
    gain privileged access.

2.  Impact

    This vulnerability may allow local & remote users to gain root
    privileges.

3.  Workarounds/Solution

    Sites may prevent the exploitation of the vulnerability in wu-ftpd by
    immediately upgrading and applying available patches.

3.1 Affected versions

    Versions known to be affected are:

        wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
        wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
        wu-ftpd-2.5.0

        BeroFTPD, all present versions

        Other derivatives of wu-ftpd may be affected.  See the workarounds
        (section 3.3) to determine if a derivative is vulnerable.

    Versions known to be not affected are:

        NcFTPd, all versions.
        wu-ftpd-2.4.2 (final, from Academ)
        All Washington University versions.

        (Please note: ALL versions of WU-FTPD prior to
         wu-ftpd-2.4.2-beta-18-vr10 including all WU versions, and all
         Academ 2.4.1 and 2.4.2 betas, are vulnerable to a remote user
         root-leveraging attack. See CERT Advisory CA-99-03 'FTP Buffer
         Overflows' at
         http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
         and section 3.2)

3.2 Upgrade to latest wu-ftpd and apply patch

    The latest version of wu-ftpd from the WU-FTPD Development Group is
    2.5.0; sites running earlier versions should upgrade to this version as
    soon as possible.

    The WU-FTPD Development Group has a patch available which corrects this
    vulnerability.  The patch is available directly from the WU-FTPD
    Development Group's primary distribution site, and will be propagating
    to its mirrors shortly.

    Several other patches to version 2.5.0 are also available.  The WU-FTPD
    Development Group recommends all available patches be applied.

    Patches for version 2.5.0 are available at the primary distribution
    site:

        ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/

    The following patches are available:

        CRITICAL-SECURITY.PATCH

            Alternate name for mapped.path.overrun.patch.

        mapped.path.overrun.patch

            Corrects a problem in the implementation of the MAPPING_CHDIR
            feature which could be used to gain root privileges.  All sites
            should apply this patch as soon as possible.

        not.in.class.patch

            Corrects a problem where anonymous users not in any class could
            gain anonymous access to the server under certain conditions.
            All sites should apply this patch.

        glibc.wtmp.patch

            Corrects a problem with Linux systems where logout from wu-ftpd
            was not properly recorded in the wtmp file.  Sites running
            wu-ftpd on Linux should apply this patch.

        rfc931.timeout.patch

            Corrects some problems with the RFC931 implementation when the
            remote site does not respond.  Under some conditions, wu-ftpd
            would hang, failing to properly time out.  Sites experiencing
            unexplained hanging wu-ftpd processes should apply this patch.

        data-limit.patch

            Corrects a documentation error.  Released as a patch due to the
            number of questions the error caused.  This patch may be safely
            omitted on all sites.

        deny.not.nameserved.patch

            Corrects a problem in the implementation of '!nameserved' when
            attempting to deny access to remote users whose hosts do not
            have proper DNS.  All sites should apply this patch.

    Special note for BeroFTPD:

    BeroFTPD users should be able to apply the mapped.path.overrun.patch to
    their version of wu-ftpd.  (This has been tested by the WU-FTPD
    Development Group on BeroFTPD 1.3.4; it applied cleanly, with some
    drift in line numbers.)  The other patches are for version 2.5.0 of
    wu-ftpd only and should not be applied to BeroFTPD.

3.3 Apply work-around patch and recompile existing source.

    The feature causing this problem can be disabled at compile time in all
    affected versions of the daemon:

    o Locate the following text in config.h:

    /*
     * MAPPING_CHDIR
     * Keep track of the path the user has chdir'd into and respond with
     * that to pwd commands.  This is to avoid having the absolue disk
     * path returned.  This helps avoid returning dirs like '.1/fred'
     * when lots of disks make up the ftp area.
     */

    o If this text is not present, your version of the daemon is NOT
      vulnerable.

    o Change the following line from:

    #define MAPPING_CHDIR

    to

    #undef MAPPING_CHDIR

    o Rebuild and install the new ftpd executable.

- --

Gregory A Lundberg              WU-FTPD Development Group
1441 Elmdale Drive              lundberg () wu-ftpd org
Kettering, OH 45409-1615 USA    1-800-809-2195

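The section 3.3 check and workaround, scripted as an added example; it is not part of the advisory or of the WU-FTPD distribution. The function names and the `.orig` backup suffix are assumptions, and the demo input is a constructed stand-in for config.h.

```shell
#!/bin/sh
# Added example: classify and edit config.h as described in section 3.3.

# mapping_chdir_status FILE prints one of:
#   absent   - no MAPPING_CHDIR text at all (advisory: NOT vulnerable)
#   enabled  - "#define MAPPING_CHDIR" is present (feature compiled in)
#   disabled - "#undef MAPPING_CHDIR" is present (workaround applied)
#   unknown  - the name appears, but in neither directive form
mapping_chdir_status() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    if ! grep -q 'MAPPING_CHDIR' "$cfg"; then
        echo "absent"
    elif grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+MAPPING_CHDIR([[:space:]]|$)' "$cfg"; then
        echo "enabled"
    elif grep -Eq '^[[:space:]]*#[[:space:]]*undef[[:space:]]+MAPPING_CHDIR([[:space:]]|$)' "$cfg"; then
        echo "disabled"
    else
        echo "unknown"
    fi
}

# disable_mapping_chdir FILE rewrites "#define MAPPING_CHDIR" to
# "#undef MAPPING_CHDIR", keeps the original as FILE.orig, and
# succeeds only if the result classifies as "disabled".
disable_mapping_chdir() {
    cfg=$1
    [ "$(mapping_chdir_status "$cfg")" = "enabled" ] || return 0
    cp -p "$cfg" "$cfg.orig" || return 1
    sed -E 's/^([[:space:]]*#[[:space:]]*)define([[:space:]]+MAPPING_CHDIR([[:space:]].*)?)$/\1undef\2/' \
        "$cfg.orig" > "$cfg" || return 1
    [ "$(mapping_chdir_status "$cfg")" = "disabled" ]
}

# Demo on a constructed config.h fragment (not the real wu-ftpd file).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '/*' ' * MAPPING_CHDIR' ' */' '#define MAPPING_CHDIR' > "$d/config.h"
    mapping_chdir_status "$d/config.h"
    disable_mapping_chdir "$d/config.h" && mapping_chdir_status "$d/config.h"
    rm -rf "$d"
}
demo
```

The edit only changes the source; the daemon still has to be rebuilt and reinstalled as the last step of section 3.3 says.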

