Bugtraq mailing list archives
Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)
From: lundberg () WU-FTPD ORG (Gregory A Lundberg)
Date: Sat, 1 Jul 2000 02:43:43 -0400
No need, redhat 6.1's wu-ftpd 2.5.0 uses its stripped-down internal *printf instead of the library one, and wu-ftpd's internal printf does not recognise the %n formatting directive crucial to this exploit. It isn't vulnerable.
Please do not speak with false authority. It's unlikely whether the exact exploit(s) publicly posted will work against a given version or platform other than that claimed in the posting. That does not mean there is no problem.

The bug being discussed was present in wu-ftpd-2.0, released April 12, 1993. A quick look and it does not appear the bug was present in wuarchive-ftpd version 1.1 nor in the Berkeley BSD ftpd from which wu-ftpd was based. (Side note: we're missing some versions in the attic; if you have anything on our wish list, we'd love to have a copy.)

At this point the following facts exist:

- A purported exploit has been publicly released and discussed.

- We have received exactly ONE question concerning a possible break-in using WU-FTPD, any version, since the release of version 2.6.0. While the bug was present in the version of the daemon being run at the site, security on the machine in question was so lax that no single cause could be determined. It was felt the more likely point of entry was by direct sniffing of the root password off the campus LAN.

- The WU-FTPD Development Group has NOT been contacted by anyone (other than the person above, Bugtraq postings and followups) concerning this issue. The original Bugtraq poster has not contacted us. No CERT/FIRST teams have called or emailed. No vendors shipping their own versions of the daemon have contacted us.

- A member of the WU-FTPD Development Group is also a member of a FIRST team. He was present at FIRST/2000 in Chicago over the past week and has made sure several of the teams represented were aware of the issue.

- The bug used by the purported exploit is a real bug. As such the development group and a number of vendors who ship their own versions of the daemon have issued patches or updates.

- The bug in question has been present in ALL versions of wu-ftpd, from ALL vendors, at least since the release of version 2.0 in April, 1993.
- I, personally, have seen NO scanning for FTP services on my networks. While this is admittedly anecdotal evidence, the last exploit against WU-FTPD, which _did_ work and _was_ in widespread use, was accompanied by a marked increase in such scans on the networks I manage. I have talked with several other network operators and most report no increase in scanning; one did report he is seeing some FTP probes on his campus. The probes and scans I am seeing are consistent with the most-recent CERT Current Activity report ( http://www.cert.org/current/current_activity.html ).

The following FALSE facts have been circulated, sometimes by vendor security teams who should know better than to make such statements without better evidence:

- "The exploit is in wide use." At this point, the WU-FTPD Development Group has seen no evidence the exploit works or is being used at all. Our position, however, is that the exploit ought to work since the bug is real. So, while this is currently a false statement it could become true at some point.

- "No known fix exists." A patch for the base WU-FTPD version 2.6.0 has been available for several days. I updated it earlier today as a result of some user questions concerning line number drift. Several vendors shipping their own versions of the software have also released updates and/or patches. The fix should be applicable against older versions; but since those versions have more severe security issues for which working exploits are in widespread use, you should upgrade to 2.6.0 and apply the patches.
Anyone having any DIRECT evidence of a working exploit is asked to contact the WU-FTPD Development Group at wuftpd-members () wu-ftpd org or security () wu-ftpd org

Anyone having a working exploit for THIS bug (especially against an Intel running Redhat 4.2 or later, the systems I have available) is asked to forward that exploit to the WU-FTPD Development Group at wuftpd-members () wu-ftpd org or security () wu-ftpd org or upload it to ftp://ftp.wu-ftpd.org/incoming/ with a short email to one of the addresses.

CERT/FIRST teams and those with evidence of a wide-spread attack may contact me directly; additional contact phone numbers appear at the end of the WU-FTPD FAQ ( http://www.wu-ftpd.org/wu-ftpd-faq.html ). If I miss your call (which can happen occasionally) leave a message; I will return calls to CERT/FIRST teams.

PGP keys for me and the WU-FTPD Development Group are available online at ftp://ftp.wu-ftpd.org/pub/pgp-keys/

--
Gregory A Lundberg                      WU-FTPD Development Group
1441 Elmdale Drive                      lundberg () wu-ftpd org
Kettering, OH 45409-1615 USA            1-800-809-2195
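The class of bug the thread argues about (client text reaching a *printf format argument, which only becomes a write primitive where the underlying formatter honours %n) is shown below as an added example; it is constructed for this archive page and is not wu-ftpd's code. `fmt_reply`, `reply_vulnerable`, `reply_fixed`, `count_directives` and `yields` are hypothetical names; the vulnerable and fixed routines differ only in whether the untrusted text is the format or a `%s` argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply helper of the usual daemon shape (format plus varargs). */
static int fmt_reply(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE pattern: client-originated text becomes the format argument, so
 * every %-directive in it is interpreted by whatever *printf sits underneath
 * (including %n, if that implementation supports it). */
static int reply_vulnerable(char *out, size_t outlen, const char *client_text)
{
    return fmt_reply(out, outlen, client_text);
}

/* FIXED pattern: constant format, text passed as a %s argument, so it is
 * copied literally and never parsed for directives. */
static int reply_fixed(char *out, size_t outlen, const char *client_text)
{
    return fmt_reply(out, outlen, "%s", client_text);
}

/* Audit helper: count conversion directives in untrusted text ("%%" is a
 * literal percent). Any count above zero in client text that reaches a
 * format argument deserves an alert during code review or log inspection. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent, not a directive */
        n++;
    }
    return n;
}

/* Self-check: 1 if the chosen routine turns client_text into expect. Only "%%"
 * is used as the probe: it consumes no argument, so the vulnerable path stays
 * well-defined while still demonstrating that directives get interpreted. */
static int yields(int fixed, const char *client_text, const char *expect)
{
    char out[64];
    (fixed ? reply_fixed : reply_vulnerable)(out, sizeof out, client_text);
    return strcmp(out, expect) == 0;
}
```

The same constructed input "100%% done" comes out as "100% done" from the vulnerable routine and unchanged from the fixed one, which is the observable difference a reviewer looks for.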