Bugtraq mailing list archives

Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)


From: lundberg () WU-FTPD ORG (Gregory A Lundberg)
Date: Sat, 1 Jul 2000 02:43:43 -0400


No need, redhat 6.1's wu-ftpd 2.5.0 uses its stripped down internal
*printf instead of the library one, and wu-ftpd's internal printf does
not recognise the %n formatting directive crucial to this exploit. It
isn't vulnerable.

Please do not speak with false authority.  It's unlikely whether the exact
exploit(s) publicly posted will work against a given version or platform
other than that claimed in the posting.  That does not mean there is no
problem.

The bug being discussed was present in wu-ftpd-2.0, released April 12,
1993.  A quick look and it does not appear the bug was present in
wuarchive-ftpd version 1.1 nor in the Berkeley BSD ftpd from which wu-ftpd
was based.  (Side note: we're missing some versions in the attic; if you
have anything on our wish list, we'd love to have a copy.)

At this point the following facts exist:

 - A purported exploit has been publicly released and discussed.

 - We have received exactly ONE question concerning a possible break-in
   using WU-FTPD, any version, since the release of version 2.6.0.  While
   the bug was present in the version of the daemon being run at the site,
   security on the machine in question was so lax that no single cause
   could be determined.  It was felt the more likely point of entry was by
   direct sniffing of the root password off the campus LAN.

 - The WU-FTPD Development Group has NOT been contacted by anyone
   (other than the person above, Bugtraq postings and followups) concerning
   this issue.  The original Bugtraq poster has not contacted us.  No
   CERT/FIRST teams have called or emailed.  No vendors shipping their own
   versions of the daemon have contacted us.

 - A member of the WU-FTPD Development Group is also a member of a FIRST
   team.  He was present at FIRST/2000 in Chicago over the past week and
   has made sure several of the teams represented were aware of the issue.

 - The bug used by the purported exploit is a real bug.  As such the
   development group and a number of vendors who ship their own versions of
   the daemon have issued patches or updates.

 - The bug in question has been present in ALL versions of wu-ftpd, from
   ALL vendors, at least since the release of version 2.0 in April, 1993.

 - I, personally, have seen NO scanning for FTP services on my networks.
   While this is admittedly anecdotal evidence, the last exploit against
   WU-FTPD, which _did_ work and _was_ in widespread use, was accompanied by
   a marked increase in such scans on the networks I manage.  I have talked
   with several other network operators and most report no increase in
   scanning; one did report he is seeing some FTP probes on his campus.
   The probes and scans I am seeing are consistent with the most-recent
   CERT Current Activity report (
   http://www.cert.org/current/current_activity.html ).

The following FALSE facts have been circulated, sometimes by vendor
security teams who should know better than to make such statements without
better evidence:

 - "The exploit is in wide use."  At this point, the WU-FTPD Development
   Group has seen no evidence the exploit works or is being used at all.
   Our position, however, is that the exploit ought to work since the bug
   is real.  So, while this is currently a false statement it could become
   true at some point.

 - "No known fix exists."  A patch for the base WU-FTPD version 2.6.0 has
   been available for several days.  I updated it earlier today as a result
   of some user questions concerning line number drift.  Several vendors
   shipping their own versions of the software have also released updates
   and/or patches.  The fix should be applicable against older versions;
   but since those versions have more severe security issues for which
   working exploits are in widespread use, you should upgrade to 2.6.0 and
   apply the patches.

Anyone having any DIRECT evidence of a working exploit is asked to contact
the WU-FTPD Development Group at wuftpd-members () wu-ftpd org or
security () wu-ftpd org

Anyone having a working exploit for THIS bug (especially against an Intel
running Redhat 4.2 or later, the systems I have available) is asked to
forward that exploit to the WU-FTPD Development Group at
wuftpd-members () wu-ftpd org or security () wu-ftpd org or upload it to
ftp://ftp.wu-ftpd.org/incoming/ with a short email to one of the addresses.

CERT/FIRST teams and those with evidence of a widespread attack may
contact me directly; additional contact phone numbers appear at the end of
the WU-FTPD FAQ ( http://www.wu-ftpd.org/wu-ftpd-faq.html ).  If I miss
your call (which can happen occasionally) leave a message; I will return
calls to CERT/FIRST teams.

PGP keys for me and the WU-FTPD Development Group are available online at
ftp://ftp.wu-ftpd.org/pub/pgp-keys/

--

Gregory A Lundberg              WU-FTPD Development Group
1441 Elmdale Drive              lundberg () wu-ftpd org
Kettering, OH 45409-1615 USA    1-800-809-2195
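Added example, not the poster's or wu-ftpd's own code: the shape of the bug class under discussion (client-supplied text reaching a *printf family function as its format string), the hardened form with a fixed format string, and a check that counts conversion directives in untrusted text and flags %n in particular. The function names are assumed for illustration; the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in untrusted text.  "%%" is a
 * literal percent sign, not a directive.  If has_n is non-NULL it is set
 * to 1 when a "%n" (write-to-memory) conversion is present.  A reply
 * routine that uses the library printf would interpret every directive
 * counted here; one whose internal printf lacks %n still interprets the
 * others, which is why "no %n support" is not the same as "not affected". */
static int count_directives(const char *s, int *has_n)
{
    int n = 0, found_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {            /* escaped percent: skip both */
            p++;
            continue;
        }
        n++;
        /* skip flags, width, precision and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q == 'n')
            found_n = 1;
        if (*q)
            p = q;                    /* resume after the conversion char */
    }
    if (has_n)
        *has_n = found_n;
    return n;
}

static int has_percent_n(const char *s)
{
    int f;
    count_directives(s, &f);
    return f;
}

/* Vulnerable shape (not compiled here):   snprintf(out, len, untrusted);
 * The client controls the format string, so its directives are executed.
 *
 * Hardened shape: a fixed format string, untrusted text as a %s argument,
 * so "%n" in the input is copied as two ordinary characters. */
static int reply_safe(char *out, size_t len, const char *untrusted)
{
    return snprintf(out, len, "200-%s\r\n", untrusted);
}
```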
