File: FTP_vulnerabilities.html

satan 1.1.1-18
<HTML>
<HEAD>
<TITLE>Tutorial - WU-FTPD Vulnerability</TITLE>
<LINK REV="made" HREF="mailto:satan@fish.com">
</HEAD>
<BODY BGCOLOR="#FFFFFF">

<H1><IMG SRC="../../images/satan.gif">WU-FTPD Vulnerability</H1>

<HR>

<H3>Summary</H3>

Root access via the wuarchive FTPD server.

<H3>Impact</H3>

Unauthorized remote root access to system.

<H3>Background</H3>

The wuarchive FTPD daemon (or WU-FTPD) is a highly modified and
significantly larger version of FTPD that adds extra logging,
limited remote command support, and other features to the standard
BSD version of FTPD.  The additional code adds greatly to the complexity,
and multiple significant software bugs have been found in it.

<H3>The problem</H3>

There is a race condition in the code, as well as a bug in the
<i>SITE EXEC</i> command, that allows anyone (remote or local) to gain root
access on a host running a vulnerable FTPD daemon.
Support for anonymous FTP is not required to exploit this vulnerability.

<H3>Fix</H3>

<ul>

<li> Don't use extended or modified FTPD daemons unless they are necessary;
the vendor's code is typically more stable and secure.

<li> Upgrade to a more recent version of WU-FTPD; it can be found at the
<a href="ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd"> wuarchive ftp site</a>.

<li> Restrict FTP access by using a tcp wrapper.

</ul>
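The last fix above, restricting FTP access with a tcp wrapper, depends on how tcpd evaluates <tt>/etc/hosts.allow</tt> and <tt>/etc/hosts.deny</tt>: the allow file is consulted first and a match grants access, the deny file is consulted next and a match refuses it, and a client matching neither file is allowed. The following Python script is an added example, not part of the SATAN tutorial or of tcp_wrappers itself; it reimplements that decision order for the simple pattern forms (<tt>ALL</tt>, a leading-dot domain suffix, a network/netmask pair, a trailing-dot address prefix, and an exact host or address) over two constructed sample files, so an administrator can check what a proposed rule set would do to a given client before deploying it. The daemon name <tt>in.ftpd</tt> and the sample addresses are assumptions; real tcpd also performs reverse-lookup consistency checks and supports <tt>EXCEPT</tt> lists, which are not modelled here.

```python
import ipaddress

# Constructed sample hosts.allow: let the wrapped FTP daemon in only from the
# local network and one trusted domain (daemon name in.ftpd is an assumption).
HOSTS_ALLOW = """\
# allow FTP from the LAN and from hosts under example.com
in.ftpd: 192.168.1.0/255.255.255.0, .example.com
"""

# Constructed sample hosts.deny: refuse every other wrapped service by default.
HOSTS_DENY = """\
ALL: ALL
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines, ignoring comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",") if d.strip()],
                      [c.strip() for c in clients.split(",") if c.strip()]))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the client's hostname (may be None) and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                       # domain suffix, e.g. .example.com
        return host is not None and host.endswith(pattern)
    if "/" in pattern:                                # network/netmask, e.g. 10.0.0.0/255.0.0.0
        try:
            network = ipaddress.IPv4Network(pattern, strict=False)
            return ipaddress.IPv4Address(addr) in network
        except ValueError:
            return False
    if pattern.endswith("."):                         # address prefix, e.g. 192.168.
        return addr.startswith(pattern)
    return pattern == addr or pattern == host         # exact address or hostname


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, host, addr) for c in clients))


def access_allowed(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd decision order: hosts.allow first, then hosts.deny, otherwise allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, host, addr):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, host, addr):
            return False
    return True


if __name__ == "__main__":
    # Constructed clients: one on the LAN, one in the trusted domain, one stranger.
    for host, addr in [("ws1.lan", "192.168.1.25"),
                       ("mirror.example.com", "203.0.113.7"),
                       (None, "198.51.100.9")]:
        verdict = "allow" if access_allowed("in.ftpd", host, addr) else "deny"
        print(f"in.ftpd from {host or '?'} [{addr}]: {verdict}")
```

The same check is useful for spotting the common mistake of writing a permissive <tt>hosts.deny</tt>: with an empty deny file every client that misses <tt>hosts.allow</tt> is still let in, which is why the sample deny file closes with <tt>ALL: ALL</tt>. The wrapper only protects services that are actually started through tcpd from inetd, so the inetd.conf entry for the FTP daemon must invoke tcpd for any of this to apply.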

<H3>See also</H3>

<ul>
<li> <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-93:06.wuarchive.ftpd.vulnerability"> Cert Advisory 93:06</a>.

<li> <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-94:07.wuarchive.ftpd.trojan.horse"> Cert Advisory 94:07</a>.
</ul>
</BODY>
</HTML>