
Linux servers at risk from wu-ftp vulnerability

posted on November 29, 2001
by hitbsecnews

Source: ZDNet

Looks like there's a new vulnerability in wu-ftpd, a widely used FTP server program for Linux, which has left numerous sites open to online attackers; the situation was made worse when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out. The flaw affects all versions of wu-ftpd, a program originally created at Washington University in St. Louis for servers providing FTP (File Transfer Protocol) service for transferring files over the Internet. The full Bugtraq posting follows below, and the ZDNet article on the whole situation is linked here.

---------------------------------------------------------------------------
Security Alert

Subject: Wu-Ftpd File Globbing Heap Corruption Vulnerability
BUGTRAQ ID: 3581 CVE ID: CVE-MAP-NOMATCH
Published: Nov 27, 2001 Updated: Nov 28, 2001 01:12:56

Remote: Yes Local: No
Availability: Always Authentication: Not Required
Credibility: Vendor Confirmed Ease: No Exploit Available
Class: Failure to Handle Exceptional Conditions

Impact: 10.0 Severity: 10.0 Urgency: 8.2

Last Change: Initial analysis.
---------------------------------------------------------------------------

Vulnerable Systems:

Washington University wu-ftpd 2.6.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1
+ Cobalt Qube 1.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 8.1
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 7.2
+ MandrakeSoft Linux Mandrake 7.1
+ MandrakeSoft Linux Mandrake 7.0
+ MandrakeSoft Linux Mandrake 6.1
+ MandrakeSoft Linux Mandrake 6.0
+ RedHat Linux 7.2 noarch
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i586
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 athlon
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 noarch
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ TurboLinux TL Workstation 6.1
+ TurboLinux Turbo Linux 6.0.5
+ TurboLinux Turbo Linux 6.0.4
+ TurboLinux Turbo Linux 6.0.3
+ TurboLinux Turbo Linux 6.0.2
+ TurboLinux Turbo Linux 6.0.1
+ TurboLinux Turbo Linux 6.0
+ Wirex Immunix OS 7.0-Beta
+ Wirex Immunix OS 7.0
Washington University wu-ftpd 2.6.0
+ Cobalt Qube 1.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0es
+ Conectiva Linux 4.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 i386
+ RedHat Linux 6.0 alpha
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
+ S.u.S.E. Linux 6.4ppc
+ S.u.S.E. Linux 6.4alpha
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3 ppc
+ S.u.S.E. Linux 6.3 alpha
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.2
+ S.u.S.E. Linux 6.1 alpha
+ S.u.S.E. Linux 6.1
+ TurboLinux Turbo Linux 4.0
+ Wirex Immunix OS 6.2
Washington University wu-ftpd 2.5.0
+ Caldera eDesktop 2.4
+ Caldera eServer 2.3.1
+ Caldera eServer 2.3
+ Caldera OpenLinux 2.4
+ Caldera OpenLinux Desktop 2.3
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 i386
+ RedHat Linux 6.0 alpha

Summary:

Wu-Ftpd contains a remotely exploitable heap corruption bug.

Impact:

A remote attacker may execute arbitrary code on the vulnerable server.

Technical Description:

Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by
Washington University.

Wu-Ftpd lets clients select files for FTP operations using "file
globbing" patterns, the same kind of wildcard matching used by various
shells. The file globbing implementation included in Wu-Ftpd contains
a heap corruption vulnerability that may allow an attacker to execute
arbitrary code on the server remotely.

During the processing of a globbing pattern, the Wu-Ftpd implementation
creates a list of the files that match. The memory where this data is
stored is on the heap, allocated using malloc(). The globbing function
simply returns a pointer to the list. It is up to the calling
functions to free the allocated memory.

If an error occurs while processing the pattern, no memory is allocated
and a variable indicating the error should be set. The calling
functions must check the value of this variable before attempting to
use the globbed filenames (and before later freeing the memory).

When certain globbing patterns are processed, the globbing function
does not set this variable even though an error has occurred. As a
result, Wu-Ftpd may eventually attempt to free uninitialized memory.
There are a number of potentially exploitable conditions.

If this region of memory contained user-controllable data before the
free call, it may be possible to have an arbitrary word in memory
overwritten with an arbitrary value. This can lead to execution of
arbitrary code if function pointers or return addresses are
overwritten.
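As an added illustration (a constructed model written for this page, not wu-ftpd's own glob.c or any code from the advisory), the C below shows the control-flow defect described above: a globber whose error flag is left unset on one pattern, next to a fail-closed version, with a caller that reports which pointer value its free loop would have been handed instead of calling free() on it. The names heap_region, model_glob and first_pointer_handed_to_free are all assumptions of this model.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the control-flow bug the advisory describes; this is
 * not wu-ftpd's glob.c. heap_region stands in for the malloc()ed list block;
 * the caller first fills it with 'a' bytes to model an earlier request (the
 * 'a'-filled password in the gdb trace) leaving user data in that memory. */
static char *heap_region[8];

/* With fixed == 0 this is the buggy globber: the "~{" pattern returns the
 * list block with no entry filled in and *err untouched. With fixed == 1
 * it fails closed, so every early return is reported. Other patterns either
 * report an error or build a NULL-terminated list (the pattern itself stands
 * in for a matched name). */
static char **model_glob(const char *pattern, int *err, int fixed)
{
    char **list = heap_region;
    if (fixed)
        *err = 1;                        /* fix: assume failure up front */
    if (strncmp(pattern, "~{", 2) == 0)
        return fixed ? NULL : list;      /* bug: *err untouched, stale entries */
    if (strchr(pattern, '{') && !strchr(pattern, '}')) {
        *err = 1;                        /* this error path was always reported */
        return NULL;
    }
    list[0] = (char *)pattern;
    list[1] = NULL;
    *err = 0;
    return list;
}

/* Caller shaped like the advisory's: trusts *err, then walks the list the
 * way a free loop would. It returns the first pointer that loop would hand
 * to free() (0 when it correctly bails out) instead of actually freeing. */
static uintptr_t first_pointer_handed_to_free(const char *pattern, int fixed)
{
    int err = 0;                         /* stale stack value reads as "ok" */
    memset(heap_region, 'a', sizeof heap_region);   /* every byte 0x61 */
    char **list = model_glob(pattern, &err, fixed);
    if (err || list == NULL || list[0] == NULL)
        return 0;
    return (uintptr_t)list[0];           /* 0x6161... on the buggy path */
}
```

On the buggy path the value returned is built entirely from the 0x61 bytes left behind by the earlier request, which is exactly the mem=0x61616161 seen in the advisory's gdb trace.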

If anonymous FTP is not enabled, valid user credentials are required to
exploit this vulnerability.

This vulnerability was initially scheduled for public release on
December 3, 2001. However, Red Hat has made details public as of
November 27, 2001. As a result, we are forced to warn other users of
the vulnerable product, so that they may take appropriate actions.

Attack Scenarios:

To exploit this vulnerability, an attacker must have either valid
credentials required to log in as an FTP user, or anonymous access must
be enabled.

The attacker must ensure that a maliciously constructed malloc header
containing the target address and its replacement value is in the
right location in the uninitialized part of the heap. The attacker
must also place shellcode in server process memory.

The attacker must send an FTP command containing a specific globbing
pattern that does not set the error variable.

When the server attempts to free the memory used to store the globbed
filenames, the target word in memory will be overwritten.

If an attacker overwrites a function pointer or return address with a
pointer to the shellcode, it may be executed by the server process.

Exploits:

The following (from the CORE advisory) demonstrates the existence of
this vulnerability:

ftp> open localhost
Connected to localhost (127.0.0.1).
220 sasha FTP server (Version wu-2.6.1-18) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection

1405 ? S 0:00 ftpd: accepting connections on port 21
7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd
26256 ? S 0:00 ftpd:
sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3 R 0:00 bash -c ps ax | grep ftpd
(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i686/libc.so.6
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x40165544 in __libc_read () from /lib/i686/libc.so.6
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136 in malloc.c

Currently the SecurityFocus staff are not aware of any exploits for
this issue. If you feel we are in error or are aware of more recent
information, please mail us at: vuldb@securityfocus.com

Mitigating Strategies:

This vulnerability is remotely exploitable. Restricting access to the
network port (TCP port 21 is standard for FTP) will block clients
from unauthorized networks.

With some operating systems, anonymous FTP is enabled by default.
Anonymous FTP is often in use on public FTP sites, most often software
repositories. It is basically a guest account with access to download
files from within a restricted environment. This vulnerability is
exploitable by clients logged in through anonymous FTP. Anonymous FTP
should be disabled immediately until fixes are available, as it would
allow any host on the Internet who can connect to the service to
exploit this vulnerability. It is a good idea to disable it normally
unless it is absolutely necessary (in which case the FTP server should
be on a dedicated, isolated host).

Stack and other memory protection schemes may complicate exploitation
and/or prevent commonly available exploits from working. This should
not be relied upon for security. This vulnerability involves 'poking'
words in memory, which means there are many different ways it may be
exploited. Making the stack non-executable or checking the integrity
of stack variables may not be enough to prevent all possible methods
of exploitation.

It is advised to disable the service and use alternatives until fixes
are available.

Solutions:

Vendor notified on Nov 14, 2001.

Fixes will be available from the author as well as from vendors who
ship products that include Wu-Ftpd as core or optional components.

This vulnerability was initially scheduled for public release on
December 3, 2001. Red Hat pre-emptively released an advisory on
November 27, 2001. As a result, other vendors may not yet have fixes
available.

This record will be updated as fixes from various vendors become
available.

For Washington University wu-ftpd 2.6.1:

Red Hat RPM 6.2 alpha wu-ftpd-2.6.1-0.6x.21.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm

Red Hat RPM 6.2 sparc wu-ftpd-2.6.1-0.6x.21.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm

Red Hat RPM 7.0 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

Red Hat RPM 7.0 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

Red Hat RPM 7.1 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

Red Hat RPM 7.1 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

Red Hat RPM 7.1 ia64 wu-ftpd-2.6.1-16.7x.1.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm

Red Hat RPM 7.2 i386 wu-ftpd-2.6.1-20.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm

Red Hat RPM 6.2 i386 wu-ftpd-2.6.1-0.6x.21.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm

Credit:

Condition first reported by Matt Power, deemed non-exploitable.
Rediscovered, and exploitability later confirmed, by Luciano
Notarfrancesco and Juan Pablo Martinez Kuhn from Core Security
Technologies, Buenos Aires, Argentina.

References:

advisory:
RedHat RHSA-2001:157-06: Updated wu-ftpd packages are available
http://www.securityfocus.com/advisories/3680

web page:
CORE SDI Homepage (CORE)
http://www.core-sdi.com

web page:
Wu-Ftpd Homepage (Washington University)
http://www.wu-ftpd.org
