Date: Thu, 21 Oct 1999 17:20:24 -0400 (EDT)
From: Cristian Gafton <gafton@redhat.com>
To: redhat-watch-list@redhat.com
Reply to: redhat-watch-list@redhat.com
Red Hat, Inc. Security Advisory
Synopsis: Security problems in WU-FTPD
Advisory ID: RHSA-1999:043-01
Issue date: 1999-10-21
Updated on:
Keywords: wu-ftp security remote exploit
Cross references:
1. Topic:
Various computer security groups have reported security problems
in the WU-FTPD daemon, the FTP server shipped with all versions of
Red Hat Linux.
2. Problem description:
Three vulnerabilities have been identified in WU-FTPD and other
ftp daemons based on the WU-FTPD source code.
Vulnerability #1: MAPPING_CHDIR Buffer Overflow
Vulnerability #2: Message File Buffer Overflow
Remote and local intruders may be able to exploit these
vulnerabilities to execute arbitrary code as the user running the
ftpd daemon, usually root.
Vulnerability #3: SITE NEWER Consumes Memory
Remote and local intruders who can connect to the FTP server can
cause the server to consume excessive amounts of memory, preventing
normal system operation. If intruders can create files on the
system, they may be able to exploit this vulnerability to execute
arbitrary code as the user running the ftpd daemon, usually
root.
3. Bug IDs fixed (http://developer.redhat.com/bugzilla for more info):
N/A
4. Relevant releases/architectures:
Red Hat Linux 4.2 for i386, alpha and sparc
Red Hat Linux 5.2 for i386, alpha and sparc
Red Hat Linux 6.x for i386, alpha and sparc
5. Obsoleted by:
6. Conflicts with:
7. RPMs required:
Red Hat Linux 4.2
Intel:
ftp://updates.redhat.com//4.2/i386/wu-ftpd-2.6.0-0.4.2.i386.rpm
Alpha:
ftp://updates.redhat.com//4.2/alpha/wu-ftpd-2.6.0-0.4.2.alpha.rpm
Sparc:
ftp://updates.redhat.com//4.2/sparc/wu-ftpd-2.6.0-0.4.2.sparc.rpm
Source packages:
ftp://updates.redhat.com//4.2/SRPMS/wu-ftpd-2.6.0-0.4.2.src.rpm
Red Hat Linux 5.2
Intel:
ftp://updates.redhat.com//5.2/i386/wu-ftpd-2.6.0-0.5.x.i386.rpm
Alpha:
ftp://updates.redhat.com//5.2/alpha/wu-ftpd-2.6.0-0.5.x.alpha.rpm
Sparc:
ftp://updates.redhat.com//5.2/sparc/wu-ftpd-2.6.0-0.5.x.sparc.rpm
Source packages:
ftp://updates.redhat.com//5.2/SRPMS/wu-ftpd-2.6.0-0.5.x.src.rpm
Red Hat Linux 6.x
Intel:
ftp://updates.redhat.com//6.0/i386/wu-ftpd-2.6.0-1.i386.rpm
Alpha:
ftp://updates.redhat.com//6.0/alpha/wu-ftpd-2.6.0-1.alpha.rpm
Sparc:
ftp://updates.redhat.com//6.0/sparc/wu-ftpd-2.6.0-1.sparc.rpm
Source packages:
ftp://updates.redhat.com//6.0/SRPMS/wu-ftpd-2.6.0-1.src.rpm
8. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh <filename>
where filename is the name of the RPM.
9. Verification:
MD5 sum                          Package Name
c6e1e63399ce8497b6ff7c9945954690 i386/wu-ftpd-2.6.0-0.4.2.i386.rpm
05c278b6507fbac44443a8be434adeed alpha/wu-ftpd-2.6.0-0.4.2.alpha.rpm
0ecd4ff150450607ce4b69982419ef07 sparc/wu-ftpd-2.6.0-0.4.2.sparc.rpm
acb4144d477075480fd89112112658a9 SRPMS/wu-ftpd-2.6.0-0.4.2.src.rpm
13349a3192515d85c06dc873344a10bd i386/wu-ftpd-2.6.0-0.5.x.i386.rpm
c6e97b13e6924d96f40cf4da8e8d217b alpha/wu-ftpd-2.6.0-0.5.x.alpha.rpm
35a32345c364e216e7437b1485c95160 sparc/wu-ftpd-2.6.0-0.5.x.sparc.rpm
b9bdb8ca91e296e07344e1c1915078dd SRPMS/wu-ftpd-2.6.0-0.5.x.src.rpm
dcd5d04df11849007aa3c4fb398cfbfb i386/wu-ftpd-2.6.0-1.i386.rpm
a0b3a1a0dcfbdfd1443d0aecd960e907 alpha/wu-ftpd-2.6.0-1.alpha.rpm
7511f1f96b3044207cbe11d34f75ff7a sparc/wu-ftpd-2.6.0-1.sparc.rpm
7e30ea42e82908752b943621580f6f1c SRPMS/wu-ftpd-2.6.0-1.src.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our
key is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:
rpm --checksig --nogpg <filename>
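As an added illustration of the md5sum check above (example code, not part of the advisory or of rpm), the script below parses a verification table in the advisory's "MD5 sum / Package Name" layout, including the case where the table has been flattened onto one line, and reports each downloaded package as ok, mismatched or missing. The sample table and files are constructed for the example; the sums in it are md5("") and md5("abc"), not Red Hat's.

```python
import hashlib
import os
import re
import tempfile

# One 32-hex-digit sum followed by a package path. Matching pairs with a regex
# instead of splitting lines also copes with a table that a mail client or web
# extraction has flattened onto a single line, as often happens to advisories.
_ENTRY = re.compile(r"\b([0-9a-fA-F]{32})\s+(\S+\.rpm)\b")

def parse_md5_table(text):
    """Return {relative package path: expected md5, lowercase}."""
    return {path: digest.lower() for digest, path in _ENTRY.findall(text)}

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()

def verify_packages(table, download_dir):
    """Map each listed package to 'ok', 'MISMATCH' or 'MISSING'. A matching
    sum proves integrity only; authenticity still rests on the GPG signature."""
    result = {}
    for rel_path, expected in table.items():
        full = os.path.join(download_dir, rel_path)
        if not os.path.isfile(full):
            result[rel_path] = "MISSING"
        else:
            result[rel_path] = "ok" if md5_of_file(full) == expected else "MISMATCH"
    return result

# CONSTRUCTED table in the advisory's layout; the sums are md5("") and
# md5("abc"), not the real Red Hat package sums.
SAMPLE_TABLE = """MD5 sum                          Package Name
d41d8cd98f00b204e9800998ecf8427e i386/example-empty.i386.rpm
900150983cd24fb0d6963f7d28e17f72 i386/example-abc.i386.rpm
900150983cd24fb0d6963f7d28e17f72 i386/example-tampered.i386.rpm
00000000000000000000000000000000 i386/example-missing.i386.rpm"""

def demo():
    """Write constructed sample files into a temp dir and verify them."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "i386"))
        for name, data in (("empty", b""), ("abc", b"abc"), ("tampered", b"abd")):
            with open(os.path.join(d, "i386", f"example-{name}.i386.rpm"), "wb") as f:
                f.write(data)
        return verify_packages(parse_md5_table(SAMPLE_TABLE), d)
```

Running `demo()` reports the empty and "abc" files as ok, the altered file as MISMATCH and the absent one as MISSING.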
10. References:
CERT Advisory CA-99-13 Multiple Vulnerabilities in WU-FTPD
http://www.cert.org
AUSCERT Advisory AA-1999.01
ftp://www.auscert.org.au/security/advisory/AA-1999.01.wu-ftpd.mapping_chdir.vul
AUSCERT Advisory AA-1999.02
ftp://www.auscert.org.au/security/advisory/AA-1999.02.multi.wu-ftpd.vuls
Cristian
Cristian Gafton — gafton@redhat.com — Red Hat, Inc.