Rule:
--
Sid:
1378 (FTP wu-ftp bad file completion attempt)
--
Summary:
wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function.
--
Impact:
High -- A properly executed attack will allow root access
--
Detailed Information:
Wu-Ftpd allows for clients to organize files for ftp actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap corruption vulnerability that may allow for an attacker to execute arbitrary code on a server remotely.
--
Attack Scenarios:
Allowing FTP connections from untrusted users would allow this exploit to be executed, as long as the server is running a vulnerable version.
--
Ease of Attack:
Relatively easy. The following is an example:
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection
1405 ? S 0:00 ftpd: accepting connections on port 21
7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd
26256 ? S 0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3 R 0:00 bash -c ps ax | grep ftpd
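
The command in the session above can be checked for on the FTP control channel. The following Python is an added example, not part of the original rule documentation and not Snort's own rule logic: it parses client command lines and flags pathname commands whose argument contains "~" followed by "{". The verb list beyond CWD and the listing commands, the widened pattern, and the sample traffic are assumptions constructed for illustration.

```python
import re

# Commands whose argument is a pathname the server may glob-expand.
# The page names CWD and shows "ls" (typically sent as LIST or NLST);
# the remaining verbs in this set are an assumption.
PATH_VERBS = {"CWD", "LIST", "NLST", "STAT", "RETR", "SIZE", "MDTM", "DELE", "RMD"}

# "~" followed later in the same argument by "{". This covers the "~{" form
# from the summary; allowing text between the two characters is an assumed
# widening, not something the page specifies.
TILDE_BRACE = re.compile(rb"~[^\r\n]*\{")

def parse_command(line: bytes):
    """Split one FTP control-channel line into (VERB, argument bytes)."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    return verb.decode("ascii", "replace").upper(), arg.lstrip(b" ")

def scan_control_channel(stream: bytes):
    """Return [(line_no, verb, argument)] for commands matching the pattern."""
    hits = []
    for no, raw in enumerate(stream.split(b"\n"), start=1):
        if not raw.strip():
            continue  # skip the empty tail after the final CRLF
        verb, arg = parse_command(raw)
        if verb in PATH_VERBS and TILDE_BRACE.search(arg):
            hits.append((no, verb, arg.decode("ascii", "replace")))
    return hits

# Constructed sample of client-to-server traffic (not a real capture).
SAMPLE = (
    b"USER anonymous\r\n"
    b"PASS guest@example.com\r\n"
    b"CWD pub\r\n"
    b"PASV\r\n"
    b"LIST ~{\r\n"
    b"cwd ~{\r\n"      # verbs are case-insensitive on the wire
    b"LIST {a,b}\r\n"  # brace without a tilde: not flagged
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for no, verb, arg in scan_control_channel(SAMPLE):
        print(f"line {no}: {verb} {arg!r} matches the tilde-brace pattern")
```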
--
False Positives:
None Known
--
False Negatives:
None Known
--
Corrective Action:
Upgrade your version of wu-ftpd to one greater than:
wu-ftpd, 2.6.1
wu-ftpd, 2.6.0
wu-ftpd, 2.5.0
ftpd-BSD, 0.3.2
ftpd-BSD, 0.3.3
--
Contributors:
Neal Timm nrtimm@var-log.com
--
Additional References:
Bugtraq -- http://www.securityfocus.com/bid/3581/info/
CVE -- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0550