December 12, 2000, 12:59 PM — The apprehension about WU-FTPD is getting hard to ignore. This popular FTP server is included by default in all Linux distributions; it is optional with FreeBSD and is the default FTP server in HP-UX, Hewlett-Packard's proprietary flavor of Unix.

At first, some people claimed that the concern was bogus, that the published exploits (wuftpd2600.c and bobek.c) didn't work, and that they were not seeing an increase in FTP scanning activity. But by July 7, CERT had an advisory out (http://www.cert.org/advisories/CA-2000-13.html), and several large organizations (including the San Diego Supercomputing Center and a Dutch networking provider) had reported scanning levels comparable to those seen after the 1999 WU-FTPD exploit. The Australian CERT has also published an advisory (ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02).

The "WU" in WU-FTPD stands for Washington University of St. Louis, where this FTP
server was developed based on code taken from the BSD 4.4 distribution. WU-FTPD is
popular because it includes features not found in other Unix FTP servers, such as the
ability to set up chroot environments (a type of filesystem prison) even for users with
local accounts. WU-FTPD is now supported by WU-FTPD

WU-FTPD has a checkered past, like other complex network server programs. The first problem to surface had nothing to do with programming mistakes. Someone inserted about 15 lines of code into the master copy of the source, introducing a back door that provided root access via the WU-FTPD server either locally or over a network. If an intruder knew the proper set of three commands, he or she could log in as the root user. This problem was patched in April 1993, although it reappeared briefly that summer when someone reinstalled the backdoor code.

In 1995, Linux distributions were found to be vulnerable to a local elevation-of-privileges exploit involving the SITE EXEC command. This command permits execution of a limited set of commands via the WU-FTPD server. But, through a mistake in configuration, any user with a local account (but not an anonymous user) could execute any command in the /bin directory (a common command directory) as the superuser, making it pretty easy to take over a Linux system. CERT published advisory CA-95.14 about this