Popular FTP server in trouble again

ITworld.com –

The apprehension about WU-FTPD is getting hard to ignore. This popular FTP server is included by default in all Linux distributions; it's optional with FreeBSD and is the default FTP server in HP-UX, Hewlett-Packard's proprietary flavor of Unix.

At first, some people claimed that the concern was bogus, that the published exploits (wuftpd2600.c and bobek.c) didn't work, and that they were not seeing an increase in FTP scanning activity. But by July 7, CERT had an advisory out and several large organizations (including San Diego Supercomputing Center and a Dutch networking provider) had reported scanning levels equal to the 1999 WU-FTPD exploit. The Australian CERT has also published an advisory.

The "WU" in WU-FTPD stands for Washington University of St. Louis, where this FTP server was developed based on code taken from the BSD 4.4 distribution. WU-FTPD is popular because it includes features not found in other Unix FTP servers, such as the ability to set up chroot environments (a type of filesystem prison) even for users with local accounts. WU-FTPD is now supported by WU-FTPD Development Group.

WU-FTPD has a checkered past, like other complex network server programs. The first problem to surface had nothing to do with programming mistakes. Someone inserted about 15 lines of code into the master copy of the source, introducing a back door that provided root access via the WU-FTPD server either locally or over a network. If an intruder knew the proper set of three commands, he or she could log in as the root user. This problem was patched in April 1993, although it reappeared briefly that summer when someone reinstalled the backdoor code.

In 1995, Linux distributions were found to be vulnerable to a local elevation-of-privileges exploit involving the SITE EXEC command. This command permits execution of a limited set of commands via the WU-FTPD server. But, through a mistake in configuration, any user with a local account (but not an anonymous user) could execute any command in the

<font face="courier" size=3>/bin</font>
directory (a common command directory) as the superuser, making it pretty easy to take over a Linux system. CERT published advisory CA-95.14 about this problem.

In February 1999, both WU-FTPD and ProFtpd, a related program, were targets of a buffer overflow exploit. The exploit required only anonymous access, though there also had to be a directory writeable by the anonymous user (which is a dangerous problem in itself). If such a directory existed, the exploit created nested subdirectories and placed the shell code within the directory name itself. Changing into one of the subdirectories would cause a buffer overflow, thus providing remote root access, this time to a shell.

The most recent vulnerability involves something akin to a buffer overflow, though there are certain differences. WU-FTPD carefully logs activity, which is one of the reasons it is so popular; but the process of logging the use of the SITE EXEC command opens another vulnerability. It is possible to pass a formatting command that then gets expanded by a subroutine prior to logging SITE EXEC and creates a remote shell run by the root user. As in buffer overflow exploits, shell code must be passed in the attack, and this shell code is specific not just to particular CPU architectures (such as Intel or SPARC), but also to operating system type and version. The WU-FTPD exploits are also sensitive to the shared libraries installed -- for example, a vulnerable version of WU-FTPD on Red Hat Linux 6.1 would not be exploitable, but Red Hat 6.2 would be.

With outsiders now scanning networks for potentially vulnerable WU-FTPD servers (a fairly simple thing to uncover, as it is announced as soon as you connect to the server), it is likely that many servers will become victims of this exploit.

Nor is your safety guaranteed if you use a different FTP server. Versions of Unix FTP servers not based on WU-FTPD (such as the one in OpenBSD) were recently found to have a vulnerability in a formatting string called

size=3 face="courier">setproctitle()</font>
. At this time, there do not appear to be active exploits against this vulnerability, although it could provide remote root access as well.

As always, watch your vendors' security mailing lists for advisories, and keep your systems, especially any public servers (even if they are behind firewalls) patched. This war is far from over.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon