__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Multiple Vendor wu-ftdp File Globbing Heap Corruption Vulnerability [SecurityFocus Security Alert BID 3581] November 30, 2001 01:00 GMT Number M-023 ______________________________________________________________________________ PROBLEM: The implementation of file globbing in wu-ftpd contains a heap corruption vulnerability. PLATFORM: Systems running wu-ftpd 2.6.1, 2.6.0, 2.5.0, including many versions of Linux - see below. NOTE: Version 2.6.2 just released see http://www.wu-ftpd.org/ DAMAGE: The vulnerability could allow a remote attacker to gain access to a machine and can allow the attack to force the ftpd server process to execute arbitrary code. SOLUTION: Restrict access to port 21; disable anonymous ftp until patches are available. See below for vendor patches currently available. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. Anonymous ftp is enabled by default on some ASSESSMENT: systems. It is reported that there is an automated attack script for this vulnerability in use. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-023.shtml WU-FTPD LINK: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply-to-2.6.1/ ftpglob.patch. ______________________________________________________________________________ [***** Start SecurityFocus Security Alert BID 3581 *****] --------------------------------------------------------------------------- Security Alert Subject: Wu-Ftpd File Globbing Heap Corruption Vulnerability BUGTRAQ ID: 3581 CVE ID: CVE-MAP-NOMATCH Published: Nov 27, 2001 Updated: Nov 28, 2001 01:12:56 Remote: Yes Local: No Availability: Always Authentication: Not Required Credibility: Vendor Confirmed Ease: No Exploit Available Class: Failure to Handle Exceptional Conditions Impact: 10.0 Severity: 10.0 Urgency: 8.2 Last Change: Initial analysis. --------------------------------------------------------------------------- Vulnerable Systems: Washington University wu-ftpd 2.6.1 + Caldera OpenLinux Server 3.1 + Caldera OpenLinux Workstation 3.1 + Cobalt Qube 1.0 + Conectiva Linux 7.0 + Conectiva Linux 6.0 + MandrakeSoft Corporate Server 1.0.1 + MandrakeSoft Linux Mandrake 8.1 + MandrakeSoft Linux Mandrake 8.0 ppc + MandrakeSoft Linux Mandrake 8.0 + MandrakeSoft Linux Mandrake 7.2 + MandrakeSoft Linux Mandrake 7.1 + MandrakeSoft Linux Mandrake 7.0 + MandrakeSoft Linux Mandrake 6.1 + MandrakeSoft Linux Mandrake 6.0 + RedHat Linux 7.2 noarch + RedHat Linux 7.2 ia64 + RedHat Linux 7.2 i686 + RedHat Linux 7.2 i586 + RedHat Linux 7.2 i386 + RedHat Linux 7.2 athlon + RedHat Linux 7.2 alpha + RedHat Linux 7.1 noarch + RedHat Linux 7.1 ia64 + RedHat Linux 7.1 i686 + RedHat Linux 7.1 i586 + RedHat Linux 7.1 i386 + RedHat Linux 7.1 alpha + RedHat Linux 7.0 sparc + RedHat Linux 7.0 i386 + RedHat Linux 7.0 alpha + TurboLinux TL Workstation 6.1 + TurboLinux Turbo Linux 6.0.5 + TurboLinux Turbo Linux 6.0.4 + TurboLinux Turbo Linux 6.0.3 + TurboLinux Turbo Linux 6.0.2 + TurboLinux Turbo Linux 6.0.1 + TurboLinux Turbo Linux 6.0 + Wirex Immunix OS 7.0-Beta + Wirex Immunix OS 7.0 Washington University wu-ftpd 2.6.0 + Cobalt Qube 1.0 + Conectiva Linux 5.1 + Conectiva Linux 5.0 + Conectiva Linux 4.2 + Conectiva Linux 4.1 + Conectiva Linux 4.0es + Conectiva Linux 4.0 + Debian Linux 2.2 sparc + Debian Linux 2.2 powerpc + Debian Linux 2.2 arm + Debian Linux 2.2 alpha + Debian Linux 2.2 68k + Debian Linux 2.2 + RedHat Linux 6.2 sparc + RedHat Linux 6.2 i386 + RedHat Linux 6.2 alpha + RedHat Linux 6.1 sparc + RedHat Linux 6.1 i386 + RedHat Linux 6.1 alpha + RedHat Linux 6.0 sparc + RedHat Linux 6.0 i386 + RedHat Linux 6.0 alpha + RedHat Linux 5.2 sparc + RedHat Linux 5.2 i386 + RedHat Linux 5.2 alpha + S.u.S.E. Linux 6.4ppc + S.u.S.E. Linux 6.4alpha + S.u.S.E. Linux 6.4 + S.u.S.E. Linux 6.3 ppc + S.u.S.E. Linux 6.3 alpha + S.u.S.E. Linux 6.3 + S.u.S.E. Linux 6.2 + S.u.S.E. Linux 6.1 alpha + S.u.S.E. Linux 6.1 + TurboLinux Turbo Linux 4.0 + Wirex Immunix OS 6.2 Washington University wu-ftpd 2.5.0 + Caldera eDesktop 2.4 + Caldera eServer 2.3.1 + Caldera eServer 2.3 + Caldera OpenLinux 2.4 + Caldera OpenLinux Desktop 2.3 + RedHat Linux 6.0 sparc + RedHat Linux 6.0 i386 + RedHat Linux 6.0 alpha Summary: Wu-Ftpd contains a remotely exploitable heap corruption bug. Impact: A remote attacker may execute arbitrary code on the vulnerable server. Technical Description: Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by Washington University. Wu-Ftpd allows for clients to organize files for ftp actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap corruption vulnerability that may allow for an attacker to execute arbitrary code on a server remotely. During the processing of a globbing pattern, the Wu-Ftpd implementation creates a list of the files that match. The memory where this data is stored is on the heap, allocated using malloc(). The globbing function simply returns a pointer to the list. It is up to the calling functions to free the allocated memory. If an error occurs processing the pattern, memory will not be allocated and a variable indicating this should be set. The calling functions must check the value of this variable before attempting to use the globbed filenames (and later freeing the memory). When certain globbing patterns are processed, the globbing function does not set this variable when an error occurs. As a result of this, Wu-Ftpd may eventually attempt to free uninitialized memory. There are a number of possibly exploitable conditions. If this region of memory contained user-controllable data before the free call, it may be possible to have an arbitrary word in memory overwritten with an arbitrary value. This can lead to execution of arbitrary code if function pointers or return addresses are overwritten. If anonymous FTP is not enabled, valid user credentials are required to exploit this vulnerability. This vulnerability was initially scheduled for public release on December 3, 2001. However, Red Hat has made details public as of November 27, 2001. As a result, we are forced to warn other users of the vulnerable product, so that they may take appropriate actions. Attack Scenarios: To exploit this vulnerability, an attacker must have either valid credentials required to log in as an FTP user, or anonymous access must be enabled. The attacker must ensure that a maliciously constructed malloc header containing the target address and it's replacement value are in the right location in the uninitialized part of the heap. The attacker must also place shellcode in server process memory. The attacker must send an FTP command containing a specific globbing pattern that does not set the error variable. When the server attempts to free the memory used to store the globbed filenames, the target word in memory will be overwritten. If an attacker overwrites a function pointer or return address with a pointer to the shellcode, it may be executed by the server process. Exploits: The following (from the CORE advisory) demonstrates the existence of this vulnerability: ftp> open localhost Connected to localhost (127.0.0.1). 220 sasha FTP server (Version wu-2.6.1-18) ready. Name (localhost:root): anonymous 331 Guest login ok, send your complete e-mail address as password. Password: 230 Guest login ok, access restrictions apply. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls ~{ 227 Entering Passive Mode (127,0,0,1,241,205) 421 Service not available, remote server has closed connection 1405 ? S 0:00 ftpd: accepting connections on port 21 7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd 26256 ? S 0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 26265 tty3 R 0:00 bash -c ps ax | grep ftpd (gdb) at 26256 Attaching to program: /usr/sbin/wu.ftpd, process 26256 Symbols already loaded for /lib/libcrypt.so.1 Symbols already loaded for /lib/libnsl.so.1 Symbols already loaded for /lib/libresolv.so.2 Symbols already loaded for /lib/libpam.so.0 Symbols already loaded for /lib/libdl.so.2 Symbols already loaded for /lib/i686/libc.so.6 Symbols already loaded for /lib/ld-linux.so.2 Symbols already loaded for /lib/libnss_files.so.2 Symbols already loaded for /lib/libnss_nisplus.so.2 Symbols already loaded for /lib/libnss_nis.so.2 0x40165544 in __libc_read () from /lib/i686/libc.so.6 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. __libc_free (mem=0x61616161) at malloc.c:3136 3136 in malloc.c Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com Mitigating Strategies: This vulnerability is remotely exploitable. Restricting access to the network port, (TCP port 21 is standard for FTP), will block clients from unauthorized networks. With some operating systems, anonymous FTP is enabled by default. Anonymous FTP is often in use on public FTP sites, most often software repositories. It is basically a guest account with access to download files from within a restricted environment. This vulnerability is exploitable by clients logged in through anonymous FTP. Anonymous FTP should be disabled immediately until fixes are available, as it would allow any host on the Internet who can connect to the service to exploit this vulnerability. It is a good idea to disable it normally unless it is absolutely necessary (in which case the FTP server should be on a dedicated, isolated host). Stack and other memory protection schemes may complicate exploitability, and/or prevent commonly available exploits from working. This should not be relied upon for security. This vulnerability involves 'poking' words in memory. This means that there are many different ways that it may be exploited. Making the stack non-executable or checking the integrity of stack variables may not be enough to prevent all possibile methods of exploitation. It is advised to disable the service and use alternatives until fixes are available. Solutions: Vendor notified on Nov 14, 2001. Fixes will be available from the author as well as from vendors who ship products that include Wu-Ftpd as core or optional components. This vulnerability was initially scheduled for public release on December 3, 2001. Red Hat pre-emptively released an advisory on November 27, 2001. As a result, other vendors may not yet have fixes available. This record will be updated as fixes from various vendors become available. For Washington University wu-ftpd 2.6.1: Red Hat RPM 6.2 alpha wu-ftpd-2.6.1-0.6x.21.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm Red Hat RPM 6.2 sparc wu-ftpd-2.6.1-0.6x.21.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm Red Hat RPM 7.0 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm Red Hat RPM 7.0 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm Red Hat RPM 7.1 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm Red Hat RPM 7.1 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm Red Hat RPM 7.1 ia64 wu-ftpd-2.6.1-16.7x.1.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm Red Hat RPM 7.2 i386 wu-ftpd-2.6.1-20.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm Red Hat RPM 6.2 i386 wu-ftpd-2.6.1-0.6x.21.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm Credit: Condition first reported by Matt Power, deemed non-exploitable. Rediscovered and exploitability later confirmed by Luciano Notarfrancesco and Juan Pablo Martinez Kuhn from Core Security Technologies, Buenos Aires, Argentina. References: advisory: RedHat RHSA-2001:157-06: Updated wu-ftpd packages are available http://www.securityfocus.com/advisories/3680 web page: CORE SDI Homepage (CORE) http://www.core-sdi.com web page: Wu-Ftpd Homepage (Washington University) http://www.wu-ftpd.org ChangeLog: Nov 26, 2001: Initial analysis. --------------------------------------------------------------------------- HOW TO INTERPRET THIS ALERT BUGTRAQ ID: This is a unique identifier assigned to the vulnerability by SecurityFocus.com. CVE ID: This is a unique identifier assigned to the vulnerability by the CVE. Published: The date the vulnerability was first made public. Updated: The date the information was last updated. Remote: Whether this is a remotely exploitable vulnerability. Local: Whether this is a locally exploitable vulnerability. Credibility: Describes how credible the information about the vulnerability is. Possible values are: Conflicting Reports: The are multiple conflicting about the existance of the vulnerability. Single Source: There is a single non-reliable source reporting the existence of the vulnerability. Reliable Source: There is a single reliable source reporting the existence of the vulnerability. Conflicting Details: There is consensus on the existence of the vulnerability but not it's details. Multiple Sources: There is consensus on the existence and details of the vulnerability. Vendor Confirmed: The vendor has confirmed the vulnerability. Class: The class of vulnerability. Possible values are: Boundary Condition Error, Access Validation Error, Origin Validation Error, Input Valiadtion Error, Failure to Handle Exceptional Conditions, Race Condition Error, Serialization Error, Atomicity Error, Environment Error, and Configuration Error. Ease: Rates how easiliy the vulnerability can be exploited. Possible values are: No Exploit Available, Exploit Available, and No Exploit Required. Impact: Rates the impact of the vulnerability. It's range is 1 through 10. Severity: Rates the severity of the vulnerability. It's range is 1 through 10. It's computed from the impact rating and remote flag. Remote vulnerabiliteis with a high impact rating receive a high severity rating. Local vulnerabilities with a low impact rating receive a low severity rating. Urgency: Rates how quickly you should take action to fix or mitigate the vulnerability. It's range is 1 through 10. It's computed from the severity rating, the ease rating, and the credibility rating. High severity vulnerabilities with a high ease rating, and a high confidence rating have a higher urgency rating. Low severity vulnerabilities with a low ease rating, and a low confidence rating have a lower urgency rating. Last Change: The last change made to the vulnerability information. Vulnerable Systems: The list of vulnerable systems. A '+' preceding a system name indicates that one of the system components is vulnerable vulnerable. For example, Windows 98 ships with Internet Explorer. So if a vulnerability is found in IE you may see something like: Microsoft Internet Explorer + Microsoft Windows 98 Non-Vulnerable Systems: The list of non-vulnerable systems. Summary: A concise summary of the vulnerability. Impact: The impact of the vulnerability. Technical Description: The in-depth description of the vulnerability. Attack Scenarios: Ways an attacker may make use of the vulnerability. Exploits: Exploit intructions or programs. Mitigating Strategies: Ways to mitigate the vulnerability. Solutions: Solutions to the vulnerability. Credit: Information about who disclosed the vulnerability. References: Sources of information on the vulnerability. Related Resources: Resources that might be of additional value. ChangeLog: History of changes to the vulnerability record. --------------------------------------------------------------------------- Copyright 2001 SecurityFocus.com [***** End SecurityFocus Security Alert BID 3581 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of SecurityFocus for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-013: Mac OS X Downloading Applications Vulnerability M-014: UNIX - Multiple Vulnerabilities In LPD M-015: Microsoft Universal Plug and Play Request Vulnerability M-016: Internet Explorer, Cumulative Vulnerabilities Patch M-017: Multiple SSH Vulnerabilities M-018: Cisco - Multiple Vulnerabilities in ACL Implementations M-019: Multiple Vendor CDE dtpscd Process Buffer Overflow M-020: SGI Multiple Local SendMail Vulnerability M-021: Hewlett-Packard Remote Logic Flaw Vulnerability in rlpdaemon M-022: SGI IRIX shells create temporary files insecurely