Just got this from the ASU LUG, wanted to make sure y'all got this too. I don't know what to make of it, whether it's a hoax or not; I'm a *nix newbie anyway, so... take it as you will.

Light the way
--Egui (pronounced Egg-ee, don't ask)

--- ellipse wrote:

> Date: Fri, 30 Nov 2001 07:34:38 -0700
> From: ellipse
> Subject: *ALERT* UPDATED BID 3581 (URGENCY 8.2): Wu-Ftpd File Globbing Heap Corruption Vulnerability
> To: ASULUG@asu.edu
> Reply-to: Arizona State University Linux Users Group
>
>
> For the benefit of those of you that haven't seen this as of yet. Be
> sure to patch this, as you can bet there'll be a worm that comes out of
> this.
>
> Cheers,
> ellipse
>
> ---------------------------------------------------------------------------
> Security Alert
>
> Subject:       Wu-Ftpd File Globbing Heap Corruption Vulnerability
> BUGTRAQ ID:    3581                        CVE ID:          CAN-2001-0550
> Published:     Nov 27, 2001                Updated:         Nov 30, 2001 00:19:10
>
> Remote:        Yes                         Local:           No
> Availability:  Always                      Authentication:  Not Required
> Credibility:   Vendor Confirmed            Ease:            No Exploit Available
> Class:         Failure to Handle Exceptional Conditions
>
> Impact:        10.0                        Severity:        10.0
> Urgency:       8.2
>
> Last Change:   Wirex Immunix advisory released, updated packages available.
> ---------------------------------------------------------------------------
>
> Vulnerable Systems:
>
> David Madore ftpd-BSD 0.3.3
> David Madore ftpd-BSD 0.3.2
> Washington University wu-ftpd 2.6.1
>   + Caldera eDesktop 2.4
>   + Caldera eServer 2.3.1
>   + Caldera OpenLinux 2.3
>   + Caldera OpenLinux Server 3.1
>   + Cobalt Qube 1.0
>   + Conectiva Linux 7.0
>   + Conectiva Linux 6.0
>   + MandrakeSoft Corporate Server 1.0.1
>   + MandrakeSoft Linux Mandrake 8.1
>   + MandrakeSoft Linux Mandrake 8.0 ppc
>   + MandrakeSoft Linux Mandrake 8.0
>   + MandrakeSoft Linux Mandrake 7.2
>   + MandrakeSoft Linux Mandrake 7.1
>   + MandrakeSoft Linux Mandrake 7.0
>   + MandrakeSoft Linux Mandrake 6.1
>   + MandrakeSoft Linux Mandrake 6.0
>   + RedHat Linux 7.2 noarch
>   + RedHat Linux 7.2 ia64
>   + RedHat Linux 7.2 i686
>   + RedHat Linux 7.2 i586
>   + RedHat Linux 7.2 i386
>   + RedHat Linux 7.2 athlon
>   + RedHat Linux 7.2 alpha
>   + RedHat Linux 7.1 noarch
>   + RedHat Linux 7.1 ia64
>   + RedHat Linux 7.1 i686
>   + RedHat Linux 7.1 i586
>   + RedHat Linux 7.1 i386
>   + RedHat Linux 7.1 alpha
>   + RedHat Linux 7.0 sparc
>   + RedHat Linux 7.0 i386
>   + RedHat Linux 7.0 alpha
>   + TurboLinux TL Workstation 6.1
>   + TurboLinux Turbo Linux 6.0.5
>   + TurboLinux Turbo Linux 6.0.4
>   + TurboLinux Turbo Linux 6.0.3
>   + TurboLinux Turbo Linux 6.0.2
>   + TurboLinux Turbo Linux 6.0.1
>   + TurboLinux Turbo Linux 6.0
>   + Wirex Immunix OS 7.0-Beta
>   + Wirex Immunix OS 7.0
> Washington University wu-ftpd 2.6.0
>   + Cobalt Qube 1.0
>   + Conectiva Linux 5.1
>   + Conectiva Linux 5.0
>   + Conectiva Linux 4.2
>   + Conectiva Linux 4.1
>   + Conectiva Linux 4.0es
>   + Conectiva Linux 4.0
>   + Debian Linux 2.2 sparc
>   + Debian Linux 2.2 powerpc
>   + Debian Linux 2.2 arm
>   + Debian Linux 2.2 alpha
>   + Debian Linux 2.2 68k
>   + Debian Linux 2.2
>   + RedHat Linux 6.2 sparc
>   + RedHat Linux 6.2 i386
>   + RedHat Linux 6.2 alpha
>   + RedHat Linux 6.1 sparc
>   + RedHat Linux 6.1 i386
>   + RedHat Linux 6.1 alpha
>   + RedHat Linux 6.0 sparc
>   + RedHat Linux 6.0 i386
>   + RedHat Linux 6.0 alpha
>   + RedHat Linux 5.2 sparc
>   + RedHat Linux 5.2 i386
>   + RedHat Linux 5.2 alpha
>   + S.u.S.E. Linux 7.3 sparc
>   + S.u.S.E. Linux 7.3 ppc
>   + S.u.S.E. Linux 7.3 i386
>   + S.u.S.E. Linux 7.2 i386
>   + S.u.S.E. Linux 7.1 x86
>   + S.u.S.E. Linux 7.1 sparc
>   + S.u.S.E. Linux 7.1 ppc
>   + S.u.S.E. Linux 7.1 alpha
>   + S.u.S.E. Linux 7.0 sparc
>   + S.u.S.E. Linux 7.0 ppc
>   + S.u.S.E. Linux 7.0 i386
>   + S.u.S.E. Linux 7.0 alpha
>   + S.u.S.E. Linux 6.4 ppc
>   + S.u.S.E. Linux 6.4 alpha
>   + S.u.S.E. Linux 6.4
>   + S.u.S.E. Linux 6.3 ppc
>   + S.u.S.E. Linux 6.3 alpha
>   + S.u.S.E. Linux 6.3
>   + S.u.S.E. Linux 6.2
>   + S.u.S.E. Linux 6.1 alpha
>   + S.u.S.E. Linux 6.1
>   + TurboLinux Turbo Linux 4.0
>   + Wirex Immunix OS 6.2
> Washington University wu-ftpd 2.5.0
>   + Caldera eDesktop 2.4
>   + Caldera eServer 2.3.1
>   + Caldera eServer 2.3
>   + Caldera OpenLinux 2.4
>   + Caldera OpenLinux Desktop 2.3
>   + RedHat Linux 6.0 sparc
>   + RedHat Linux 6.0 i386
>   + RedHat Linux 6.0 alpha
>
>
> Summary:
>
> Wu-Ftpd contains a remotely exploitable heap corruption bug.
>
> Impact:
>
> A remote attacker may execute arbitrary code on the vulnerable server.
>
> Technical Description:
>
> Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by
> Washington University.
>
> Wu-Ftpd allows for clients to organize files for ftp actions based on
> "file globbing" patterns. File globbing is also used by various
> shells. The implementation of file globbing included in Wu-Ftpd
> contains a heap corruption vulnerability that may allow for an attacker
> to execute arbitrary code on a server remotely.
>
> During the processing of a globbing pattern, the Wu-Ftpd implementation
> creates a list of the files that match. The memory where this data is
> stored is on the heap, allocated using malloc(). The globbing function
> simply returns a pointer to the list. It is up to the calling
> functions to free the allocated memory.
>
> If an error occurs processing the pattern, memory will not be allocated
> and a variable indicating this should be set. The calling functions
> must check the value of this variable before attempting to use the
> globbed filenames (and later freeing the memory).
>
> Under certain circumstances, the globbing function does not set this
> variable when an error occurs. As a result of this, Wu-Ftpd will
> eventually attempt to free uninitialized memory.
>
> If this region of memory contained user-controllable data before the
> free call, it may be possible to have an arbitrary word in memory
> overwritten with an arbitrary value. This can lead to execution of
> arbitrary code if function pointers or return addresses are
> overwritten.
>
> If anonymous FTP is not enabled, valid user credentials are required to
> exploit this vulnerability.
>
> This vulnerability was initially scheduled for public release on
> December 3, 2001. However, Red Hat has made details public as of
> November 27, 2001. As a result, we are forced to warn other users of
> the vulnerable product, so that they may take appropriate actions.
>
> Attack Scenarios:
>
> To exploit this vulnerability, an attacker must have either valid
> credentials required to log in as an FTP user, or anonymous access must
> be enabled.
>
> The attacker must ensure that a maliciously constructed malloc header
> containing the target address and its replacement value are in the
> right location in the uninitialized part of the heap. The attacker
> must also place shellcode in server process memory.
>
> The attacker must send an FTP command containing a specific globbing
> pattern that does not set the error variable.
>
> When the server attempts to free the memory used to store the globbed
> filenames, the target word in memory will be overwritten.
>
> If an attacker overwrites a function pointer or return address with a
> pointer to the shellcode, it may be executed by the server process.
>
> Exploits:
>
> The following (from the CORE advisory) demonstrates the existence of
> this vulnerability:
>
> ftp> open localhost
> Connected to localhost (127.0.0.1).
> 220 sasha FTP server (Version wu-2.6.1-18) ready.
> Name (localhost:root): anonymous
> 331 Guest login ok, send your complete e-mail address as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls ~{
> 227 Entering Passive Mode (127,0,0,1,241,205)
> 421 Service not available, remote server has closed connection
>
>  1405 ?        S      0:00 ftpd: accepting connections on port 21
>  7611 tty3     S      1:29 gdb /usr/sbin/wu.ftpd
> 26256 ?        S      0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> 26265 tty3     R      0:00 bash -c ps ax | grep ftpd
> (gdb) at 26256
> Attaching to program: /usr/sbin/wu.ftpd, process 26256
> Symbols already loaded for /lib/libcrypt.so.1
> Symbols already loaded for /lib/libnsl.so.1
> Symbols already loaded for /lib/libresolv.so.2
> Symbols already loaded for /lib/libpam.so.0
> Symbols already loaded for /lib/libdl.so.2
> Symbols already loaded for /lib/i686/libc.so.6
> Symbols already loaded for /lib/ld-linux.so.2
> Symbols already loaded for /lib/libnss_files.so.2
> Symbols already loaded for /lib/libnss_nisplus.so.2
> Symbols already loaded for /lib/libnss_nis.so.2
> 0x40165544 in __libc_read () from /lib/i686/libc.so.6
> (gdb) c
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> __libc_free (mem=0x61616161) at malloc.c:3136
> 3136    in malloc.c
>
> Currently the SecurityFocus staff are not aware of any exploits for
> this issue. If you feel we are in error or are aware of more recent
> information, please mail us at: vuldb@securityfocus.com
>
>
> Mitigating Strategies:
>
> This vulnerability is remotely exploitable. Restricting access to the
> network port (TCP port 21 is standard for FTP) will block clients
> from unauthorized networks.
>
> With some operating systems, anonymous FTP is enabled by default.
> Anonymous FTP is often in use on public FTP sites, most often software
> repositories. It is basically a guest account with access to download
> files from within a restricted environment. This vulnerability is
> exploitable by clients logged in through anonymous FTP. Anonymous FTP
> should be disabled immediately until fixes are available, as it would
> allow any host on the Internet who can connect to the service to
> exploit this vulnerability. It is a good idea to disable it normally
> unless it is absolutely necessary (in which case the FTP server should
> be on a dedicated, isolated host).
>
> Stack and other memory protection schemes may complicate
> exploitability, and/or prevent commonly available exploits from
> working. This should not be relied upon for security. This
> vulnerability involves 'poking' words in memory. This means that there
> are many different ways that it may be exploited. Making the stack
> non-executable or checking the integrity of stack variables may not be
> enough to prevent all possible methods of exploitation.
>
> It is advised to disable the service and use alternatives until fixes
> are available.
>
> Solutions:
>
> Vendor notified on Nov 14, 2001.
>
> Fixes will be available from the author as well as from vendors who
> ship products that include Wu-Ftpd as core or optional components.
>
> This vulnerability was initially scheduled for public release on
> December 3, 2001. Red Hat pre-emptively released an advisory on
> November 27, 2001.
> As a result, other vendors may not yet have fixes available.
>
> This record will be updated as fixes from various vendors become
> available.
>
> For Washington University wu-ftpd 2.6.0:
>
> SuSE Upgrade 7.3 i386 wuftpd-2.6.0-344.i386.rpm
> ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-344.i386.rpm
>
> SuSE Upgrade 7.2 i386 wuftpd-2.6.0-344.i386.rpm
> ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-344.i386.rpm
>
> SuSE Upgrade 7.1 i386 wuftpd-2.6.0-346.i386.rpm
> ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/wuftpd-2.6.0-346.i386.rpm
>
> SuSE Upgrade 7.0 i386 wuftpd-2.6.0-344.i386.rpm
> ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/wuftpd-2.6.0-344.i386.rpm
>
> SuSE Upgrade 6.4 i386 wuftpd-2.6.0-344.i386.rpm
> ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/wuftpd-2.6.0-344.i386.rpm
>
> SuSE Upgrade 6.3 i386 wuftpd-2.6.0-347.i386.rpm
> ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/wuftpd-2.6.0-347.i386.rpm
>
> SuSE Upgrade 7.3 sparc wuftpd-2.6.0-240.sparc.rpm
> ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-240.sparc.rpm
>
> SuSE Upgrade 7.1 sparc wuftpd-2.6.0-242.sparc.rpm
> ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/wuftpd-2.6.0-242.sparc.rpm
>
> SuSE Upgrade 7.0 sparc wuftpd-2.6.0-241.sparc.rpm
> ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/wuftpd-2.6.0-241.sparc.rpm
>
> SuSE Upgrade 7.1 alpha wuftpd-2.6.0-252.alpha.rpm
> ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/wuftpd-2.6.0-252.alpha.rpm
>
> SuSE Upgrade 7.0 alpha wuftpd-2.6.0-251.alpha.rpm
> ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/wuftpd-2.6.0-251.alpha.rpm
>
> SuSE Upgrade 6.4 alpha wuftpd-2.6.0-251.alpha.rpm
> ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/wuftpd-2.6.0-251.alpha.rpm
>
> SuSE Upgrade 6.3 alpha wuftpd-2.6.0-250.alpha.rpm
> ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/wuftpd-2.6.0-250.alpha.rpm
>
> SuSE Upgrade 7.3 ppc wuftpd-2.6.0-277.ppc.rpm
> ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-277.ppc.rpm
>
> SuSE Upgrade 7.1 ppc wuftpd-2.6.0-277.ppc.rpm
> ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/wuftpd-2.6.0-277.ppc.rpm
>
> SuSE Upgrade 7.0 ppc wuftpd-2.6.0-279.ppc.rpm
> ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/wuftpd-2.6.0-279.ppc.rpm
>
> SuSE Upgrade 6.4 ppc wuftpd-2.6.0-278.ppc.rpm
> ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/wuftpd-2.6.0-278.ppc.rpm
>
> For Washington University wu-ftpd 2.6.1:
>
> Red Hat RPM 6.2 alpha wu-ftpd-2.6.1-0.6x.21.alpha.rpm
> ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm
>
> Red Hat RPM 6.2 sparc wu-ftpd-2.6.1-0.6x.21.sparc.rpm
> ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm
>
> Caldera RPM OpenLinux 2.3 wu-ftpd-2.6.1-13OL.i386.rpm
> ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS/wu-ftpd-2.6.1-13OL.i386.rpm
>
> Caldera RPM eServer 2.3.1 wu-ftpd-2.6.1-13OL.i386.rpm
> ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/wu-ftpd-2.6.1-13OL.i386.rpm
>
> Caldera RPM eDesktop 2.4 wu-ftpd-2.6.1-13OL.i386.rpm
> ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/wu-ftpd-2.6.1-13OL.i386.rpm
>
> Caldera RPM OpenLinux 3.1 Server wu-ftpd-2.6.1-13.i386.rpm
> ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS/wu-ftpd-2.6.1-13.i386.rpm
>
> Wirex Upgrade Immunix 7.0 i386 wu-ftpd-2.6.1-6_imnx_4.i386.rpm
> http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/wu-ftpd-2.6.1-6_imnx_4.i386.rpm
>
> Red Hat RPM 7.0 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
> ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm
>
> Red Hat RPM 7.0 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
> ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm
>
> Red Hat RPM 7.1 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
> ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm
>
> Red Hat RPM 7.1 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
> ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm
>
> Red Hat RPM 7.1 ia64 wu-ftpd-2.6.1-16.7x.1.ia64.rpm
> ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm
>
> Red Hat RPM 7.2 i386 wu-ftpd-2.6.1-20.i386.rpm
> ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm
>
> Red Hat RPM 6.2 i386 wu-ftpd-2.6.1-0.6x.21.i386.rpm
> ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm
>
> Credit:
>
> Condition first reported by Matt Power. Exploitability later confirmed
> by Luciano Notarfrancesco and Juan Pablo Martinez Kuhn from Core
> Security Technologies, Buenos Aires, Argentina.
>
> References:
>
> advisory:
> Caldera CSSA-2001-041.0: Linux - Vulnerability in wu-ftpd
> http://www.securityfocus.com/advisories/3693
>
> advisory:
> Immunix IMNX-2001-70-036-01: wu-ftpd
> http://www.securityfocus.com/advisories/3696
>
> advisory:
> RedHat RHSA-2001:157-06: Updated wu-ftpd packages are available
> http://www.securityfocus.com/advisories/3680
>
> advisory:
> SuSE SuSE-SA:2001:043: wuftpd
> http://www.securityfocus.com/advisories/3691
>
> web page:
> CORE SDI Homepage (CORE)
> http://www.core-sdi.com
>
> web page:
> Wu-Ftpd Homepage (Washington University)
> http://www.wu-ftpd.org
>
> ChangeLog:
>
> Nov 30, 2001: Wirex Immunix advisory released, updated packages
>               available.
> Nov 29, 2001: SUSE and Caldera fixes available; some versions of BSD
>               FTPD may also be vulnerable.
> Nov 26, 2001: Initial analysis.
>
> ---------------------------------------------------------------------------
>
> HOW TO INTERPRET THIS ALERT
>
> BUGTRAQ ID:          This is a unique identifier assigned to the
>                      vulnerability by SecurityFocus.com.
>
> CVE ID:              This is a unique identifier assigned to the
>                      vulnerability by the CVE.
>
> Published:           The date the vulnerability was first made public.
>
> Updated:             The date the information was last updated.
>
> Remote:              Whether this is a remotely exploitable
>                      vulnerability.
>
> Local:               Whether this is a locally exploitable
>                      vulnerability.
>
> Credibility:         Describes how credible the information about the
>                      vulnerability is. Possible values are:
>
>                      Conflicting Reports: There are multiple
>                      conflicting reports about the existence of the
>                      vulnerability.
>
>                      Single Source: There is a single non-reliable
>                      source reporting the existence of the
>                      vulnerability.
>
>                      Reliable Source: There is a single reliable source
>                      reporting the existence of the vulnerability.
>
>                      Conflicting Details: There is consensus on the
>                      existence of the vulnerability but not its
>                      details.
>
>                      Multiple Sources: There is consensus on the
>                      existence and details of the vulnerability.
>
>                      Vendor Confirmed: The vendor has confirmed the
>                      vulnerability.
>
> Class:               The class of vulnerability. Possible values are:
>                      Boundary Condition Error, Access Validation Error,
>                      Origin Validation Error, Input Validation Error,
>                      Failure to Handle Exceptional Conditions, Race
>                      Condition Error, Serialization Error, Atomicity
>                      Error, Environment Error, and Configuration Error.
>
> Ease:                Rates how easily the vulnerability can be
>                      exploited. Possible values are: No Exploit
>                      Available, Exploit Available, and No Exploit
>                      Required.
>
> Impact:              Rates the impact of the vulnerability. Its range
>                      is 1 through 10.
>
> Severity:            Rates the severity of the vulnerability. Its range
>                      is 1 through 10. It is computed from the impact
>                      rating and remote flag. Remote vulnerabilities with
>                      a high impact rating receive a high severity
>                      rating. Local vulnerabilities with a low impact
>                      rating receive a low severity rating.
>
> Urgency:             Rates how quickly you should take action to fix or
>                      mitigate the vulnerability. Its range is 1 through
>                      10. It is computed from the severity rating, the
>                      ease rating, and the credibility rating. High
>                      severity vulnerabilities with a high ease rating
>                      and a high confidence rating have a higher urgency
>                      rating. Low severity vulnerabilities with a low
>                      ease rating and a low confidence rating have a
>                      lower urgency rating.
>
> Last Change:         The last change made to the vulnerability
>                      information.
>
> Vulnerable Systems:  The list of vulnerable systems. A '+' preceding a
>                      system name indicates that one of the system
>                      components is vulnerable. For example, Windows 98
>                      ships with Internet Explorer. So if a
>                      vulnerability is found in IE you may see something
>                      like:
>                        Microsoft Internet Explorer
>                          + Microsoft Windows 98
>
> Non-Vulnerable Systems: The list of non-vulnerable systems.
>
> Summary:             A concise summary of the vulnerability.
>
> Impact:              The impact of the vulnerability.
>
> Technical Description: The in-depth description of the vulnerability.
>
> Attack Scenarios:    Ways an attacker may make use of the vulnerability.
>
> Exploits:            Exploit instructions or programs.
>
> Mitigating Strategies: Ways to mitigate the vulnerability.
>
> Solutions:           Solutions to the vulnerability.
>
> Credit:              Information about who disclosed the vulnerability.
>
> References:          Sources of information on the vulnerability.
>
> Related Resources:   Resources that might be of additional value.
>
> ChangeLog:           History of changes to the vulnerability record.
>
> ---------------------------------------------------------------------------
>
> Copyright 2001 SecurityFocus.com
>
>
> ----------
> SecurityFocus - the leading provider of Security Intelligence Services for
> business.
> Visit our website at www.securityfocus.com
>
> EnvoyWorldWide, Inc.
> Business-Critical Communications for the wired and wireless world.
> Visit our website at www.envoyww.com