Possible WUftpd Vulnerabilities
Summary
WUftpd: A third-party ftpd daemon that is popular in Linux distributions.
It is also found on many other platforms, installed by either the vendor or
the user. Several versions have been found vulnerable. However, vendors
have patched this program without changing the version number (as
displayed on the login banner). Consequently, SARA cannot confirm that
the program is vulnerable.
Impact
A remote intruder can execute commands as root if the buffer overflow
attack is successful (i.e., the command currently targeted is chdir).
The problem
The Washington University (WU) ftpd daemon is a powerful program that
adds many safeguards and configurable security options to the standard
ftpd distribution. Unfortunately, it was plagued by several
vulnerabilities in the late 1990s. The recent problem centers around
version wu-2.5.0(1). The original version was vulnerable to the chdir attack.
Vendors, such as Red Hat, quickly fixed the problem but neglected to change
the version number. As SARA assesses ftp vulnerability by version number,
it cannot determine whether the new "version" has been applied.
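The banner-only assessment described above can be sketched as follows. This is an added example, not SARA's own code: the greeting layout, the function names and the sample banners are assumptions, and the only version string used is the one this page names.

```python
import re
from typing import List, Optional, Tuple

# The one version string the page names. Its original build was vulnerable to
# the chdir overflow, but vendor-patched builds print the same string.
AMBIGUOUS_VERSIONS = {"wu-2.5.0(1)"}

# Assumed greeting layout: "220 <host> FTP server (Version wu-X.Y.Z(N) <date>) ready."
_WU_RE = re.compile(r"\(Version (wu-[0-9][^\s()]*(?:\(\d+\))?)")

def classify_banner(banner: str) -> Tuple[str, Optional[str]]:
    """Return (status, version) from a greeting banner.

    'not-wuftpd' : no wu-ftpd version token in the banner
    'possible'   : version matches, but the banner cannot tell patched from unpatched
    'not-listed' : wu-ftpd, but not the version named here (not proof of safety)
    """
    m = _WU_RE.search(banner)
    if m is None:
        return ("not-wuftpd", None)
    version = m.group(1)
    if version in AMBIGUOUS_VERSIONS:
        return ("possible", version)
    return ("not-listed", version)

def hosts_needing_package_check(banners: List[Tuple[str, str]]) -> List[str]:
    """Hosts whose banner is ambiguous and must be verified on the host itself
    (installed vendor package and errata level), not over the network."""
    return [host for host, banner in banners
            if classify_banner(banner)[0] == "possible"]

# Constructed sample banners (hostnames and dates are made up).
SAMPLE = [
    ("ftp1.example.test", "220 ftp1.example.test FTP server (Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999) ready."),
    ("ftp2.example.test", "220 ftp2.example.test FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready."),
    ("ftp3.example.test", "220 ftp3.example.test FTP server ready."),
]

if __name__ == "__main__":
    for host, banner in SAMPLE:
        print(host, classify_banner(banner))
    print("verify on host:", hosts_needing_package_check(SAMPLE))
```

A "possible" result is the most a banner check can report here; confirmation has to come from the vendor package and errata level installed on the host.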
Fix
- Confirm that the system has the most up-to-date version of WUftpd.
- Otherwise, patch the system to a version that is not vulnerable to
the buffer overflow attack. However, there are reports that even patched
versions may be vulnerable.
Other tips
CERT released the CA-99-13 advisory on this topic.