FTPD Version Vulnerability

Summary

Several versions of the ftpd server have a variety of vulnerabilities.

Impact

Malicious users exploiting these vulnerabilities are able to gain unauthorized access, possibly even root access, to a target system.

The Problems

Versions of the wuarchive ftpd available before April 8, 1993 have a vulnerability in the access control mechanism. Anyone (remote or local) can potentially gain access to any account, including root, on a host running this version of ftpd. This vulnerability is described in CERT Advisory CA-93.06.

Some copies of the source code for versions 2.2 and 2.1 of the wuarchive ftpd were modified by an intruder, and contain a Trojan horse. If your FTP daemon was compiled from the intruder-modified source code, you are vulnerable. If you are running the wuarchive ftpd, but not providing anonymous FTP access, you are still vulnerable to this Trojan horse. An intruder can gain root access on a host running an FTP daemon that contains the Trojan horse. This vulnerability is described in CERT Advisory CA-94.07.

Versions 2.0 through 2.3 of the wuarchive ftpd have two vulnerabilities that can be exploited to gain root access. The first vulnerability is in the SITE EXEC command feature of ftpd, and allows any user (remote or local) to obtain root access. The second vulnerability is due to a race condition in these implementations. Sites using these versions of ftpd are vulnerable even if they do not support anonymous FTP. In addition to the wuarchive ftpd, DECWRL ftpd versions prior to 5.93 and BSDI ftpd version 1.1 prior to patch 5 are vulnerable. These vulnerabilities are described in CERT Advisory CA-94.08. CERT Advisory CA-95.16 describes the SITE EXEC vulnerability in further detail, and lists all the Linux distributions that may be using the vulnerable version of ftpd.

Some vendor and third party versions of the ftpd have a vulnerability that may allow regular and anonymous FTP users to read or write to arbitrary files with root privileges. This vulnerability is caused by a signal handling routine that increases process privileges to root, while still continuing to catch other signals. This introduces a race condition that may allow regular, as well as anonymous FTP, users to access files with root privileges. Depending on the configuration of the ftpd server, this may allow intruders to read or write to arbitrary files on the server. This attack requires an intruder to be able to make a network connection to a vulnerable ftpd server. This vulnerability is described in CERT Advisory CA-97.16.
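The wuarchive version ranges above can be checked against greeting banners collected from your own FTP servers. The following is an added example, not part of the original advisory text or of any scanner's code; it covers only the wuarchive cases. The banner layout, the sample banners and the function name advisories_for are assumptions made for illustration, and the DECWRL, BSDI and CA-97.16 cases are not covered because a banner alone does not identify them.

```python
import re
from datetime import date

# Assumed banner shape (constructed sample, not quoted from the advisories):
#   220 host FTP server (Version wu-2.3(1) Tue Apr 5 10:12:32 CDT 1994) ready.
VERSION_RE = re.compile(r"Version wu-(\d+)\.(\d+)")
BUILD_RE = re.compile(
    r"([A-Z][a-z]{2}) +(\d{1,2}) \d\d:\d\d:\d\d(?: [A-Z]{3,4})? (\d{4})\)")
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
ACCESS_CONTROL_CUTOFF = date(1993, 4, 8)  # date the page gives for CA-93.06


def advisories_for(banner):
    """Return the advisories to review for a wuarchive ftpd greeting banner,
    or None when the banner does not identify wuarchive ftpd."""
    version = VERSION_RE.search(banner)
    if version is None:
        return None
    major, minor = int(version.group(1)), int(version.group(2))
    hits = []
    build = BUILD_RE.search(banner)
    if build and build.group(1) in MONTHS:
        try:
            built = date(int(build.group(3)), MONTHS[build.group(1)],
                         int(build.group(2)))
        except ValueError:      # impossible calendar date in the banner
            built = None
        # The compile date only approximates the source date: an early build
        # is a definite hit, a later build of old source would be missed.
        if built and built < ACCESS_CONTROL_CUTOFF:
            hits.append("CA-93.06")
    if (major, minor) in ((2, 1), (2, 2)):
        hits.append("CA-94.07")  # possible Trojan horse: verify the source used
    if major == 2 and 0 <= minor <= 3:
        hits += ["CA-94.08", "CA-95.16"]  # SITE EXEC and race condition
    return hits


# Constructed banners for illustration only.
SAMPLES = [
    "220 a.example.org FTP server (Version wu-2.3(1) Tue Apr 5 10:12:32 CDT 1994) ready.",
    "220 b.example.org FTP server (Version wu-2.2(3) Mon Feb 14 09:00:01 EST 1994) ready.",
    "220 c.example.org FTP server (Version wu-1.0(1) Mon Mar 1 12:00:00 CST 1993) ready.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(advisories_for(sample), "<-", sample)
```

An empty list means the banner matched none of the wuarchive ranges listed here, not that the server is free of the vendor-specific problems described in CA-97.16.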

Resolution

To correct these vulnerabilities, replace the ftpd server with a more recent version. The current version of the wuarchive ftpd can be found at the wuarchive ftp site. Another solution is to obtain the latest fixed or patched version of ftpd from the vendor. Finally, FTP access can be restricted by using a TCP wrapper.

Where can I read more about this?

To read more about the FTPD vulnerabilities, read CERT Advisories CA-97.16, CA-95.16, CA-94.08, CA-94.07, and CA-93.06. Additionally, you can read more about securing all information servers at this CIAC site.