Some copies of the source code for versions 2.2 and 2.1 of the wuarchive ftpd were modified by an intruder, and contain a Trojan horse. If your FTP daemon was compiled from the intruder-modified source code, you are vulnerable. If you are running the wuarchive ftpd, but not providing anonymous FTP access, you are still vulnerable to this Trojan horse. An intruder can gain root access on a host running an FTP daemon that contains the Trojan horse. This vulnerability is described in CERT Advisory CA-94.07.
Versions 2.0 through 2.3 of the wuarchive ftpd have two vulnerabilities that can be exploited to gain root access. The first vulnerability is in the SITE EXEC command feature of ftpd that allows any user (remote or local) to obtain root access. There is a second vulnerability due to a race condition in these implementations. Sites using these versions of ftpd are vulnerable even if they do not support anonymous FTP. In addition to the wuarchive ftpd, DECWRL ftpd versions prior to 5.93 and BSDI ftpd versions 1.1 prior to patch 5 are vulnerable. This vulnerability is described in CERT Advisory CA-94.08. CERT Advisory CA-95.16 describes the SITE EXEC vulnerability in further detail, and lists all the Linux distributions that may be using the vulnerable version of ftpd.
Some vendor and third party versions of the ftpd have a vulnerability that may allow regular and anonymous FTP users to read or write to arbitrary files with root privileges. This vulnerability is caused by a signal handling routine that increases process privileges to root, while still continuing to catch other signals. This introduces a race condition that may allow regular, as well as anonymous FTP, users to access files with root privileges. Depending on the configuration of the ftpd server, this may allow intruders to read or write to arbitrary files on the server. This attack requires an intruder to be able to make a network connection to a vulnerable ftpd server. This vulnerability is described in CERT Advisory CA-97.16.