Recently, Core Security Technologies notified Linux vendors of a serious security vulnerability in WU-FTP, a common Linux FTP server. Soon thereafter, Linux vendors began coordinating with CERT to provide patches that could fix this problem. These patches were to be released when the information of the vulnerability went public.

However, an inadvertent announcement by Red Hat made the information on this vulnerability available to the public before all of the vendors had readied their patches, causing the other Linux vendors to scramble a bit. Red Hat has apologized for the mistake and vowed not to let it happen again. If you have not already patched your Linux systems running WU-FTP, you should go to CERT Advisory CA-2001-33 and download and install the patch for your Linux system(s).

Threat level: High to extreme
Core Security Technologies discovered that Washington University’s WU-FTP suffers from a vulnerability in the wu-ftpd daemon because it does not properly handle glob commands. Further, it found that all versions of wu-ftpd up to and including 2.6.1 are vulnerable to this problem. This includes the default version of WU-FTP that ships on nearly every major Linux distribution.

The threat is particularly serious because the vulnerability gives any FTP session the ability to access any files on the server. Since most FTP servers allow anonymous as a login user, most servers are vulnerable to anyone on the Internet.

Mitigating factors
Administrators who have removed the anonymous FTP user account are still vulnerable to this problem, but attackers will need a valid user account name and password to establish an FTP session and make an attack.

If wu-ftpd does not have root privileges on a system, the potential damage will be limited to whatever privileges it is granted on that server.

A quick and dirty fix for many systems is to simply turn off the wu-ftpd daemon and/or block TCP port 21 on the firewall.

A specific wu-ftpd 2.6.1 patch is available from Neohapsis Archives, and some vendors have released a beta version of wu-ftpd (usually labeled 2.7.0). The developer of wu-ftpd advises that those having this version immediately revert their systems to version 2.6.1 and apply the necessary patch to that version. No patch has been released for 2.7.0, and has announced that it will skip that release number to avoid any confusion.

Ultimately, multiple Linux and UNIX versions are vulnerable to this problem. The best resource to see which distributions and versions are vulnerable and to locate individual patches and updated information is the CERT Vulnerability Note #886083 or individual vendor sites.

One word of warning: When you search for more information on this vulnerability, it’s important to know that a Trojan horse masquerading as a patch to wu-ftpd 2.6.1 was recently posted to the Vuln-Dev mailing list. This is not a legitimate patch, and it will damage your files if applied. A full report is available at Newsbytes.

The wu-ftpd FTP server is derived from the BSD ftpd and is maintained by the WU-FTPD Development Group, which has announced that it will release a fixed version of wu-ftpd with release 2.6.2.

Globbing is a term used to describe the way some software expands filenames using the old DOS wildcards such as an asterisk (*) and a question mark (?). That makes a nice shortcut for users who either don’t know the exact filename or need to download a lot of similar files. But matching all those wildcard filenames or expanding really complex glob requests can place a heavy load on a server and cause a denial of service event, according to the report “Secure Programming for Linux and Unix HOWTO.”

CERT identifies the glob vulnerability in Vulnerability Note #886083, which describes it as an unusual combination of two code bugs rather than the usual buffer overflow flaw. According to the CERT report, “WU-FTPD’s implementation of the glob command does not properly return an error condition when interpreting the string ‘~{‘ and then frees memory that may contain user-supplied data.” This means that attackers could run arbitrary code on the server once it is compromised with the relatively simple glob attack.

End sum
If you use WU-FTP for running FTP services on your network, you should download and apply the appropriate patch for your OS as soon as possible. Due to the inherent danger of this vulnerability, this is not an update to put off for a more convenient time.

Have a comment or a question?

We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.