OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: X-Force (xforceiss.net)
Date: Thu Nov 29 2001 - 13:27:44 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
    majordomoiss.net Contact alert-owneriss.net for help with any problems!
    ---------------------------------------------------------------------------

    -----BEGIN PGP SIGNED MESSAGE-----

    Internet Security Systems Security Alert
    November 29, 2001

    WU-FTPD Heap Corruption Vulnerability

    Synopsis:

    Internet Security Systems (ISS) X-Force has learned of the public
    release of a proof of concept exploit for a vulnerability in Washington
    University's FTP daemon (WU-FTPD). This FTP daemon is packaged as a part
    of many Linux distributions. This vulnerability, which was originally
    reported in April 2001, may allow remote attackers who are able to login
    to the FTP service to execute arbitrary commands on a target system
    without any specific knowledge of that host.

    Affected Versions:

    Washington University wu-ftpd 2.6.1:
    - - Caldera OpenLinux Server 3.1, OpenLinux Workstation 3.1
    - - Cobalt Qube 1.0
    - - Conectiva Linux 7.0, 6.0
    - - MandrakeSoft Corporate Server 1.0.1
    - - MandrakeSoft Mandrake Linux 8.1, 8.0 ppc, 8.0, 7.2, 7.1, 7.0, 6.1, 6.0
    - - Red Hat Linux 7.2 noarch, 7.2 ia64, 7.2 i686, 7.2 i586, 7.2 i386,
      7.2 athlon, 7.2 alpha
    - - Red Hat Linux 7.1 noarch, 7.1 ia64, 7.1 i686, 7.1 i586, 7.1 i386,
      7.1 alpha
    - - Red Hat Linux 7.0 sparc, 7.0 i386, 7.0 alpha
    - - Turbolinux TL Workstation 6.1
    - - Turbolinux 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0
    - - WireX Immunix OS 7.0-Beta, 7.0

    Washington University wu-ftpd 2.6.0:
    - - Cobalt Qube 1.0
    - - Conectiva Linux 5.1, 5.0, 4.2, 4.1, 4.0es, 4.0
    - - Debian Linux 2.2 sparc, 2.2 powerpc, 2.2 arm, 2.2 alpha, 2.2 68k, 2.2
    - - Red Hat Linux 6.2 sparc, 6.2 i386, 6.2 alpha
    - - Red Hat Linux 6.1 sparc, 6.1 i386, 6.1 alpha
    - - Red Hat Linux 6.0 sparc, 6.0 i386, 6.0 alpha
    - - Red Hat Linux 5.2 sparc, 5.2 i386, 5.2 alpha
    - - SuSE Linux 6.4ppc, 6.4alpha, 6.4
    - - SuSE Linux 6.3 ppc, 6.3 alpha, 6.3
    - - SuSE Linux 6.2
    - - SuSE Linux 6.1 alpha, 6.1
    - - Turbolinux 4.0
    - - WireX Immunix OS 6.2

    Washington University wu-ftpd 2.5.0:
    - - Caldera eDesktop 2.4, eServer 2.3.1, eServer 2.3
    - - Caldera OpenLinux 2.4, OpenLinux Desktop 2.3
    - - Red Hat Linux 6.0 sparc, 6.0 i386, 6.0 alpha

    Description:

    The WU-FTPD daemon allows users to transfer files to and from the system
    running the service, using the File Transport Protocol (FTP). Many
    popular Linux distributions are shipped with WU-FTPD running by default.

    A vulnerability exists that may allow attackers to execute arbitrary
    code with the privileges of the FTP daemon (most often root), resulting
    in a complete system compromise. The attacker must be able to
    successfully login to the service with any account (including anonymous)
    in order to perform the exploit. This vulnerability is caused by the
    failure of the "globbing" code to signal errors on specially crafted
    expressions, resulting in a corruption of heap memory, which may be
    exploited by attackers to overwrite an arbitrary location in memory.

    The term "globbing" refers to the action taken by the glob() function,
    which is implemented in glibc library. WU-FTPD implements its own
    version of glob(). The glob() function is responsible for interpreting
    user-supplied filenames and returning valid pathnames. The glob()
    function interprets special metacharacters such as the asterisk (*) or
    "wildcard" character when returning valid pathnames. Other
    metacharacters (including ? [ ] { } ~ ') are also incorrectly
    interpreted by the glob() function. The vulnerability exists as a result
    of improper handling of these metacharacters in the WU-FTPD glob()
    implementation.

    Recommendations:

    ISS X-Force recommends that all system administrators disable the FTP
    service if it is not explicitly required. Patches for this vulnerability
    are being made available. Contact your vendor for more information. X-
    Force further recommends that administrators disable "anonymous" access
    to critical FTP servers if the feature is not required.

    ISS X-Force will provide detection and assessment support for this
    vulnerability in upcoming X-Press Updates for RealSecure Network
    Sensor and Internet Scanner. Detection support for this attack will also
    be added in a future update for BlackICE products.

    Additional Information:

    This vulnerability was initially discovered by Matt Power. The issue was
    confirmed and investigated further by Luciano Notarfrancesco and Juan
    Pablo Martinez Kuhn of Core Security Technologies:
    http://www.corest.com

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2001-0550 to this issue. This is a candidate for inclusion in
    the CVE list http://cve.mitre.org, which standardizes names for
    security problems.

    ISS X-Force Database,
    http://xforce.iss.net/static/7611.php

    ______

    About Internet Security Systems (ISS)
    Internet Security Systems is a leading global provider of security
    management solutions for the Internet, protecting digital assets and
    ensuring safe and uninterrupted e-business. With its industry-leading
    intrusion detection and vulnerability assessment, remote managed
    security services, and strategic consulting and education offerings, ISS
    is a trusted security provider to more than 8,000 customers worldwide
    including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
    telecommunications companies. Founded in 1994, ISS is headquartered in
    Atlanta, GA, with additional offices throughout North America and
    international operations in Asia, Australia, Europe, Latin America and
    the Middle East. For more information, visit the Internet Security
    Systems web site at www.iss.net or call 888-901-7477.

    Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved
    worldwide.

    Permission is hereby granted for the redistribution of this Alert
    electronically. It is not to be edited in any way without express
    consent of the X-Force. If you wish to reprint the whole or any part
    of this Alert in any other medium excluding electronic medium, please
    e-mail xforceiss.net for permission.

    Disclaimer

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of or
    in connection with the use or spread of this information. Any use of
    this information is at the user's own risk.

    X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
    as well as on MIT's PGP key server and PGP.com's key server.

    Please send suggestions, updates, and comments to: X-Force
    xforceiss.net of Internet Security Systems, Inc.

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3a
    Charset: noconv

    iQCVAwUBPAaL/TRfJiV99eG9AQHpaAQAsl86+pGc/rjlTG/VhDv28IJO+IgSORq4
    55zaa4RuZ6y8KBDHkyweCsFT3Jf4J4dJwBbrIJXFP+2S4NokWxTSt3zrnQwRMzRp
    u4+y2y0TfgQWwAQPXVeMaCKGZ39kmVqfhi++I3QesRYC4LVuKJYtWM8snOM75ZTk
    fKCuStDNppo=
    =bVGu
    -----END PGP SIGNATURE-----