This story was printed from ZDNet Australia.
Linux admins: Flaw warning

By Staff writers, Technology & Business
February 22, 2002
URL: http://www.zdnet.com.au/news/business/soa/Linux-admins-Flaw-warning/0,139023166,120263492,00.htm

After Core Security Technologies notified Linux vendors of a serious security vulnerability in WU-FTP, a common Linux FTP server, the vendors began coordinating with CERT to provide patches to fix the problem.

These patches were to be released when information about the vulnerability went public.

However, an inadvertent announcement by Red Hat made the information on this vulnerability available to the public before all of the vendors had readied their patches, causing the other Linux vendors to scramble a bit.

Red Hat has apologised for the mistake and vowed not to let it happen again. If you have not already patched your Linux systems running WU-FTP, you should go to CERT Advisory CA-2001-33 (www.cert.org/advisories/CA-2001-33.html) and download and install the patch for your Linux system(s).

Threat level: high to extreme

Core Security Technologies discovered that Washington University's WU-FTP suffers from a vulnerability in the wu-ftpd daemon because it does not properly handle glob commands.

Further, it found that all versions of wu-ftpd up to and including 2.6.1 are vulnerable to this problem. This includes the default version of WU-FTP that ships on nearly every major Linux distribution.

The threat is particularly serious because the vulnerability gives any FTP session the ability to access any files on the server. Since most FTP servers allow anonymous as a login user, most servers are vulnerable to anyone on the Internet.

Mitigating factors

Administrators who have removed the anonymous FTP user account are still vulnerable to this problem, but attackers will need a valid user account name and password to establish an FTP session and make an attack.

If wu-ftpd does not have root privileges on a system, the potential damage will be limited to whatever privileges it is granted on that server.

A quick and dirty fix for many systems is to simply turn off the wu-ftpd daemon and/or block TCP port 21 on the firewall.

Fix

A specific wu-ftpd 2.6.1 patch (http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html) is available from Neohapsis Archives, and some vendors have released a beta version of wu-ftpd (usually labelled 2.7.0).

The developer of wu-ftpd advises that anyone running this version immediately revert their systems to version 2.6.1 and apply the necessary patch to that version.

No patch has been released for 2.7.0, and wu-ftpd.org has announced that it will skip that release number to avoid any confusion.

Ultimately, multiple Linux and UNIX versions are vulnerable to this problem. The best resource to see which distributions and versions are vulnerable and to locate individual patches and updated information is the CERT Vulnerability Note #886083 (www.kb.cert.org/vuls/id/886083) or individual vendor sites.
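The version rules above (2.6.1 and earlier vulnerable unless patched, the 2.7.0 beta to be reverted, 2.6.2 fixed) are easy to get wrong across a fleet, so here is an added triage helper; it is not code from the article or from the wu-ftpd project, and it assumes the greeting banner carries a "Version wu-X.Y.Z" string, with all hostnames and banners below constructed for illustration.

```python
import re

# Constructed example: classify wu-ftpd versions seen in FTP greeting
# banners according to the rules this article reports.

# Assumed banner format, e.g. "220 host FTP server (Version wu-2.6.1(1) ...) ready."
BANNER_RE = re.compile(r"Version wu-(\d+)\.(\d+)\.(\d+)")

FIXED = (2, 6, 2)          # WU-FTPD Development Group fix arrives in 2.6.2
SKIPPED_BETA = (2, 7, 0)   # vendor beta: no patch, release number skipped


def parse_version(banner: str):
    """Return (major, minor, patch) from a wu-ftpd banner, or None."""
    m = BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version):
    """Map a version tuple to the action the article recommends."""
    if version is None:
        return "unknown: not a wu-ftpd banner, check manually"
    if version == SKIPPED_BETA:
        return "revert to 2.6.1 and apply the 2.6.1 patch"
    if version >= FIXED:
        return "fixed release"
    if version == (2, 6, 1):
        # The version string alone cannot show whether the vendor's
        # 2.6.1 patch is applied; confirm with the package manager.
        return "vulnerable unless the 2.6.1 patch is applied"
    return "vulnerable: upgrade to patched 2.6.1 or to 2.6.2"


def triage(banners):
    """Classify (host, banner) pairs; returns {host: recommended action}."""
    return {host: classify(parse_version(b)) for host, b in banners}


# Constructed sample banners (hosts and dates are made up).
SAMPLE = [
    ("ftp1.example.test", "220 ftp1 FTP server (Version wu-2.6.1(1) Mon Dec 10 2001) ready."),
    ("ftp2.example.test", "220 ftp2 FTP server (Version wu-2.7.0(1) Tue Jan 8 2002) ready."),
    ("ftp3.example.test", "220 ftp3 FTP server (Version wu-2.6.0(1) Fri May 5 2000) ready."),
    ("ftp4.example.test", "220 ftp4 FTP server (Version wu-2.6.2(1) Tue Feb 19 2002) ready."),
    ("ftp5.example.test", "220 ftp5 ProFTPD 1.2.4 Server ready."),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE).items():
        print(f"{host}: {action}")
```

Releases after 2.6.2 are treated as fixed, which is the assumption behind the `>= FIXED` check; a banner that a vendor has rewritten will fall into the "unknown" bucket.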

One word of warning: When you search for more information on this vulnerability, it's important to know that a Trojan horse masquerading as a patch to wu-ftpd 2.6.1 was recently posted to the Vuln-Dev mailing list.

This is not a legitimate patch, and it will damage your files if applied. A full report is available at Newsbytes (www.newsbytes.com/news/01/170392.html).

Looking at the details

The wu-ftpd FTP server is derived from the BSD ftpd and is maintained by the WU-FTPD Development Group, which has announced that it will release a fixed version of wu-ftpd with release 2.6.2.

Globbing is a term used to describe the way some software expands filenames using the old DOS wildcards such as an asterisk (*) and a question mark (?).

That makes a nice shortcut for users who either don't know the exact filename or need to download a lot of similar files.

But matching all those wildcard filenames or expanding really complex glob requests can place a heavy load on a server and cause a denial of service event, according to the report "Secure Programming for Linux and Unix HOWTO" (www.linuxdoc.org/HOWTO/Secure-Programs-HOWTO/input.html).

CERT identifies the glob vulnerability in Vulnerability Note #886083, which describes it as an unusual combination of two code bugs rather than the usual buffer overflow flaw.

According to the CERT report, "WU-FTPD's implementation of the glob command does not properly return an error condition when interpreting the string '~{' and then frees memory that may contain user-supplied data."

This means that an attacker who triggers the glob flaw could run arbitrary code on the compromised server, using a relatively simple attack.

End sum

If you use WU-FTP for running FTP services on your network, you should download and apply the appropriate patch for your OS as soon as possible. Due to the inherent danger of this vulnerability, this is not an update to put off for a more convenient time.
