FTPD Version Vulnerability

Summary

Several versions of the ftpd server have a variety of vulnerabilities.

Impact

Malicious users exploiting these vulnerabilities can gain unauthorized access to, or disrupt service on, a target system.

The Problems


MAPPING_CHDIR Buffer Overflow


CVE 1999-0878

Versions of wu-ftpd between 2.4.2-BETA18-VR4 and 2.5.0, and all versions of BeroFTPD contain a vulnerability which could allow an attacker to overwrite static memory and execute arbitrary code as root by creating a directory with a carefully chosen name. In order to exploit this vulnerability, an attacker would need to have access to a writable directory on the ftp server, either through a user account or by anonymous ftp. This vulnerability is described in CERT Advisory 99-13.


Message File Buffer Overflow


CVE 1999-0879

Due to improper bounds checking in expansion of macro variables in a message file, an attacker could overwrite the stack and execute arbitrary commands with the privileges of the ftp server, usually root. wu-ftpd prior to version 2.6.0, and all versions of BeroFTPD have this vulnerability. An attacker would require the ability to control the contents of a message file in order to exploit this vulnerability. Whether or not an anonymous user would have this ability depends on the configuration of the ftp server. This vulnerability is described in CERT Advisory 99-13.


SITE NEWER


CVE 1999-0880

SITE NEWER is a feature which allows mirroring software to find all files on an ftp server newer than a specified date. wu-ftpd prior to version 2.6.0, and all versions of BeroFTPD fail to properly free memory when this feature is used in certain situations, causing the server to consume memory. This could allow an attacker to disrupt service. If the attacker has the ability to create files on the server through a user account or a writable directory accessible by anonymous ftp, then it is also possible to execute arbitrary commands with the privileges of the ftp server (typically root). This vulnerability is described in CERT Advisory 99-13.


Palmetto Buffer Overflow


CVE 1999-0368

Due to improper bounds checking, an attacker can overwrite the internal stack space of the ftp server, thereby executing arbitrary commands with the privileges of the ftp server, which is typically root. The attacker would need access to a writable directory on the ftp server, either through a user account or by anonymous ftp, in order to create the long pathname necessary to exploit the vulnerability. The affected versions are wu-ftpd versions 2.4.2-BETA 18 and earlier (including VR versions prior to 2.4.2-BETA 18-VR10), ProFTPD versions prior to 1.2.0pre2, and BeroFTPD versions prior to 1.2.0. This vulnerability is described in CERT Advisory 99-03.


AIX ftpd buffer overflow


CVE 1999-0789

A buffer overflow vulnerability has been found in the AIX 4.3.x ftp daemon that allows remote attackers to gain root access. Example exploit code has been publicly released. Other versions of AIX are not affected. This vulnerability is described in IBM Security Vulnerability Alerts 1999:004.1 and 1999:004.2.


Signal Handling Race Condition


CVE 1999-0035

Some vendor and third-party versions of ftpd have a vulnerability that may allow regular and anonymous FTP users to read or write arbitrary files with root privileges. The cause is a signal handling routine that raises the process's privileges to root while continuing to catch other signals. This introduces a race condition that may allow regular as well as anonymous FTP users to access files with root privileges. Depending on the configuration of the ftpd server, this may allow intruders to read or write arbitrary files on the server. The attack only requires that an intruder be able to make a network connection to a vulnerable ftpd server. wu-ftpd 2.4.2-BETA-12 and later versions of wu-ftpd do not have this vulnerability. This vulnerability is described in CERT Advisory CA-97.16.


SITE EXEC and Race Condition


CVE 1999-0080
CVE 1999-0955

Versions 2.0 through 2.3 of the wuarchive ftpd have two vulnerabilities that can be exploited to gain root access. The first vulnerability is in the SITE EXEC command feature of ftpd that allows any user (remote or local) to obtain root access. There is a second vulnerability due to a race condition in these implementations. Sites using these versions of ftpd are vulnerable even if they do not support anonymous FTP. In addition to the wuarchive ftpd, DECWRL ftpd versions prior to 5.93 and BSDI ftpd versions 1.1 prior to patch 5 are vulnerable. These vulnerabilities are described in CERT Advisory CA-94.08. CERT Advisory CA-95.16 describes the SITE EXEC vulnerability in further detail, and lists all the Linux distributions that may be using the vulnerable version of ftpd.


Trojan Horse

Some copies of the source code for versions 2.2 and 2.1 of the wuarchive ftpd were modified by an intruder, and contain a Trojan horse. If your FTP daemon was compiled from the intruder-modified source code, you are vulnerable. If you are running the wuarchive ftpd, but not providing anonymous FTP access, you are still vulnerable to this Trojan horse. An intruder can gain root access on a host running an FTP daemon that contains the Trojan horse. This vulnerability is described in CERT Advisory CA-94.07.


Access Control Vulnerability

Versions of the wuarchive ftpd available before April 8, 1993 have a vulnerability in the access control mechanism. Anyone (remote or local) can potentially gain access to any account, including root, on a host running this version of ftpd. This vulnerability is described in CERT Advisory CA-93.06.

Resolution

To correct these vulnerabilities, replace the ftpd server with the most recent version. The current version of the wuarchive ftpd can be found at the wuarchive ftp site. Alternatively, obtain the latest fixed or patched version of ftpd from your vendor.

In some cases, disallowing anonymous ftp access, or removing write permissions from all directories accessible by anonymous ftp could serve as a workaround. However, this will only be an effective solution for those vulnerabilities which, as noted above, require the attacker to create files or directories on the server. You will still need to upgrade ftpd to fix the other vulnerabilities.
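The workaround above depends on knowing which directories an anonymous login can actually write to. The following script is an added example, not part of this advisory or of any ftpd distribution: it lists every directory under an anonymous ftp root that is writable by its group or by others, counts them, and can strip those write bits. The sample tree it builds under mktemp is constructed for the demonstration; on a real server the root to audit is the ftp account's home directory.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an anonymous-ftp tree for
# directories the ftp login could write to, and optionally remove that access.
# The sample tree below is constructed test data; a real server's anonymous
# root is the home directory of the ftp account.

# list_writable_dirs ROOT -> prints every directory under ROOT whose mode
# grants write to group (020) or others (002), one per line, sorted.
list_writable_dirs() {
    root=$1
    find "$root" -type d \( -perm -002 -o -perm -020 \) | sort
}

# count_writable_dirs ROOT -> number of such directories (0 means clean)
count_writable_dirs() {
    list_writable_dirs "$1" | wc -l | tr -d ' '
}

# harden_anon_tree ROOT -> remove group/other write permission from every
# directory under ROOT. On the real tree this runs as root; ownership by
# root rather than by the ftp user matters as much as the mode bits.
harden_anon_tree() {
    find "$1" -type d -exec chmod go-w {} +
}

# build_sample_tree -> create a throwaway tree containing one world-writable
# "incoming" drop box (the dangerous case) and print its path
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/pub/tools" "$t/pub/incoming"
    chmod 755 "$t" "$t/pub" "$t/pub/tools"
    chmod 777 "$t/pub/incoming"
    printf '%s\n' "$t"
}

# Stand-alone demonstration: report, harden, report again.
demo=$(build_sample_tree)
echo "writable before: $(count_writable_dirs "$demo")"
list_writable_dirs "$demo"
harden_anon_tree "$demo"
echo "writable after:  $(count_writable_dirs "$demo")"
rm -rf "$demo"
```

Run the list function first and review its output before hardening: a site that intentionally operates an upload directory should move it out of the anonymous tree or upgrade ftpd rather than rely on this workaround, since, as noted above, the overflow and SITE NEWER issues need only one writable directory.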

Finally, ftp access can be restricted by using TCP wrappers.
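To show what restricting ftp with TCP wrappers looks like, here is an added example that is not part of this advisory or of the tcp_wrappers package: it writes a deny-by-default hosts.deny and a hosts.allow admitting one network to a staging directory of your choice (not /etc), and models the order in which libwrap consults the two files so the rules can be checked offline. The model implements only three client patterns from hosts_access(5) (ALL, a network prefix ending in a dot, and an exact address); the daemon name in.ftpd, the network 192.168.1. and the client addresses are assumed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory): stage TCP wrappers rules that limit
# ftpd to one local network, and a simplified model of the libwrap decision
# (hosts.allow first match admits, then hosts.deny first match refuses,
# otherwise admit). Only three hosts_access(5) client patterns are modelled:
#   ALL          every client
#   192.168.1.   trailing dot: network prefix
#   10.0.0.7     exact address
# The daemon name and addresses are assumed values for the demonstration.

# stage_tcp_wrappers DIR NETPREFIX -> write hosts.deny and hosts.allow in DIR
stage_tcp_wrappers() {
    dir=$1; net=$2
    mkdir -p "$dir"
    # Refuse the ftp daemon to everyone by default ...
    printf 'in.ftpd: ALL\n' > "$dir/hosts.deny"
    # ... then admit only the named network and the loopback host.
    printf 'in.ftpd: %s 127.0.0.1\n' "$net" > "$dir/hosts.allow"
}

# pattern_matches PATTERN CLIENT_IP -> 0 if the pattern covers the client
pattern_matches() {
    pat=$1; ip=$2
    case $pat in
        ALL) return 0 ;;
        *.)  case $ip in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$ip" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON CLIENT_IP -> 0 if some "daemons: clients" line
# in FILE names the daemon (or ALL) and covers the client
file_matches() {
    file=$1; daemon=$2; ip=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $clients; do
                pattern_matches "$c" "$ip" && return 0
            done
        done
    done < "$file"
    return 1
}

# ftp_access_decision DIR CLIENT_IP -> prints "allow" or "deny" for in.ftpd
ftp_access_decision() {
    dir=$1; ip=$2
    if file_matches "$dir/hosts.allow" in.ftpd "$ip"; then echo allow
    elif file_matches "$dir/hosts.deny" in.ftpd "$ip"; then echo deny
    else echo allow
    fi
}

# Stand-alone demonstration against a staging directory.
stage=$(mktemp -d)
stage_tcp_wrappers "$stage" 192.168.1.
for client in 192.168.1.25 192.168.10.5 203.0.113.9; do
    echo "$client -> $(ftp_access_decision "$stage" "$client")"
done
rm -rf "$stage"
```

The daemon name on the left-hand side must be the one inetd actually invokes (in.ftpd, ftpd, wu.ftpd or similar), so check inetd.conf before copying these lines into /etc/hosts.allow and /etc/hosts.deny. The real rule set can be tested with the tcpdmatch tool shipped with tcp_wrappers, for example tcpdmatch in.ftpd 192.168.1.25, which reports the same allow or deny outcome the model above computes.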

Where can I read more about this?

To read more about the FTPD vulnerabilities, read CERT Advisories CA-99-13, CA-99-03, CA-97.16, CA-95.16, CA-94.08, CA-94.07, and CA-93.06. More information about AIX FTPD vulnerabilities can be found in IBM Security Vulnerability Alerts 1999:004.1 and 1999:004.2. Additionally, you can read more about securing all information servers at this CIAC site.