ALERT Wu-Ftpd File Globbing Heap Corruption Vulnerability

To: debian-user@lists.debian.org
Subject: *ALERT* Wu-Ftpd File Globbing Heap Corruption Vulnerability
From: Account for Debian group mail <debian@pcez.com>
Date: Wed, 28 Nov 2001 14:59:48 -0800 (PST)
Message-id: <[🔎] Pine.LNX.3.96.1011128145305.14382B-100000@mail.pcez.com>

Anyone know what is being done with the Debian verson of Wu-Ftpd for this
problem?

Thanks,

Ken 

Date: Wed, 28 Nov 2001 10:05:28 -0700 (MST)
From: Dave Ahmad <da@securityfocus.com>
To: <bugtraq@securityfocus.com>
Subject: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption
Vulnerability
Message-ID:
<Pine.GSO.4.30.0111280946160.20852-100000@mail.securityfocus.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

---------------------------------------------------------------------------
                              Security Alert

Subject:      Wu-Ftpd File Globbing Heap Corruption Vulnerability
BUGTRAQ ID:   3581                   CVE ID:         CVE-MAP-NOMATCH
Published:    Nov 27, 2001           Updated:        Nov 28, 2001 01:12:56

Remote:       Yes                    Local:          No
Availability: Always                 Authentication: Not Required
Credibility:  Vendor Confirmed       Ease:           No Exploit Available

Impact:   10.0           Severity: 10.0            Urgency:  8.2

Last Change:  Initial analysis.
---------------------------------------------------------------------------

Vulnerable Systems:

  Washington University wu-ftpd 2.6.1
   + Caldera OpenLinux Server 3.1
   + Caldera OpenLinux Workstation 3.1
   + Cobalt Qube 1.0
   + Conectiva Linux 7.0
   + Conectiva Linux 6.0
   + MandrakeSoft Corporate Server 1.0.1
   + MandrakeSoft Linux Mandrake 8.1
   + MandrakeSoft Linux Mandrake 8.0 ppc
   + MandrakeSoft Linux Mandrake 8.0
   + MandrakeSoft Linux Mandrake 7.2
   + MandrakeSoft Linux Mandrake 7.1
   + MandrakeSoft Linux Mandrake 7.0

   + MandrakeSoft Linux Mandrake 6.1
   + MandrakeSoft Linux Mandrake 6.0
   + RedHat Linux 7.2 noarch
   + RedHat Linux 7.2 ia64
   + RedHat Linux 7.2 i686
   + RedHat Linux 7.2 i586
   + RedHat Linux 7.2 i386
   + RedHat Linux 7.2 athlon
   + RedHat Linux 7.2 alpha
   + RedHat Linux 7.1 noarch
   + RedHat Linux 7.1 ia64
   + RedHat Linux 7.1 i686
   + RedHat Linux 7.1 i586
   + RedHat Linux 7.1 i386
   + RedHat Linux 7.1 alpha
   + RedHat Linux 7.0 sparc
   + RedHat Linux 7.0 i386
   + RedHat Linux 7.0 alpha
   + TurboLinux TL Workstation 6.1
   + TurboLinux Turbo Linux 6.0.5
   + TurboLinux Turbo Linux 6.0.4
   + TurboLinux Turbo Linux 6.0.3
   + TurboLinux Turbo Linux 6.0.2
   + TurboLinux Turbo Linux 6.0.1
   + TurboLinux Turbo Linux 6.0
   + Wirex Immunix OS 7.0-Beta
   + Wirex Immunix OS 7.0
  Washington University wu-ftpd 2.6.0
   + Cobalt Qube 1.0
   + Conectiva Linux 5.1
   + Conectiva Linux 5.0
   + Conectiva Linux 4.2
   + Conectiva Linux 4.1
   + Conectiva Linux 4.0es
   + Conectiva Linux 4.0
   + Debian Linux 2.2 sparc
   + Debian Linux 2.2 powerpc
   + Debian Linux 2.2 arm
   + Debian Linux 2.2 alpha
   + Debian Linux 2.2 68k
   + Debian Linux 2.2
   + RedHat Linux 6.2 sparc
   + RedHat Linux 6.2 i386
   + RedHat Linux 6.2 alpha
   + RedHat Linux 6.1 sparc
   + RedHat Linux 6.1 i386
   + RedHat Linux 6.1 alpha
   + RedHat Linux 6.0 sparc
   + RedHat Linux 6.0 i386
   + RedHat Linux 6.0 alpha
   + RedHat Linux 5.2 sparc
   + RedHat Linux 5.2 i386
   + RedHat Linux 5.2 alpha
   + S.u.S.E. Linux 6.4ppc
   + S.u.S.E. Linux 6.4alpha
   + S.u.S.E. Linux 6.4
   + S.u.S.E. Linux 6.3 ppc
   + S.u.S.E. Linux 6.3 alpha
   + S.u.S.E. Linux 6.3
   + S.u.S.E. Linux 6.2
  + S.u.S.E. Linux 6.1 alpha
   + S.u.S.E. Linux 6.1
   + TurboLinux Turbo Linux 4.0
   + Wirex Immunix OS 6.2
  Washington University wu-ftpd 2.5.0
   + Caldera eDesktop 2.4
   + Caldera eServer 2.3.1
   + Caldera eServer 2.3
   + Caldera OpenLinux 2.4
   + Caldera OpenLinux Desktop 2.3
   + RedHat Linux 6.0 sparc
   + RedHat Linux 6.0 i386
   + RedHat Linux 6.0 alpha

Summary:

  Wu-Ftpd contains a remotely exploitable heap corruption bug.

Impact:

  A remote attacker may execute arbitrary code on the vulnerable server.

Technical Description:

  Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained  by
  Washington University.

  Wu-Ftpd allows for clients to organize files for ftp actions  based  on
  "file globbing" patterns.  File globbing is also used by various
  shells.  The implementation of file globbing included in Wu-Ftpd
  contains a heap corruption vulnerability that may allow for an attacker
  to execute arbitrary code on a server remotely.

  During the processing of a globbing pattern, the Wu-Ftpd implementation
  creates a list of the files that match.  The memory where this data is
  stored is on the heap, allocated using malloc().  The globbing function
  simply returns a pointer to the list.   It is up to the calling
  functions to free the allocated memory.

  If an error occurs processing the pattern, memory will not be allocated
  and a variable indicating this should be set.  The calling functions
  must check the value of this variable before attempting to use the
  globbed filenames (and later freeing the memory).

  When certain globbing patterns are processed, the globbing function does
  not set this variable when an error occurs.  As a result of this,
  Wu-Ftpd may eventually attempt to free uninitialized memory.  There are
  a number of possibly exploitable conditions.

  If this region of memory contained user-controllable data before the
  free call, it may be possible to have an arbitrary word in memory
  overwritten with an arbitrary value.  This can lead to execution of
  arbitrary code if function pointers or return addresses are
  overwritten.

  If anonymous FTP is not enabled, valid user credentials are required to
  exploit this vulnerability.

  This vulnerability was initially scheduled for public release on
  December 3, 2001.  However, Red Hat has made details public as of
 November 27, 2001.  As a result, we are forced to warn other users of
  the vulnerable product, so that they may take appropriate actions.

Attack Scenarios:

  To exploit this vulnerability,  an  attacker  must  have  either  valid
  credentials required to log in as an FTP user, or anonymous access must
  be enabled.

  The attacker must ensure that a maliciously constructed  malloc  header
  containing the target address and it's replacement  value  are  in  the
  right location in the uninitialized part of  the  heap.   The  attacker
  must also place shellcode in server process memory.

  The attacker must send an FTP command containing  a  specific  globbing
  pattern that does not set the error variable.

  When the server attempts to free the memory used to store  the  globbed
  filenames, the target word in memory will be overwritten.

  If an attacker overwrites a function pointer or return address  with  a
  pointer to the shellcode, it may be executed by the server process.

Exploits:  Not listed here....

ETC., ETC., ETC.

Reply to:

Follow-Ups:
- Re: *ALERT* Wu-Ftpd File Globbing Heap Corruption Vulnerability
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Re: global environment variables?
Next by Date: Re: New bash and tab completion
Previous by thread: Re: global environment variables?
Next by thread: Re: *ALERT* Wu-Ftpd File Globbing Heap Corruption Vulnerability
Index(es):
- Date
- Thread

*ALERT* Wu-Ftpd File Globbing Heap Corruption Vulnerability

ALERT Wu-Ftpd File Globbing Heap Corruption Vulnerability