Home page logo
/

bugtraq logo Bugtraq mailing list archives

CORE-20011001: Wu-FTP glob heap corruption vulnerability
From: Iván Arce <core.lists.bugtraq () core-sdi com>
Date: Wed, 28 Nov 2001 23:01:05 -0300

                        CORE Security Technologies
                          http://www.corest.com

                   Vulnerability Report For WU-FTPD Server


Date Published: 2001-11-28

Last Update: 2001-11-28

Advisory ID: CORE-20011001

Bugtraq ID: 3581

CVE CAN: None currently assigned

Title: WU-FTPD Improper Ftpglob Error Handling Vulnerability

Class: Failure to handle exceptional conditions

Remotely Exploitable: Yes

Locally Exploitable: Yes

Release Mode: FORCED RELEASE

Vulnerability Description:

The Washington University FTP daemon (WU-FTPD) is a highly modified and
significantly complex version of FTPD that provides some extra features:
custom logging, limited remote command support, and other enhacements
to the standard BSD version of FTPD.

A problem was found in all versions of Wu-FTPD included by default in all
major Linux distributions. Other platforms that ship wu-ftpd and FTP
server programs derived from it are affected.

By exploiting this problem, any user who is able to log into a vulnerable
version of the WU-FTPD server may be able to execute arbitrary code
remotely with the privileges of the server process (usually root) which
can lead to complete system compromise.

The problem is due to a combination of bugs, one located within the
function responsible for the globbing feature, which fails to properly
signal an error to its caller under certain conditions. The glob function
does not properly handle the string "~{" as an illegal parameter.
The other bug is at the caller, a command parser function, that incorrectly
handles the error status returned by the glob function allowing the
corruption of the process memory space.

For those interested in a technical description and proof of concept follow
towards the end of this advisory.

Vulnerable Packages:

WU-FTPD

 All versions of wu-ftpd including and up to 2.6.1 are vulnerable.
 Version 2.7.0 snapshots are also vulnerable.
 Note that 2.7.0 is has not been released officially and is currently a
 testing version.

 Washington University wu-ftpd 2.6.1
  + Caldera OpenLinux Server 3.1
  + Caldera OpenLinux Workstation 3.1
  + Cobalt Qube 1.0
  + Conectiva Linux 7.0
  + Conectiva Linux 6.0
  + MandrakeSoft Corporate Server 1.0.1
  + MandrakeSoft Linux Mandrake 8.1
  + MandrakeSoft Linux Mandrake 8.0 ppc
  + MandrakeSoft Linux Mandrake 8.0
  + MandrakeSoft Linux Mandrake 7.2
  + MandrakeSoft Linux Mandrake 7.1
  + MandrakeSoft Linux Mandrake 7.0
  + MandrakeSoft Linux Mandrake 6.1
  + MandrakeSoft Linux Mandrake 6.0
  + RedHat Linux 7.2 noarch
  + RedHat Linux 7.2 ia64
  + RedHat Linux 7.2 i686
  + RedHat Linux 7.2 i586
  + RedHat Linux 7.2 i386
  + RedHat Linux 7.2 athlon
  + RedHat Linux 7.2 alpha
  + RedHat Linux 7.1 noarch
  + RedHat Linux 7.1 ia64
  + RedHat Linux 7.1 i686
  + RedHat Linux 7.1 i586
  + RedHat Linux 7.1 i386
  + RedHat Linux 7.1 alpha
  + RedHat Linux 7.0 sparc
  + RedHat Linux 7.0 i386
  + RedHat Linux 7.0 alpha
  + TurboLinux TL Workstation 6.1
  + TurboLinux Turbo Linux 6.0.5
  + TurboLinux Turbo Linux 6.0.4
  + TurboLinux Turbo Linux 6.0.3
  + TurboLinux Turbo Linux 6.0.2
  + TurboLinux Turbo Linux 6.0.1
  + TurboLinux Turbo Linux 6.0
  + Wirex Immunix OS 7.0-Beta
  + Wirex Immunix OS 7.0
Washington University wu-ftpd 2.6.0
  + Cobalt Qube 1.0
  + Conectiva Linux 5.1
  + Conectiva Linux 5.0
  + Conectiva Linux 4.2
  + Conectiva Linux 4.1
  + Conectiva Linux 4.0es
  + Conectiva Linux 4.0
  + Debian Linux 2.2 sparc
  + Debian Linux 2.2 powerpc
  + Debian Linux 2.2 arm
  + Debian Linux 2.2 alpha
  + Debian Linux 2.2 68k
  + Debian Linux 2.2
  + RedHat Linux 6.2 sparc
  + RedHat Linux 6.2 i386
  + RedHat Linux 6.2 alpha
  + RedHat Linux 6.1 sparc
  + RedHat Linux 6.1 i386
  + RedHat Linux 6.1 alpha
  + RedHat Linux 6.0 sparc
  + RedHat Linux 6.0 i386
  + RedHat Linux 6.0 alpha
  + RedHat Linux 5.2 sparc
  + RedHat Linux 5.2 i386
  + RedHat Linux 5.2 alpha
  + S.u.S.E. Linux 6.4ppc
  + S.u.S.E. Linux 6.4alpha
  + S.u.S.E. Linux 6.4
  + S.u.S.E. Linux 6.3 ppc
  + S.u.S.E. Linux 6.3 alpha
  + S.u.S.E. Linux 6.3
  + S.u.S.E. Linux 6.2
  + S.u.S.E. Linux 6.1 alpha
  + S.u.S.E. Linux 6.1
  + TurboLinux Turbo Linux 4.0
  + Wirex Immunix OS 6.2
Washington University wu-ftpd 2.5.0
  + Caldera eDesktop 2.4
  + Caldera eServer 2.3.1
  + Caldera eServer 2.3
  + Caldera OpenLinux 2.4
  + Caldera OpenLinux Desktop 2.3
  + RedHat Linux 6.0 sparc
  + RedHat Linux 6.0 i386
  + RedHat Linux 6.0 alpha

Sun Microsystems Inc.

 The Sun Cobalt Qube1 is vulnerable.

 Solaris is NOT vulnerable to this problem.

 As reported by Brent Paulson from Sun regarding
 Solaris ISP server that ships with a wu-ftpd derived server:
 "The Sun engineering group for the SISP in.ftpd product
  has verified that we are not vulnerable to the issue
  described in the described vulnerability."


Hewlett Packard

 As reported by Dan Grove from HP:

 " HP-UX is immune to this issue. It was fixed
  in conjunction with the last "globbing" issue
  announced in CERT Advisory CA-2001-07, released
  April 10, 2001. The lab did a complete check/scan
  of the globbing software, and fixed this issue then
  as well. Customers should apply the patches listed
  in HP Security Bulletin #162 released July 19,2001:

  HPSBUX0107-162   Security Vulnerability in ftpd and ftp"


Solution/Vendor Information/Workaround:

 Wu-FTPD
  The wu-ftpd development team has devised a patch
  that fixes the problem and its already applied to
  the current wu-ftpd source tree. Current 2.7.0
  snapshots are NOT vulnerable, however 2.7.0 is
  not an official wu-ftpd release and should be thought
  as a version for testing.

  The team will provide patches for the vulnerable
  WU-ftpd releases shortly.

 RedHat

   RedHat Linux had released and advisory and and
   SRPMs to address the problem, they can be obtained
   from
     http://www.redhat.com/support/errata/RHSA-2001-157.html

 Conectiva Linux

   Fixed packages will be made available in the next days
   for all supported Conectiva Linux distributions at
   ftp://atualizacoes.conectiva.com.br

 Caldera Systems

  OpenLinux 2.3

    Vulnerable.
    Fixed packages were released on 2001/11/28:
      ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/068/

  OpenLinux eServer 2.3.1

    Vulnerable.
    Fixed packages were released on 2001/11/28:
     ftp://ftp.caldera.com/pub/updates/eServer/2.3/064/

  OpenLinux eDesktop 2.4

    Vulnerable.
    Fixed packages were released on 2001/11/28:
     ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/058/

  OpenLinux Workstation 3.1

    Not vulnerable. (Does not include wu-ftpd)

  OpenLinux Server 3.1

   Vulnerable.
   Fixed packages were released on 2001/11/28:
    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/020/

 Sun Microsystems

 "The only Sun Cobalt Server Appliance that is vulnerable to this
  exploit is the Qube1.  The Qube1 is no longer a supported appliance,
  but we do understand the need of having updates available.
  The following RPM is not officially supported by Sun Cobalt,
  but offers legacy customers the ability to maintain a limited
  level of security."

  Qube1:

ftp://ftp.cobaltnet.com/pub/unsupported/qube1/rpms/wu-ftpd-2.6.1-C1.NOPAM.mi
ps.rpm

ftp://ftp.cobaltnet.com/pub/unsupported/qube1/srpms/wu-ftpd-2.6.1-C1.NOPAM.s
rc.rpm


 SuSE Linux

  SuSE have the set of patches to fix the vulnerability.
  Updated packages that fix the vulnerability are available
  from the following URLs:

  i386 Intel Platform:

    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-344.i386.rpm
      d1b549b8c2d91d66a8b35fe17a1943b3
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/wuftpd-2.6.0-344.src.rpm
      9ef0e6ac850499dc0150939c62bc146f

    SuSE-7.2
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-344.i386.rpm
      4583443a993107b26529331fb1e6254d
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/wuftpd-2.6.0-344.src.rpm
      aaee0343670feae70ccc9217a8e22211

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/wuftpd-2.6.0-346.i386.rpm
      347a030a85cb5fcbe32d3d79d382e19e
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/wuftpd-2.6.0-346.src.rpm
      aa3e53641f6ce0263196e6f1cb0447c3

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/wuftpd-2.6.0-344.i386.rpm
      e34eec18ecc10f187f6aa1aa3b24b75b
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/wuftpd-2.6.0-344.src.rpm
      fafc8c2bbd68dd5ca3d04228433c359a

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/wuftpd-2.6.0-344.i386.rpm
      2354abe95b056762c7f6584449291ff2
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/wuftpd-2.6.0-344.src.rpm
      507b8d484b13737c9d2b6a68fda0cc26

    SuSE-6.3
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/wuftpd-2.6.0-347.i386.rpm
      9851ad02e656bba8b5e02ed2ddb46845
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/wuftpd-2.6.0-347.src.rpm
      5d7c4b6824836ca28b228cc5dcfc4fd6

    Sparc Platform:

    SuSE-7.3

ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-240.sparc.rpm
      2d19e4ead17396a1e28fca8745f9629d
    source rpm:

ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/wuftpd-2.6.0-240.src.rpm
      bdb0b5ddd72f8563db3c8e444a0df7f5

    SuSE-7.1

ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/wuftpd-2.6.0-242.sparc.rpm
      f6b04f284bece6bf3700facccc015ffe
    source rpm:

ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/wuftpd-2.6.0-242.src.rpm
      1660547ac9a5a3b32a4070d69803cf18

    SuSE-7.0

ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/wuftpd-2.6.0-241.sparc.rpm
      1bd905b095b9a4bb354fc190b6e54a01
    source rpm:

ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/wuftpd-2.6.0-241.src.rpm
      597263eb7d0fbbf242d519d3c126a441

    AXP Alpha Platform:

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/wuftpd-2.6.0-252.alpha.rpm
      e608bfd2cc9e511c6eb6932c33c68789
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/wuftpd-2.6.0-252.src.rpm
      34915af1ca79b27bad8bc2fd3a5cab05

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/wuftpd-2.6.0-251.alpha.rpm
      86a7d8f60d76a053873bcc13860b0bbb
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/wuftpd-2.6.0-251.src.rpm
      9674f9f1630b3107ac22d275705da76e

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/wuftpd-2.6.0-251.alpha.rpm
      2501444a1e4241e8f6f4cdcc6fd133b0
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/wuftpd-2.6.0-251.src.rpm
      34812d943900bdb902ad7edd40e1943f

    SuSE-6.3
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/wuftpd-2.6.0-250.alpha.rpm
      429a49ef9d4d0865fbb443c212b8a8c7
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/wuftpd-2.6.0-250.src.rpm
      76467dae0f460677ba80ec907eefca28

    PPC Power PC Platform:

    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-277.ppc.rpm
      a381269b3e2fc43fda59e4d08aef57ae
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/wuftpd-2.6.0-277.src.rpm
      7cacb696a88e57a843402a796212aee6

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/wuftpd-2.6.0-277.ppc.rpm
      bfc39be2c09323d96f974fdd0c73fda1
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/wuftpd-2.6.0-277.src.rpm
      e2681b2ed4801ce14b5dfb926480ac51

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/wuftpd-2.6.0-279.ppc.rpm
      19f989e637fd9b6fa652f8a4014bb7b1
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/wuftpd-2.6.0-279.src.rpm
      76c493a915691c51a2481f0925e8ce39

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/wuftpd-2.6.0-278.ppc.rpm
      ad29cf172bbd03a5e1f301cf6b9404e5
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/wuftpd-2.6.0-278.src.rpm
      82338702692eba599d8c3d242aff3d1a

 MandrakeSoft

  MandrakeSoft has developed a patch for the problem, fixed packages
  will be made available shortly.

 Turbo Linux

  Contact Turbo-linux for patch information and fixed packages.
  http://www.turbolinux.com/security/

 Debian Linux

  Debian has developed a patch for the problem, fixed packages
  will be made available shortly.


 Wirex Inmunix

  WireX has developed a patch for the problem, fixed packages
  will be made available shortly.

 Workaround:

 To prevent exploitation of this bug it is advised to disable anonymous
 FTP access until patches are applied.
 Notice that legit users with FTP accounts can still exploit the problem
 even if anonymous access is disabled. If legit ftp accoutn posse
 a security risk, FTP service should be disabled completly until
 fixed packages are deployed.


Vendors notified on: November 14th, 2001

Credits:

 This vulnerability was initially reported to the vuln-dev mailing list
 at SecurityFocus.com by Matt Power from Bindview Corp. on April 30th, 2001.
 At that moment, it was thought as a not exploitable bug and no further
 research was conducted.

 The bug was re-discovered independantly by Luciano Notarfrancesco and
 Juan Pablo Martinez Kuhn from Core Security Technologies and confirmed to
be
 exploitable on Nov. 1st, 2001

 This advisory was drafted with the aid of the Vulnerability Help team at
 SecurityFocus.com.

 We would like to thank the VulnHelp Team, CERT,the WU-ftpd development
 team and the Linux vendors for their efforts trying to coordinate the
release
 of information and availability of fixes.

Technical Description - Exploit/Concept Code:

 Tests were performed using wu-ftp server versions 2.6.1 and 2.7.0 snapshots

 WU-FTPD server features globbing capabilities, allowing a user to search
 pathnames matching patterns according to the rules used by the shell.
 The feature does not use the glibc implementation of the glob()
 function, instead it implements its own in the the glob.c file

 This implementation fails to set the globerr variable under certain
 circunstances, bypassing error checking after the call, and trying to free
 an uninitialized memory address. This memory address is located in the
 process heap and can be manipulated by the user, issuing especially crafted
 commands beforehand to the server. This issue was found twice in the source
 code.

 The handling of the globbing metacharacters is done by the ftpglob()
 function included in the glob.c file. The function is called for example
 from ftpcmd.y line 1277 and line 1303 while processing pathnames for
 restricted and non-restricted users beggining with a '/' or a '~'
 character respectively.

   if (restricted_user && logged_in && $1 && strncmp($1, "/", 1) == 0){
 [...]
 globlist = ftpglob(t);
 [...]
   }

   else if (logged_in && $1 && strncmp($1, "~", 1) == 0) {
        char **globlist;

        globlist = ftpglob($1);
 [...]
   }

 After that, the variable globerr is checked to handle any possible error
 that could had happened during the globbing process, setting this variable
 is responsability of the ftpglob() function.

 Under certain circunstances not properly handled by the function, globerr
 is not set even though an error condition is present

 Being not initialized explicitly, globlist contains what was in the heap
 before, which can be properly set with specially crafted requests to the
server.

 As the globerr was not set properly, the function attempts to free
 the provided pointer in ftpcmd.y line 1282 and line 1288.

                   if (globerr) {
                        reply(550, globerr);
                        $$ = NULL;
                        if (globlist) {
                            blkfree(globlist);
                            free((char *) globlist);
                        }
                    }
                    else if (globlist) {
                        $$ = *globlist;
                        blkfree(&globlist[1]);
                        free((char *) globlist);
                    }

 As shown, during the processing of a globbing pattern, the
 Wu-Ftpd implementation creates a list of the files that match.
 The memory where this data is stored is on the heap, allocated using
 malloc().  The globbing function simply returns a pointer to the list.
 It is up to the calling functions to free the allocated memory.

 If an error occurs processing the pattern, memory will not be allocated
 and a variable indicating this should be set.
 The calling functions must check the value of this variable before
 attempting to use the globbed filenames (and later freeing the memory).

 Under certain circumstances, the globbing function does not set this
variable
 when an error occurs.  As a result of this, Wu-Ftpd will eventually attempt
to
 free uninitialized memory.

 If this region of memory contained user-controllable data before the free
 call, it is possible to have an arbitrary word in memory overwritten with
an
 arbitrary value.  This can lead to execution of arbitrary code if function
 pointers or return addresses are overwritten.

 Details of hwo to exploit this type of problems are in the
 public domain and can be found in Phrack Magazine #57 article 9:

  http://www.phrack.org/show.php?p=57&a=9

 Unsuccessful explotation of the problem does not lead to denial of service
 attacks as the ftp server continues normal execution, only the thread
 handling the request fails, helping the attacker to success.


 The following excerpt is a sample verification of the existence of
 the problem:

ftp> open localhost
Connected to localhost (127.0.0.1).
220 sasha FTP server (Version wu-2.6.1-18) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection

 1405 ?        S      0:00 ftpd: accepting connections on port 21
 7611 tty3     S      1:29 gdb /usr/sbin/wu.ftpd
26256 ?        S      0:00 ftpd:
sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3     R      0:00 bash -c ps ax | grep ftpd
(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i686/libc.so.6
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x40165544 in __libc_read () from /lib/i686/libc.so.6
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136    in malloc.c


 Note that the segmentation fault is generated because the program is trying
 to free() a user provided (and in this case invalid) memory chunk
referenced
 by the value 0x61616161 (or its ASCII equivalent 'aaaa', sent earlier in
the
 session as the user password), this should be enough hint on the existence
 and exploitability of the bug


DISCLAIMER:

The contents of this advisory are copyright (c) 2001 CORE Security
Technologies and may be distributed freely provided that no fee is charged
for this distribution and proper credit is given.

$Id: WUFTPD_free_advisory.txt,v 1.5 2001/11/29 02:05:13 iarce Exp $



--- for a personal reply use: =?iso-8859-1?Q?Iv=E1n_Arce?= <ivan.arce () corest com>


  By Date           By Thread  

Current thread:
  • CORE-20011001: Wu-FTP glob heap corruption vulnerability Iván Arce (Nov 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]