Bugtraq mailing list archives
wu-ftpd info.
From: cklaus () shadow net (Christopher Klaus)
Date: Wed, 13 Apr 94 0:39:24 EDT
The CERT information is misleading. Even if you do not have the trojaned
wu-ftpd version, versions before 2.2 are insecure and have a major
security hole. You would think that CERT would have at least mentioned
that even if your src for ftpd was not trojaned, please get the 2.3
version. I am not sure what the point of not releasing that
information is.
EMPHASIS: Get wu-ftpd 2.3, even if your src was not trojaned.
Anyways, Graham Toal has pointed this out.
To fix the security hole in versions prior to 2.3:
1. Remove "site exec" from commands.
2. Stop anonymous uploading by adding "chmod no anonymous" and
"umask no anonymous" to the ftpaccess file.
3. Remove the ftp-exec subdirectory in ~ftp/bin.
4. Obtain and install wu-ftpd 2.3.
Below is the information for the trojaned version. But even if you
do not have the trojaned version, you will need to install wu-ftpd 2.3.
Here is some information that may help you know if you have a trojan
version.
You can grep \"NULL\" in *.c; that will let you know if you have
the trojan.
The password checking routine in ftpd.c should probably not differ
from the following:
#ifdef ULTRIX_AUTH
        if ((numfails = ultrix_check_pass(passwd, xpasswd)) < 0) {
#else
        /* The strcmp does not catch null passwords! */
        if (pw == NULL || *pw->pw_passwd == '\0' ||
            strcmp(xpasswd, pw->pw_passwd)) {
#endif
                reply(530, "Login incorrect.");
--
Christopher William Klaus  Email: cklaus () shadow net  Author: Inet Sec. Scanner
2209 Summit Place Drive, Dunwoody, GA 30350-2430.  (404) 998-5871.
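The point of the "strcmp does not catch null passwords" comment in the ftpd.c excerpt above is easiest to see side by side with the weak form of the check. The following is an added example, not code from the post or from the wu-ftpd sources: `struct pw_entry` is a stand-in for `struct passwd`, `lookup()` is a hypothetical replacement for getpwnam(), the account table and its hash string are constructed, and `xpasswd` (the result of crypt() on the client-supplied password in the real daemon) is passed in directly so that no crypt library is needed. `login_ok()` is the shape of the check quoted above; `login_ok_strcmp_only()` is the same check with the explicit empty-password test left out.

```c
/* Added example: the ftpd.c password check with and without the
 * explicit null-password test. Not from the original post or wu-ftpd. */
#include <stdio.h>
#include <string.h>

/* Stand-in for struct passwd (assumption for this example). */
struct pw_entry {
    const char *pw_name;
    const char *pw_passwd;   /* encrypted password field; "" = no password */
};

/* Weak form: bare strcmp() against the password field.
 * Returns 1 when the login would be accepted, 0 otherwise. */
int login_ok_strcmp_only(const struct pw_entry *pw, const char *xpasswd)
{
    if (pw == NULL)
        return 0;
    return strcmp(xpasswd, pw->pw_passwd) == 0;
}

/* Hardened form, the shape of the check quoted from ftpd.c:
 * unknown user, empty password field, or mismatch all fail. */
int login_ok(const struct pw_entry *pw, const char *xpasswd)
{
    /* The strcmp does not catch null passwords! */
    if (pw == NULL || *pw->pw_passwd == '\0' ||
        strcmp(xpasswd, pw->pw_passwd) != 0)
        return 0;
    return 1;
}

/* Constructed account table: one normal account, one with an empty
 * password field. The hash string is made up, not a real crypt() output. */
static const struct pw_entry accounts[] = {
    { "alice", "xxj31ZMTZzkVA" },
    { "guest", "" },
};

/* Hypothetical getpwnam() replacement over the constructed table. */
const struct pw_entry *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].pw_name, name) == 0)
            return &accounts[i];
    return NULL;
}

int main(void)
{
    /* An empty xpasswd is the only input a bare strcmp() accepts against
     * an empty password field, so that is the case to compare. */
    printf("guest, empty xpasswd, strcmp only: %d\n",
           login_ok_strcmp_only(lookup("guest"), ""));
    printf("guest, empty xpasswd, hardened  : %d\n",
           login_ok(lookup("guest"), ""));
    printf("alice, matching xpasswd         : %d\n",
           login_ok(lookup("alice"), "xxj31ZMTZzkVA"));
    printf("unknown user                    : %d\n",
           login_ok(lookup("nobody"), "xxj31ZMTZzkVA"));
    return 0;
}
```

The weak form accepts the "guest" login once xpasswd is empty; the quoted check rejects any account whose password field is empty before strcmp() is ever reached, which is why the excerpt tests `*pw->pw_passwd == '\0'` first.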
Current thread:
- wu-ftpd info. Christopher Klaus (Apr 12)
- Re: wu-ftpd info. Paul A Vixie (Apr 13)
- Re: wu-ftpd info. Paul Walmsley (Apr 13)
- Re: wu-ftpd info. Ken Hardy (Apr 13)
- Re: wu-ftpd info. jdd () cdf toronto edu (Apr 13)
- Re: wu-ftpd info. Paul A Vixie (Apr 13)
- Re: wu-ftpd info. Rob Quinn (Apr 13)
- Re: wu-ftpd info. Gene Spafford (Apr 13)
- Re: wu-ftpd info. Marc W. Mengel (Apr 13)
- Re: wu-ftpd info. Christopher Klaus (Apr 13)
- Re: wu-ftpd info. smb () research att com (Apr 13)
- Re: wu-ftpd info. Paul A Vixie (Apr 13)
