Slashdot Mirror


Wu-ftpd Remote Root Hole

Ademar writes: "A remotely exploitable vulnerability was found in wu_ftp, which is distributed in all major distros. The CERT has a (private) list to coordinate this kind of disclosure so vendors can release updates together, but RH broke the schedule and released their advisory first. You can see the full advisory from securityfocus in bugtraq, but here is a quote: "This vulnerability was initially scheduled for public release on December 3, 2001. Red Hat pre-emptively released an advisory on November 27, 2001. As a result, other vendors may not yet have fixes available."" CNET has a story about this too.

6 of 515 comments

  1. more to the story by Phexro · · Score: 5, Informative

    item: the version of wu-ftpd that rh released was a pre-release from cvs. they changed the version number. this bug was fixed in cvs months ago.

    item: the securityfocus vuln-help people are supposed to help coordinate vendors & the software maintainers. they sent notification of the bug to the wrong address, so the wu-ftpd developers weren't even aware that there was a bug present until the day the rh advisory went out.

    item: there was supposed to be a coordinated advisory put out on dec. 3rd. rh preempted that, causing this nasty confusion.

    greg lundberg posted a big explanation of what went on to several mailing lists... it should be on the wuftpd-questions archive, but i don't see it there yet.

    also, see the news item at securityfocus about this.

  2. Security must-dos for RedHat by Hoonis · · Score: 5, Informative

    This shows you what daemons are auto-started:
    # /sbin/chkconfig --list | grep :on

    man NAME_OF_THING_YOU_DONT_KNOW_WHAT_IT_IS
    # /sbin/chkconfig --del THING_YOU_DONT_WANT

    get the latest nmap from freshmeat.net.
    do this:
    # nmap -sS -P0 YOURIPORHOSTNAME

    do you see any ports you weren't expecting?
    Turn off the services!

    Install portsentry + ipchains on a firewall, or if you don't have more than one box, your own box! Set portsentry to listen on bind to catch a lot of automated attacks from a RH6.2 bug. Move your ssh (2.X or greater!!) daemon to a non-standard port (edit /etc/ssh2/ssh2d), then set the normal ssh port as a portsentry tripwire.

    Very active attacks right now:
    Bind
    ftp
    finger
    telnet
    ssh
    port 59 (anyone know wtf that is?)

    wu-ftpd had an *earlier* vulnerability that was causing increased scan activity too!

    Subscribe to the cert.org mailing list, and "grep for linux".

    You have to take an active role and pay attention to all security bulletins out there, because you will literally be attacked within an hour of bringing up a new DSL/T1 server anywhere in the wild. I've seen portscans on newly installed lines in less than 5 minutes!
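
The audit Hoonis describes (list what chkconfig auto-starts, port-scan the box, look for anything you weren't expecting) is easy to turn into a repeatable check against an explicit allowlist. The script below is an added example, not code from this thread or from any of its posters; the chkconfig and nmap output it parses is constructed sample text so that it runs offline, and the allowlists are an assumed policy for a hypothetical host.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread or from any of its posters.
# It turns the manual audit (list auto-started services, port-scan the host,
# compare against what you expect) into a repeatable check against an allowlist.
# The chkconfig and nmap output below is CONSTRUCTED sample text so the script
# runs offline; on a live Red Hat box replace the two sample functions with
#   /sbin/chkconfig --list      and      nmap -sS -P0 <your host>

# Services and TCP ports this host is supposed to expose (assumed policy).
ALLOWED_SERVICES="sshd syslog crond"
ALLOWED_PORTS="22"

# Constructed stand-in for `/sbin/chkconfig --list`: SysV entries show the
# on/off state per runlevel, xinetd entries print as "name: on" (tab-separated
# on a real system; spaces here so the sample survives copy and paste).
chkconfig_sample() {
cat <<'EOF'
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        wu-ftpd:        on
        finger:         off
        telnet:         on
EOF
}

# Constructed stand-in for `nmap -sS -P0 <host>` (nmap 2.x era table layout).
nmap_sample() {
cat <<'EOF'
Interesting ports on  (192.0.2.10):
(The 1545 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
53/tcp     open        domain
EOF
}

# Every service chkconfig reports as enabled in at least one runlevel, or as an
# enabled xinetd service. Like `chkconfig --list | grep :on`, but it also
# catches the xinetd block, whose "name:   on" lines that grep misses.
enabled_services() {
    chkconfig_sample | awk '
        NF == 2 && $1 ~ /:$/ && $2 == "on" { sub(/:$/, "", $1); print $1; next }
        { for (i = 2; i <= NF; i++) if ($i ~ /:on$/) { print $1; break } }
    ' | sort -u
}

# TCP ports nmap reports as open, numerically sorted.
open_ports() {
    nmap_sample | awk '$2 == "open" { split($1, a, "/"); print a[1] }' | sort -n -u
}

# Echo each line of stdin that is not in the space-separated allowlist $1.
not_allowed() {
    while read -r item; do
        case " $1 " in
            *" $item "*) ;;
            *) echo "$item" ;;
        esac
    done
}

unexpected_services() { enabled_services | not_allowed "$ALLOWED_SERVICES"; }
unexpected_ports()    { open_ports | not_allowed "$ALLOWED_PORTS"; }

# Report: anything listed here is either a service to `chkconfig --del`
# or an open port whose owner you still need to identify.
echo "Enabled services outside the allowlist:"
unexpected_services | sed 's/^/  /'
echo "Open TCP ports outside the allowlist:"
unexpected_ports | sed 's/^/  /'
```

With the sample data the report flags portmap, telnet and wu-ftpd as enabled but not allowed, and ports 21 and 53 as open but not allowed; the point of keeping the allowlist in the script rather than in your head is that the same check can be re-run after every update or reboot, which is when unwanted daemons tend to come back.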

  3. Tiny Violins by gnovos · · Score: 5, Informative

    Sure they put out this advisory before it became knowledge to the NEWS organizations, but the "bad guy" groups have known about this for quite some time. Case in point, my brother wanted to show me some large home-movie mpegs (much too large to email to me), so he gave me an account on his box to ftp them from. Somehow the password that he gave me wasn't right (he must have typed it with the caps lock on), so I couldn't get into his machine. He was already asleep by that time, so I couldn't call him up to change it, so just for kicks, I thought it might be fun to see if there was any way to break in. Sure enough, a few well-formed google searches, and I had pages that not only "discussed" this vulnerability, but had tools and scripts (including compiled Windows 9x GUIs for the lazy script kiddie) for download. They were wonderfully useful, and they *worked*.

    So, the root of the situation is: 1) Anyone who did NOT know about this hole had been vulnerable LONG before the posting. 2) When told about the hole, but without a patch, any of those admins could then take whatever steps would be needed to keep their server secure (even shutting ftp down if it came to that).

    RedHat was right.

    --
    "Your superior intellect is no match for our puny weapons!"

  4. Regarding disclosure... by slashkitty · · Score: 5, Informative

    As a security bug hunter myself, I know that the sooner you disclose the sooner it gets fixed. The more serious the hole, the sooner it should get fixed. Period. 2 weeks ago, I published an alert on a bunch of website security holes, including microsoft.com. Knowing how ms reacts to disclosure, I didn't disclose the specifics on microsoft.com's site, but I did on the others. Guess what? The hole on microsoft.com is still not fixed, while most other sites have moved to fix their holes. Now, this hole also affects thousands (if not millions?) of sites, but it seems to require disclosure to get things moving.

    Now, RedHat maybe shouldn't have ever made this "agreement" to postpone patches. Maybe they noticed that people were already making use of this not-so-secret-to-black-hats bug. Or, maybe it was just a mistake... I don't know. I'm just glad I don't have a public wu-ftp server to deal with.

    --
    -- these are only opinions and they might not be mine.

  5. Re:Another globbing bug? by bad-badtz-maru · · Score: 5, Informative

    Learn more about security before offering advice:

    Breaking chroot jail:
    http://www.bpfh.net/simes/computing/chroot-break.html

    Proftpd globbing bug:
    http://www.linuxsecurity.com/advisories/other_advisory-1223.html

    maru

  6. WU-FTPD maintainer ain't happy... by MelloDawg · · Score: 5, Informative

    Check out this thread on the wuftpd-questions list:

    http://marc.theaimsgroup.com/?l=wuftpd-questions&m=100698257011540&w=2

    --
    /. is irrelevant.