CERT: Unix, Linux server FTP vulnerability found
By Todd R. Weiss (IDG) -- The CERT Coordination Center at Carnegie Mellon University has issued a security warning advising users of the Washington University FTP daemon (WU-FTPD) for Unix and Linux systems that their servers can be broken into and taken over unless patches are installed.

In an announcement Thursday, CERT said the vulnerabilities, if left open, can allow an attacker to obtain root access remotely and take total control of the system.

Art Manion, an Internet security analyst at CERT in Pittsburgh, said the warning was issued because the WU-FTPD program is very popular in the Unix and Linux communities and has a large installed base, potentially leaving many targets. "The potential is certainly there for it to be exploited," Manion said.

Unix and Linux vendors, including Caldera International Inc., Red Hat Inc. and SuSE Linux AG, have posted patches and advisories. IBM's AIX Unix doesn't ship with the WU-FTPD program, so it is unaffected. Hewlett-Packard Co.'s HP-UX Unix has already been patched as part of a fix for an earlier security issue.

WU-FTPD is a program that provides File Transfer Protocol (FTP) services on Unix and Linux systems. The vulnerabilities expose a system to potential remote root compromise by anyone who can reach the FTP service, according to CERT.

The vulnerabilities involve two shortcomings in WU-FTPD. The first is that the program doesn't properly handle "glob" patterns, which allow a user to specify multiple file names and locations using shell-style wildcard notation. WU-FTPD implements its own globbing code instead of using the libraries in the underlying operating system. That code is designed to recognize invalid syntax and return an error condition to the calling function. However, when it encounters one specific string, the globbing code fails to return the error condition properly, so the caller carries on as though the pattern had been handled, creating a hole through which an intruder can attack.

The other vulnerability appears when WU-FTPD is configured to use RFC 931 authentication and is run in debug mode. With RFC 931 authentication, WU-FTPD queries the client's host for the identity of the user behind a connection before authorizing the connection request. But when the daemon is run in debugging mode, this path becomes vulnerable to attack by any user who is able to log in, including users with anonymous access.

On an unrelated note, CERT itself has been the subject of a denial-of-service attack for the past several days, and its Web site has at times been unreachable, the group confirmed Friday.

"All critical CERT/CC functions remain operational," spokesman Bill Pollak said in a prepared statement. "Incident and vulnerability reports are being processed and advisories will be issued if needed. Some Internet sites, though, may be temporarily unable to reach the CERT/CC Web site. We are working with our service providers to resolve this problem."

"The recent activity directed against the CERT Coordination Center Web site is not unique," Pollak said. "On a daily basis, the CERT/CC is the target of attack attempts by intruders, and has been for many years. The nature of the protocols and technology used for the Internet causes organizations to be dependent on the security of others. Thus, no organization, including the CERT/CC, is completely immune to occasional service disruptions."
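The globbing shortcoming described in the article, a syntax error that the pattern code detects but does not hand back to its caller, is a general bug class that is worth seeing in code. The C program below is an added illustration written for this page; it is not WU-FTPD's code and does not reproduce the specific string CERT reported. The toy pattern scanner, the `globerr` side channel, and the `run_request` caller are all hypothetical. It puts a faulty expander beside a hardened one and runs both through a simulated caller that trusts the return code, the way a server would.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of the bug class, not WU-FTPD's code: a glob
 * front end that validates pattern syntax and, on success, hands the
 * caller a heap copy of the pattern.  Matching itself is out of scope;
 * the point is whether a syntax error reaches the caller. */

enum { GLOB_OK = 0, GLOB_EBRACKET = 1, GLOB_EBRACE = 2, GLOB_ENOMEM = 3 };

/* Syntax scan shared by both versions: unbalanced [] or {} is invalid. */
int scan_pattern(const char *pat)
{
    int bracket = 0, brace = 0;
    for (const char *p = pat; *p; p++) {
        switch (*p) {
        case '[': bracket++; break;
        case ']': if (bracket == 0) return GLOB_EBRACKET; bracket--; break;
        case '{': brace++; break;
        case '}': if (brace == 0) return GLOB_EBRACE; brace--; break;
        default: break;
        }
    }
    if (bracket) return GLOB_EBRACKET;
    if (brace) return GLOB_EBRACE;
    return GLOB_OK;
}

/* Portable strdup replacement so the example builds under strict -std. */
char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

int globerr; /* side channel the faulty version records errors in */

/* Faulty (hypothetical): a bracket error is returned to the caller, but a
 * brace error is only recorded in globerr; the call returns GLOB_OK and
 * *out is left holding whatever the caller had in it, possibly a pointer
 * freed after an earlier request. */
int expand_glob_faulty(const char *pat, char **out)
{
    globerr = scan_pattern(pat);
    if (globerr == GLOB_EBRACKET)
        return GLOB_EBRACKET;
    if (globerr == GLOB_OK)
        *out = dup_string(pat);
    return GLOB_OK;           /* brace error swallowed */
}

/* Hardened: every scan result is the return value, and *out is reset
 * before any early return, so a caller that honours the return code can
 * never see a stale pointer. */
int expand_glob_fixed(const char *pat, char **out)
{
    int rc;
    *out = NULL;
    rc = scan_pattern(pat);
    if (rc != GLOB_OK)
        return rc;
    *out = dup_string(pat);
    return *out ? GLOB_OK : GLOB_ENOMEM;
}

/* Simulated caller that trusts the return code.  Its result slot starts
 * out holding `stale`, standing in for a pointer left over from a
 * previous request.  Returns:
 *   0  error was reported, nothing used
 *   1  success with a fresh buffer (used, then freed)
 *   2  "success" reported but the slot still holds the stale pointer,
 *      which a real caller would now read and free (the dangerous case) */
int run_request(int (*expand)(const char *, char **), const char *pat)
{
    static char stale_storage[] = "<stale>";
    char *stale = stale_storage;
    char *result = stale;
    int rc = expand(pat, &result);

    if (rc != GLOB_OK)
        return 0;
    if (result == stale)
        return 2;             /* would use and free a stale pointer here */
    (void)strlen(result);     /* stand-in for actually using the expansion */
    free(result);
    return 1;
}

int main(void)
{
    const char *pats[] = { "*.txt", "a[b", "a{b", "{a,b}" };
    for (size_t i = 0; i < sizeof pats / sizeof pats[0]; i++)
        printf("%-8s faulty=%d fixed=%d\n", pats[i],
               run_request(expand_glob_faulty, pats[i]),
               run_request(expand_glob_fixed, pats[i]));
    return 0;
}
```

Run it and the "a{b" row shows the whole problem: the faulty expander reports success and leaves the caller's stale pointer in place (code 2), while the hardened one returns an error with the output pointer cleared (code 0). The two habits that close this class of bug are the ones the fixed version shows: make every failure the return value rather than a flag the caller may not check, and reset output parameters before any early return. When auditing hand-rolled parsers of this kind, look specifically for error paths that record a failure somewhere but still fall through to a success return.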
© 2003 Cable News Network LP, LLLP. A Time Warner Company. All Rights Reserved.