漏洞信息详情

Wu-ftpd 2.6.0 SITE EXEC远程格式串溢出漏洞

• CNNVD编号：CNNVD-200007-013
• 危害等级： 超危
  
• CVE编号： CVE-2000-0573
• 漏洞类型： 输入验证
• 发布时间： 2000-06-22
• 威胁类型： 远程
• 更新时间： 2005-05-02
• 厂        商： hp
• 漏洞来源： tf8 [email protected]...

漏洞简介

Washington University FTP Server是一个非常流行的Unix系统下的FTP服务器。很多Unix和Linux的发行版本都把它作为默认安装的FTP服务器。 Wu-ftpd在SITE EXEC实现上存在格式化串溢出漏洞，远程攻击者可能利用此漏洞通过溢出攻击以root用户的权限执行任意指令。 Wu-ftpd的SITE EXEC将用户输入的数据错误的作为格式字符串传送给vsnprintf()函数，攻击者可以构造一个特殊的格式字符串，例如＜retloc＞\\%.f\\%.f\\%.f \\%.＜ret＞d\\%n来覆盖堆栈中的某些重要数据，返回地址或者保存的uid等等，攻击者可以远程执行系统命令。这种攻击并不等同于通常的缓冲区溢出攻击，主要是错误的使用vsnprintf()以及缺乏对用户输入数据的检查引起的。

漏洞公告

临时解决方法： 如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁：

* 可以使用这个临时的补丁程序， 重新编译wuftp2.6.0

diff -ur wu-ftpd-orig/src/ftpcmd.y wu-ftpd-2.6.0/src/ftpcmd.y

--- wu-ftpd-orig/src/ftpcmd.y Wed Oct 13 08:15:28 1999

+++ wu-ftpd-2.6.0/src/ftpcmd.y Thu Jun 22 22:44:41 2000

@@ -1926,13 +1926,13 @@

}

if (!maxfound)

maxlines = defmaxlines;

- lreply(200, cmd);

+ lreply(200, "%s", cmd);

while (fgets(buf, sizeof buf, cmdf)) {

size_t len = strlen(buf);

if (len > 0 && buf[len - 1] == '\n')

buf[--len] = '\0';

- lreply(200, buf);

+ lreply(200, "%s", buf);

if (maxlines <=>

++lines;

else if (++lines >= maxlines) {

diff -ur wu-ftpd-orig/src/ftpd.c wu-ftpd-2.6.0/src/ftpd.c

--- wu-ftpd-orig/src/ftpd.c Thu Jun 22 22:23:40 2000

+++ wu-ftpd-2.6.0/src/ftpd.c Thu Jun 22 22:45:23 2000

@@ -3157,7 +3157,7 @@

reply(230, "User %s logged in.%s", pw->pw_name, guest ?

" Access restrictions apply." : "");

sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);

- setproctitle(proctitle);

+ setproctitle("%s", proctitle);

if (logging)

syslog(LOG_INFO, "FTP LOGIN FROM %s, %s", remoteident, pw->pw_name);

/* H* mod: if non-anonymous user, copy it to "authuser" so everyone can

@@ -5912,7 +5912,7 @@

remotehost[sizeof(remotehost) - 1] = '\0';

sprintf(proctitle, "%s: connected", remotehost);

- setproctitle(proctitle);

+ setproctitle("%s", proctitle);

wu_authenticate();

/* Create a composite source identification string, to improve the logging 厂商补丁： Caldera ------- Caldera已经为此发布了一个安全公告(CSSA-2000-020.0)以及相应补丁:

CSSA-2000-020.0：wu-ftpd vulnerability

链接： http://www.caldera.com/support/security/advisories/CSSA-2000-020.0.txt

补丁下载：

OpenLinux Desktop 2.3

Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

Verification

ddc86702f33d6a5edddab258ddd72195 RPMS/wu-ftpd-2.5.0-7.i386.rpm

8090110ecef8d1efd2fe4c279f209e29 SRPMS/wu-ftpd-2.5.0-7.src.rpm

OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

Verification

f909e8b47ec6780109c2437cdfdc2497 RPMS/wu-ftpd-2.5.0-7.i386.rpm

8354edf2f90e59aa96d8baf1d77e28a0 SRPMS/wu-ftpd-2.5.0-7.src.rpm

. OpenLinux eDesktop 2.4

Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

Verification

d2df4fb386d65387039f33538571d907 RPMS/wu-ftpd-2.5.0-7.i386.rpm

13313d25d6d93dd98dd94e62d48c711c SRPMS/wu-ftpd-2.5.0-7.src.rpm Conectiva --------- Conectiva已经为此发布了一个安全公告(2000-06-23)以及相应补丁:

2000-06-23：Remote root compromise

链接：

补丁下载：

DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/servidor-1.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm

DIRECT LINK TO THE SOURCE PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/servidor-1.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm Debian ------ Debian已经为此发布了一个安全公告(Debian-00-010)以及相应补丁:

Debian-00-010：New Debian wu-ftpd packages released

链接： http://www.debian.org/security/2000/debian-

补丁下载：

Source archives:

http://security.d

参考网址

来源:CERT/CC Advisory: CA-2000-13 名称: CA-2000-13 链接:http://www.cert.org/advisories/CA-2000-13.HTML 来源: XF 名称: wuftp-format-string-stack-overwrite(4773) 链接:http://xforce.iss.net/xforce/xfdb/4773 来源: BUGTRAQ 名称: 20000623 ftpd: the advisory version 链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623091822.3321.qmail@fiver.freemessage.com 来源: BID 名称: 1387 链接:http://www.securityfocus.com/bid/1387 来源: REDHAT 名称: RHSA-2000:039 链接:http://www.redhat.com/support/errata/RHSA-2000-039.HTML 来源: CALDERA 名称: CSSA-2000-020.0 链接:http://www.calderasystems.com/support/security/advisories/CSSA-2000-020.0.txt 来源: BUGTRAQ 名称: 20000707 New Released Version of the WuFTPD Sploit 链接:http://marc.theaimsgroup.com/?l=bugtraq&m=96299933720862&w=2 来源: BUGTRAQ 名称: 20000623 WUFTPD 2.6.0 remote root exploit 链接:http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2 来源: BUGTRAQ 名称: 20000622 WuFTPD: Providing *remote* root since at least1994 链接:http://marc.theaimsgroup.com/?l=bugtraq&m=96171893218000&w=2 来源: BUGTRAQ 名称: 20000702 [Security Announce] wu-ftpd update 链接:http://archives.neohapsis.com/archives/bugtraq/2000-07/0017.HTML 来源: BUGTRAQ 名称: 20000723 CONECTIVA LINUX SECURITY ANNOUNCEMENT - WU-FTPD (re-release) 链接:http://archives.neohapsis.com/archives/bugtraq/2000-06/0244.HTML 来源: NETBSD 名称: NetBSD-SA2000-009 链接:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2000-009.txt.asc 来源: FREEBSD 名称: FreeBSD-SA-00:29 链接:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:29.wu-ftpd.asc.v1.1 来源: AUSCERT 名称: AA-2000.02 链接:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02 来源：NSFOCUS 名称：634 链接：http://www.nsfocus.net/vulndb/634

受影响实体

• Hp Hp-Ux:11.00  

补丁

暂无