J-Security Center

Title: Wu-Ftpd File Globbing Heap Corruption Vulnerability

Severity: CRITICAL

Description:

Wu-Ftpd is an FTP server based on the BSD 'ftpd' that is maintained by Washington University.

Wu-Ftpd allows clients to organize files for FTP actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap-corruption vulnerability that may allow an attacker to execute arbitrary code on a server remotely.

During the processing of a globbing pattern, the Wu-Ftpd implementation creates a list of the files that match. The memory where this data is stored is on the heap, allocated using 'malloc()'. The globbing function simply returns a pointer to the list. It is up to the calling functions to free the allocated memory.

If an error occurs processing the pattern, memory will not be allocated and a variable indicating this should be set. The calling functions must check the value of this variable before attempting to use the globbed filenames (and later freeing the memory).

Under certain circumstances, the globbing function fails to set this variable when an error occurs. As a result of this, Wu-Ftpd will eventually attempt to free uninitialized memory.

If this region of memory contained user-controllable data before the free call, then an attacker may be able to cause an arbitrary word in memory to be overwritten with an arbitrary value. This can allow arbitrary code to run if function pointers or return addresses are overwritten.

NOTE: If anonymous FTP is not enabled, valid user credentials are required to exploit this vulnerability.

This vulnerability was initially scheduled for public release on December 3, 2001. However, Red Hat has made details public as of November 27, 2001. As a result, we are forced to warn other users of the vulnerable product so that they may take appropriate actions.

Affected Products:

  • Caldera OpenLinux 2.3.0
  • Caldera OpenLinux 2.4.0
  • Caldera OpenLinux Desktop 2.3.0
  • Caldera OpenLinux Server 3.1.0
  • Cobalt Qube 1.0.0
  • Conectiva Linux 4.0.0
  • Conectiva Linux 4.0.0 es
  • Conectiva Linux 4.1.0
  • Conectiva Linux 4.2.0
  • Conectiva Linux 5.0.0
  • Conectiva Linux 5.1.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • Conectiva Linux 8.0.0
  • David Madore ftpd-BSD 0.3.2
  • David Madore ftpd-BSD 0.3.3
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • HP HP-UX 11.0.0
  • HP HP-UX 11.11.0
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Linux Mandrake 6.0.0
  • MandrakeSoft Linux Mandrake 6.1.0
  • MandrakeSoft Linux Mandrake 7.0.0
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • RedHat Linux 5.2.0 alpha
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 5.2.0 sparc
  • RedHat Linux 6.0.0
  • RedHat Linux 6.0.0 alpha
  • RedHat Linux 6.0.0 sparc
  • RedHat Linux 6.1.0 alpha
  • RedHat Linux 6.1.0 i386
  • RedHat Linux 6.1.0 sparc
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.0.0 sparc
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 i586
  • RedHat Linux 7.1.0 i686
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.1.0 noarch
  • RedHat Linux 7.2.0 alpha
  • RedHat Linux 7.2.0 athlon
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 i586
  • RedHat Linux 7.2.0 i686
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 7.2.0 noarch
  • S.u.S.E. Linux 6.1.0
  • S.u.S.E. Linux 6.1.0 alpha
  • S.u.S.E. Linux 6.2.0
  • S.u.S.E. Linux 6.3.0
  • S.u.S.E. Linux 6.3.0 alpha
  • S.u.S.E. Linux 6.3.0 ppc
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 6.4.0 alpha
  • S.u.S.E. Linux 6.4.0 ppc
  • S.u.S.E. Linux 7.0.0 alpha
  • S.u.S.E. Linux 7.0.0 i386
  • S.u.S.E. Linux 7.0.0 ppc
  • S.u.S.E. Linux 7.0.0 sparc
  • S.u.S.E. Linux 7.1.0 alpha
  • S.u.S.E. Linux 7.1.0 ppc
  • S.u.S.E. Linux 7.1.0 sparc
  • S.u.S.E. Linux 7.1.0 x86
  • S.u.S.E. Linux 7.2.0 i386
  • S.u.S.E. Linux 7.3.0 i386
  • S.u.S.E. Linux 7.3.0 ppc
  • S.u.S.E. Linux 7.3.0 sparc
  • SCO Open Server 5.0.0
  • SCO Open Server 5.0.1
  • SCO Open Server 5.0.2
  • SCO Open Server 5.0.3
  • SCO Open Server 5.0.4
  • SCO Open Server 5.0.5
  • SCO Open Server 5.0.6
  • SCO Open Server 5.0.6 a
  • SCO eDesktop 2.4.0
  • SCO eServer 2.3.0
  • SCO eServer 2.3.1
  • Turbolinux Turbolinux 4.0.0
  • Turbolinux Turbolinux 6.0.0
  • Turbolinux Turbolinux 6.0.1
  • Turbolinux Turbolinux 6.0.2
  • Turbolinux Turbolinux 6.0.3
  • Turbolinux Turbolinux 6.0.4
  • Turbolinux Turbolinux 6.0.5
  • Turbolinux Turbolinux Workstation 6.1.0
  • Washington University wu-ftpd 2.5.0 .0
  • Washington University wu-ftpd 2.6.0 .0
  • Washington University wu-ftpd 2.6.1
  • WireX Immunix OS 6.2.0
  • WireX Immunix OS 7+
  • WireX Immunix OS 7.0.0
  • WireX Immunix OS 7.0.0 -Beta

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.