[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : wu-ftpd Misconfiguration Vulnerability

Title: wu-ftpd Misconfiguration Vulnerability
Released by: CERT
Date: 30th November 1995
Printable version: Click here

Hash: SHA1


CERT(*) Advisory CA-95:16

Original issue date: November 30, 1995

Last revised: September 23, 1997        

                Updated copyright statement

              A complete revision history is at the end of this file.

Topic: wu-ftpd Misconfiguration Vulnerability

- -----------------------------------------------------------------------------

A vulnerability exists with certain configurations of the SITE EXEC command

in the Washington University ftpd, also known as wu-ftpd. Exploitation of

this vulnerability may allow root access from any account on the system.

The vulnerable configuration is known to exist in numerous Linux distributions

and is currently being actively exploited by intruders.

It should be noted that this vulnerability is not necessarily limited to Linux

but may exist on any wu-ftpd installation. Thus, all users of the wu-ftpd

program, not just the Linux users, should take this opportunity to verify the

configuration of their daemons. Note that versions of wu-ftpd before the 2.4

release contain serious security vulnerabilities and should be updated


Section III contains instructions for disabling ftpd and correcting the


We will update this advisory as we receive additional information.

Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     There is a problem with the default configuration of the Washington

     University FTP Server version 2.4 in major Linux distributions, including

     but not limited to Slackware 2.0, 2.1, 2.2, 2.3, Yggdrasil Plug&Play

     Fall'94, and the Debian Distribution. By exploiting this problem, any

     user who is able to log into a system having the vulnerable configuration

     via FTP using their login, and not the anonymous login, may gain root


     Other systems besides Linux can be configured to be vulnerable although

     the standard wu-ftpd 2.4 source code as distributed is not vulnerable.

     The problem is that the variable _PATH_EXECPATH was set to "/bin" in

     the configuration file src/pathnames.h when the distribution binary

     was built. _PATH_EXECPATH should be set to "/bin/ftp-exec" or a similar

     directory that does not contain a shell or command interpreter, for

     example. The source code shipped with the Linux distributions contains

     the correct value ("/bin/ftp-exec") despite the incorrect distribution

     binary. You should verify that _PATH_EXECPATH has the correct value

     before recompiling.

     Note that the documentation for wu-ftpd states that the directory

     defined by _PATH_EXECPATH is relative to ~ftp, the ftp home directory

     as specified in the password file. This is misleading. The pathname

     is relative to ~ftp for anonymous users only. This pathname is relative

     to "/" for other user sessions.

II.  Impact

     Any user with a local account on a system offering FTP services

     with the vulnerable configuration may gain root access. Support for

     anonymous FTP access is not required to exploit this vulnerability.

III. How to determine if you are vulnerable

     All systems running wu-ftpd should be checked to determine if the

     configuration is vulnerable.

     To test your configuration, access the FTP server using a legitimate user

     account (not an anonymous FTP login) and login to your FTP server. For


          srchost> ftp ftphost

          Connected to ftphost

          220 ftphost FTP server (Version wu-2.4(2) Mon Apr 18 09:12:35 [...]


          Name (srchost:joe):

          331 Password required for joe.


          230 User joe logged in.

     Then type:

           ftp> quote site exec echo problem

     If you see the following response, then you are not vulnerable:

             200-echo problem

             200  (end of 'echo problem')

     However, if you see this following response, then you are vulnerable

     (note the additional '200-problem' entry):

             200-echo problem


             200  (end of 'echo problem')

IV. Solution

     If you have the vulnerability, we recommend that you turn off ftpd

     immediately using the method described in Section A below. Once you have

     done that, you can then decide whether to rebuild or fetch a new ftpd


     If you have built wu-ftpd from a source distribution, follow the steps

     in Sections B.2 and B.3 below.

     Once you have eliminated this vulnerability, turn on ftpd with the

     method described in Section C below.

     A. Disable ftpd

        To disable ftpd, do the following as root.

        1. Shut down the FTP server using the ftpshut command.  This command

           blocks all connections to the FTP server.

           For ftpshut to work correctly, the ftpaccess(5) file will need a

           shutdown directive that names a file used by wu-ftpd to indicate

           that the server is shutdown. If your ftpaccess file does not have

           such a directive, add one to that file. When added, use ftpshut(8)

           to shut down the server. Once the server has been shutdown, all

           new incoming FTP requests will fail.

           Here is an example of the ftpshut command:

                    ftpshut now

        2. Verify that the FTP service has been shut down by attempting to

           connect to it. You should see a message that contains a line

           similar to the following:

                    hostname FTP server shut down -- please try again later

           where hostname is the host from which you are requesting

           FTP service.

     B. Correct the configuration

        Item 1 below applies to those running Debian Linux.  Item 2 applies

        to all other Linux systems.  Item 3 applies to those who are building

        wu-ftpd from source on systems other than Linux.

        1. If you are running Debian Linux, obtain a fixed binary,

           available from the following location, and install this binary.


         MD5 (wu-ftpd-2.4-14.deb) = c00a0aac75216bf83568aee4c2e7d168

        2. If you are running any version of Linux, there is a version of

           the source code available that has been improved to compile more

           cleanly. It too is correctly configured for SITE EXEC. It is

           available from (file wu-ftpd-2.4-fixed.tar.gz)


         MD5 (wu-ftpd-2.4-fixed.tar.gz) = 3e1c6fd7cd6757e45894df0d3638b524

           This version is also correctly configured for the SITE EXEC

           command and can be compiled and installed. Consult Section

           IV below for suggestions on how to configure wu-ftpd.

        3. If you are running a version of wu-ftpd before version 2.4,

           you should upgrade to version 2.4 first. That version is

           available from


         MD5 (wu-ftpd-2.4.tar.Z) = 57f1a962c90a9b12825d39af518df433

           Version 2.4 is correctly configured for the SITE EXEC command

           and can be compiled and installed. Consult Section IV below for

           suggestions on how to configure wu-ftpd.

     C. Enabling ftpd

        1. To turn ftpd back on, delete the file referenced by the shutdown

           directive in your ftpaccess file.

        2. Verify that the FTP service has been enabled by attempting to

           connect to it. You should see a message that contains lines

           similar to the following:

srchost> ftp ftphost

Connected to ftphost

220 ftphost FTP server (Version wu-2.4(3) Mon Apr 3 16:53:11 EDT 1995) ready.

Name (srchost:joe):

IV.  Advice on configuring the FTP Daemon for SITE EXEC

     Here are some configuration guidelines for the directories named by

     the _PATH_EXECPATH variable.

     1. Directories used by SITE EXEC: The documentation for wu-ftpd

        states that the directory defined by the _PATH_EXECPATH variable is

        relative to ~ftp, the ftp home directory as specified in the password

        file. This is misleading. The pathname is relative to ~ftp for

        anonymous users only. The pathname is relative to "/" for all other

        user sessions.

        Therefore, you need to check the two directories used by the SITE

        EXEC command. For example, if the _PATH_EXECPATH variable is set to

        /bin/ftp-exec, then wu-ftpd searches the ~ftp/bin/ftp-exec directory

        for programs specified by SITE EXEC when the anonymous login is used,

        and the /bin/ftp-exec directory specified by SITE EXEC when any other

        login is used.

     2. Contents of the directories used by SITE EXEC: The commands installed

        in these directories can be executed by the SITE EXEC command. We

        strongly recommend that this directory contain only those programs

        that you wish to be executed by those users who connect to your FTP

        server. An example of a program to install in these directories is

        the ls program. Programs that should not be installed in these

        directories are shells, for example sh or csh, and command

        interpreters, for example awk and perl.

- ---------------------------------------------------------------------------

The CERT Coordination Center thanks AUSCERT, the Australian response team, and

Alexander O. Yuriev, Temple University, author of Linux Security Updates, for

their support in responding to this problem. Linux Security Updates are

available from


- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident

Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to

CERT staff by electronic mail, we strongly advise that the email be

encrypted. The CERT Coordination Center can support a shared DES key, PGP

(public key available via anonymous FTP on info.cert.org), or PEM (contact

CERT staff for details).

Internet email: cert@cert.org

Telephone: +1 412-268-7090 (24-hour hotline)

           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),

           and are on call for emergencies during other hours.

Fax: +1 412-268-6989

Postal address:  CERT Coordination Center

                 Software Engineering Institute

                 Carnegie Mellon University

                 Pittsburgh, PA 15213-3890


CERT advisories and bulletins are posted on the USENET newsgroup

comp.security.announce. If you would like to have future advisories and

bulletins mailed to you or to a mail exploder at your site, please send mail

to cert-advisory-request@cert.org.

Past CERT publications, information about FIRST representatives, and

other information related to computer security are available for anonymous

FTP from info.cert.org.

- -----------------------------------------------------------------------------

Copyright 1995, 1996 Carnegie Mellon University. Conditions for use,

disclaimers, and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.



Information for Solaris 2.4

- ---------------------------

    After the advisory was originally issued, Charles Jardine 

    provided the following information.

    The problem with the SITE EXEC command is that programs spawned by

    wu-ftpd are run as the effective user and group id of the logged in

    user but real user and group id of root (or however wu-ftpd is started

    by inetd, usually root).

    To address this, the following can be used as a basis for a patch.

    (Note that this patch works for Solaris 2.4 compiled with gcc-2.7.2.)

    *** /tmp/T0a001YI       Mon Dec  4 10:22:13 1995

    --- popen.c     Mon Dec  4 10:22:08 1995


    *** 141,146 ****

    --- 141,158 ----


                  (void) close(pdes[1]);


    + /*

    +  * This fixes the ``real'' problem with SITE EXEC

    +  */

    +       {

    +               uid_t u = geteuid();

    +               gid_t g = getegid();


    +               setuid(0);

    +               setgid(g);

    +               setuid(u);

    +       }


              execv(gargv[0], gargv);




Revision history

Sep. 23, 1997  Updated copyright statement

Aug. 30, 1996  Information previously in the README was inserted

               into the advisory.

Jan. 19, 1996  Updates - Added code that can be used as the basis for a patch

               for the SITE EXEC command for Solaris 2.4.

Dec. 19, 1995  Sec. III - Expanded the explanation of how to determine if

               you are vulnerable.


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.