CNNVD ID | CNNVD-200007-013 |
CVE ID | CVE-2000-0573 |
Published | 2000-06-22 |
Updated | 2005-05-02 |
Vulnerability type | Input validation |
Source (credit) | tf8 tf8@zolo.freelsd.net |
Severity | Critical |
Threat type | Remote |
Vendor | hp |
Washington University FTP Server (wu-ftpd) is a very widely deployed FTP server for Unix systems; many Unix and Linux distributions ship it as the default FTP daemon. The SITE EXEC implementation in wu-ftpd contains a format string vulnerability that a remote attacker can exploit to execute arbitrary commands with root privileges. The SITE EXEC handler passes client-supplied data to vsnprintf() as the format string instead of as an argument. An attacker can therefore craft a format string such as <retloc>%.f%.f%.f%.<ret>d%n, where <retloc> is the address of the target word on the stack and <ret> is a precision chosen so that the number of characters written so far equals the value to store, and use the %n conversion to overwrite critical data on the stack, such as a saved return address or a saved uid, and run commands on the server remotely. This is not a classic buffer overflow: the root cause is the misuse of vsnprintf() combined with the absence of any check on user-controlled input.
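The pre-patch and patched call patterns side by side, as an added example that is not part of the CNNVD entry or of wu-ftpd's own code: `lreply_like()` is a simplified stand-in for wu-ftpd's `lreply()` (its shape here, a reply code plus a printf-style format, is an assumption), `reply_vulnerable()` mirrors the original `lreply(200, cmd)`, `reply_fixed()` mirrors the patched `lreply(200, "%s", cmd)`, and `site_exec_looks_hostile()` is a hypothetical log-scanning check for SITE EXEC arguments that carry `%n` or an unusual pile of conversions. All sample inputs are constructed. The vulnerable variant is exercised only with `%%`, which consumes no argument; handing it a real conversion such as `%s` or `%n` is undefined behaviour, which is exactly the bug the patch removes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified stand-in for wu-ftpd's lreply(code, fmt, ...): writes
 * "<code>-<formatted text>" into out. Like the real function it forwards
 * whatever format string it is handed straight to vsnprintf().
 */
static void lreply_like(char *out, size_t outlen, int code, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outlen, "%d-", code);
    if (n < 0 || (size_t)n >= outlen)
        return;
    va_start(ap, fmt);
    vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
}

/* The pre-patch pattern, lreply(200, cmd): client text becomes the format. */
const char *reply_vulnerable(const char *user_cmd)
{
    static char out[128];
    lreply_like(out, sizeof out, 200, user_cmd);
    return out;
}

/* The patched pattern, lreply(200, "%s", cmd): constant format, text as data. */
const char *reply_fixed(const char *user_cmd)
{
    static char out[128];
    lreply_like(out, sizeof out, 200, "%s", user_cmd);
    return out;
}

/*
 * Hypothetical log check for the attack shape in the description: scan the
 * argument of a SITE EXEC line, count conversion directives ("%%" is a
 * literal and does not count), and flag any %n (the write primitive) or
 * three or more conversions. The thresholds are an assumption, not taken
 * from the advisory.
 */
int site_exec_looks_hostile(const char *line)
{
    const char *p = strstr(line, "SITE EXEC");
    int directives = 0;

    if (p == NULL)
        return 0;
    for (p += strlen("SITE EXEC"); *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" prints a literal percent sign */
            p++;
            continue;
        }
        directives++;
        /* skip flags, width, precision and length modifiers */
        const char *q = p + 1;
        while (*q != '\0' && strchr("0123456789.-+ #hlLqjzt", *q) != NULL)
            q++;
        if (*q == 'n')
            return 1;
    }
    return directives >= 3;
}
```

In the real server, declaring `lreply()` and `reply()` with `__attribute__((format(printf, 2, 3)))` and building with `-Wformat -Wformat-security` makes the compiler report the non-literal format at the original call site, which is a cheaper way to find the remaining instances than auditing by hand.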
Temporary workaround: if you cannot install a patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* Apply the temporary patch below and recompile wu-ftpd 2.6.0:
diff -ur wu-ftpd-orig/src/ftpcmd.y wu-ftpd-2.6.0/src/ftpcmd.y
--- wu-ftpd-orig/src/ftpcmd.y Wed Oct 13 08:15:28 1999
+++ wu-ftpd-2.6.0/src/ftpcmd.y Thu Jun 22 22:44:41 2000
@@ -1926,13 +1926,13 @@
}
if (!maxfound)
maxlines = defmaxlines;
- lreply(200, cmd);
+ lreply(200, "%s", cmd);
while (fgets(buf, sizeof buf, cmdf)) {
size_t len = strlen(buf);
if (len > 0 && buf[len - 1] == '\n')
buf[--len] = '\0';
- lreply(200, buf);
+ lreply(200, "%s", buf);
if (maxlines <= 0)
++lines;
else if (++lines >= maxlines) {
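Review bot: the two `lreply(200, "%s", ...)` changes in this hunk close the SITE EXEC sink, but `lreply()` still takes a caller-supplied format, so any other `lreply(code, buf)` or `reply(code, buf)` call that passes non-constant text stays exploitable in the same way. Declare `lreply` and `reply` with `__attribute__((format(printf, 2, 3)))` and build with `-Wformat -Wformat-security` so the compiler reports every remaining site instead of relying on the handful found by inspection.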
diff -ur wu-ftpd-orig/src/ftpd.c wu-ftpd-2.6.0/src/ftpd.c
--- wu-ftpd-orig/src/ftpd.c Thu Jun 22 22:23:40 2000
+++ wu-ftpd-2.6.0/src/ftpd.c Thu Jun 22 22:45:23 2000
@@ -3157,7 +3157,7 @@
reply(230, "User %s logged in.%s", pw->pw_name, guest ?
" Access restrictions apply." : "");
sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);
- setproctitle(proctitle);
+ setproctitle("%s", proctitle);
if (logging)
syslog(LOG_INFO, "FTP LOGIN FROM %s, %s", remoteident, pw->pw_name);
/* H* mod: if non-anonymous user, copy it to "authuser" so everyone can
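Review bot: `setproctitle("%s", proctitle)` is the right fix here and at `@@ -5912`, but the `sprintf(proctitle, "%s: %s", remotehost, pw->pw_name)` on the line just above it is still unbounded; a long `remotehost` or `pw_name` can overrun `proctitle`. Use `snprintf(proctitle, sizeof proctitle, "%s: %s", remotehost, pw->pw_name)` at both sites so the format-string fix is not paired with a plain overflow.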
@@ -5912,7 +5912,7 @@
remotehost[sizeof(remotehost) - 1] = '\0';
sprintf(proctitle, "%s: connected", remotehost);
- setproctitle(proctitle);
+ setproctitle("%s", proctitle);
wu_authenticate();
/* Create a composite source identification string, to improve the logging
Vendor patches:
Caldera
-------
Caldera has released a security advisory (CSSA-2000-020.0) and corresponding patches for this issue:
CSSA-2000-020.0:wu-ftpd vulnerability
Link: http://www.caldera.com/support/security/advisories/CSSA-2000-020.0.txt
Patch downloads:
OpenLinux Desktop 2.3
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
Verification
ddc86702f33d6a5edddab258ddd72195 RPMS/wu-ftpd-2.5.0-7.i386.rpm
8090110ecef8d1efd2fe4c279f209e29 SRPMS/wu-ftpd-2.5.0-7.src.rpm
OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
Verification
f909e8b47ec6780109c2437cdfdc2497 RPMS/wu-ftpd-2.5.0-7.i386.rpm
8354edf2f90e59aa96d8baf1d77e28a0 SRPMS/wu-ftpd-2.5.0-7.src.rpm
OpenLinux eDesktop 2.4
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
Verification
d2df4fb386d65387039f33538571d907 RPMS/wu-ftpd-2.5.0-7.i386.rpm
13313d25d6d93dd98dd94e62d48c711c SRPMS/wu-ftpd-2.5.0-7.src.rpm
Conectiva
---------
Conectiva has released a security advisory (2000-06-23) and corresponding patches for this issue:
2000-06-23:Remote root compromise
Link:
Patch downloads:
DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/servidor-1.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm
DIRECT LINK TO THE SOURCE PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/servidor-1.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
Debian
------
Debian has released a security advisory (Debian-00-010) and corresponding patches for this issue:
Debian-00-010:New Debian wu-ftpd packages released
Link: http://www.debian.org/security/2000/debian-
Patch downloads:
Source archives:
Source: CERT/CC Advisory: CA-2000-13
Name: CA-2000-13
Source: XF
Name: wuftp-format-string-stack-overwrite(4773)
Source: BUGTRAQ
Name: 20000623 ftpd: the advisory version
Source: BID
Name: 1387
Source: REDHAT
Name: RHSA-2000:039
Source: CALDERA
Name: CSSA-2000-020.0
Link: http://www.calderasystems.com/support/security/advisories/CSSA-2000-020.0.txt
Source: BUGTRAQ
Name: 20000707 New Released Version of the WuFTPD Sploit
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=96299933720862&w=2
Source: BUGTRAQ
Name: 20000623 WUFTPD 2.6.0 remote root exploit
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2
Source: BUGTRAQ
Name: 20000622 WuFTPD: Providing *remote* root since at least 1994
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=96171893218000&w=2
Source: BUGTRAQ
Name: 20000702 [Security Announce] wu-ftpd update
Link: http://archives.neohapsis.com/archives/bugtraq/2000-07/0017.html
Source: BUGTRAQ
Name: 20000723 CONECTIVA LINUX SECURITY ANNOUNCEMENT - WU-FTPD (re-release)
Link: http://archives.neohapsis.com/archives/bugtraq/2000-06/0244.html
Source: NETBSD
Name: NetBSD-SA2000-009
Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2000-009.txt.asc
Source: FREEBSD
Name: FreeBSD-SA-00:29
Link: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:29.wu-ftpd.asc.v1.1
Source: AUSCERT
Name: AA-2000.02
Link: ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02