Wu-ftpd 2.6.0 SITE EXEC Remote Format String Overflow Vulnerability
Release date: 2000-06-22
Update date: 2000-06-22
Affected systems:
Washington University wu-ftpd 2.4.2academ[BETA-18]
- RedHat Linux 5.2
Washington University wu-ftpd 2.4.2academ[BETA1-15]
- Caldera OpenLinux Standard 1.2
Washington University wu-ftpd 2.5.0
- RedHat Linux 6.1
Washington University wu-ftpd 2.6.0
- RedHat Linux 6.1
Description:
BUGTRAQ ID: 1387
CVE(CAN) ID: CVE-2000-0573
Washington University FTP Server (wu-ftpd) is a very popular FTP server for Unix systems; many Unix and Linux distributions ship it as their default FTP server.
Wu-ftpd's SITE EXEC implementation contains a format string vulnerability. A remote attacker may exploit it, through an overflow attack, to execute arbitrary commands with root privileges.
Wu-ftpd's SITE EXEC handler passes user-supplied data to vsnprintf() as the format string. An attacker can construct a special format string such as <retloc>%.f%.f%.f %.<ret>d%n to overwrite important data on the stack (a return address, a saved uid, and so on) and thereby execute system commands remotely. This is not an ordinary buffer overflow; it is caused by the incorrect use of vsnprintf() combined with the lack of validation of user-supplied data.
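The defect the advisory describes, as an added illustration (this is not wu-ftpd source and not the vendor patch): a minimal reply helper in the shape of wu-ftpd's lreply()/reply(), shown in its pre-patch form (client text used as the format string) and in the patched form (client text passed as a "%s" argument), plus a small scanner that counts printf directives in client-supplied text so that an unpatched server's logs can flag such requests. The function names, REPLY_MAX and the benign sample input are constructed for this example; the directive string is the one quoted in the description above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not wu-ftpd source: a minimal stand-in for the server's
 * lreply()/reply() helpers, which build a response with vsnprintf() as the
 * advisory describes.  Function names and REPLY_MAX are assumptions. */
#define REPLY_MAX 256

/* Core formatter: "<code> " followed by fmt expanded with ap. */
static void vreply(char *out, int code, const char *fmt, va_list ap)
{
    int n = snprintf(out, REPLY_MAX, "%d ", code);
    if (n < 0 || n >= REPLY_MAX) {
        out[0] = '\0';
        return;
    }
    vsnprintf(out + n, (size_t)(REPLY_MAX - n), fmt, ap);
}

/* printf-like reply.  The format attribute lets gcc/clang (-Wformat-security)
 * report any caller that passes a non-literal format with no arguments,
 * i.e. the lreply(200, cmd) shape that the wu-ftpd patch removes. */
__attribute__((format(printf, 3, 4)))
static void reply_fmt(char *out, int code, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vreply(out, code, fmt, ap);
    va_end(ap);
}

/* Pre-patch shape: client text becomes the format string.  No attribute here,
 * so the compiler stays silent, just as it did for wu-ftpd 2.6.0.  Calling
 * this with text containing % directives is the undefined behaviour the
 * advisory describes; this example never does so. */
static void reply_unsafe(char *out, int code, const char *text, ...)
{
    va_list ap;
    va_start(ap, text);
    vreply(out, code, text, ap);   /* text is parsed for % directives */
    va_end(ap);
}

/* Patched shape: text is always an argument, never the format. */
static void reply_safe(char *out, int code, const char *text)
{
    reply_fmt(out, code, "%s", text);
}

/* Detection aid: number of printf conversion directives in client-supplied
 * text ("%%" is a literal percent and does not count).  SITE EXEC arguments
 * with a non-zero count are worth logging on a server that is not yet patched. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[REPLY_MAX];
    /* Constructed benign input, and the directive string quoted in the advisory. */
    const char *benign = "ls -la";
    const char *hostile = "<retloc>%.f%.f%.f %.<ret>d%n";

    reply_unsafe(buf, 200, benign);   /* identical output for benign input */
    printf("unsafe, benign : %s\n", buf);
    reply_safe(buf, 200, hostile);    /* directives copied literally */
    printf("safe,   hostile: %s\n", buf);
    printf("directives in hostile input: %d\n", count_format_directives(hostile));
    return 0;
}
```

For input without '%', both forms produce identical output, which is why this class of bug survives ordinary functional testing. Annotating the real reply functions with the format attribute, as reply_fmt is above, turns the lreply(200, cmd) pattern into a compile-time diagnostic under -Wformat-security instead of a runtime root compromise.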
<* Source: tf8 (tf8@zolo.freelsd.net)
Links: http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-499.html
ftp://patches.sgi.com/support/free/security/advisories/20000701-01-I
http://www.cert.org/advisories/CA-2000-13.html
http://www.caldera.com/support/security/advisories/CSSA-2000-020.0.txt
http://www.debian.org/security/2000/debian-
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:29.[需要添加].asc
http://online.securityfocus.com/advisories/2404
http://www.ciac.org/ciac/bulletins/k-054.shtml
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2000-010.txt.asc
https://www.redhat.com/support/errata/RHSA-2000-039.html
http://www.suse.com/de/support/security/_[需要添加]_txt.txt
http://www.turbolinux.com/pipermail/tl-security-announce/2000-July/000390.html
*>
Recommendations:
Workaround:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Apply the temporary patch below and recompile wu-ftpd 2.6.0
diff -ur wu-ftpd-orig/src/ftpcmd.y wu-ftpd-2.6.0/src/ftpcmd.y
--- wu-ftpd-orig/src/ftpcmd.y Wed Oct 13 08:15:28 1999
+++ wu-ftpd-2.6.0/src/ftpcmd.y Thu Jun 22 22:44:41 2000
@@ -1926,13 +1926,13 @@
}
if (!maxfound)
maxlines = defmaxlines;
- lreply(200, cmd);
+ lreply(200, "%s", cmd);
while (fgets(buf, sizeof buf, cmdf)) {
size_t len = strlen(buf);
if (len > 0 && buf[len - 1] == '\n')
buf[--len] = '\0';
- lreply(200, buf);
+ lreply(200, "%s", buf);
if (maxlines <= 0)
++lines;
else if (++lines >= maxlines) {
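Review bot: the two `lreply(200, "%s", ...)` changes are the core of the fix, since `cmd` and the lines read into `buf` from `cmdf` were previously handed to the reply routine as the format string; the same `lreply(code, string)` shape should be checked at every other call site in the tree, because this hunk only covers the SITE EXEC output path. Declaring `lreply` and `reply` with `__attribute__((format(printf, 2, 3)))` would make the compiler (`-Wformat-security`) report any remaining non-literal-format callers instead of relying on a manual audit.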
diff -ur wu-ftpd-orig/src/ftpd.c wu-ftpd-2.6.0/src/ftpd.c
--- wu-ftpd-orig/src/ftpd.c Thu Jun 22 22:23:40 2000
+++ wu-ftpd-2.6.0/src/ftpd.c Thu Jun 22 22:45:23 2000
@@ -3157,7 +3157,7 @@
reply(230, "User %s logged in.%s", pw->pw_name, guest ?
" Access restrictions apply." : "");
sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);
- setproctitle(proctitle);
+ setproctitle("%s", proctitle);
if (logging)
syslog(LOG_INFO, "FTP LOGIN FROM %s, %s", remoteident, pw->pw_name);
/* H* mod: if non-anonymous user, copy it to "authuser" so everyone can
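Review bot: the `setproctitle("%s", proctitle)` change is right, because `proctitle` is built from `remotehost` and `pw->pw_name`, neither of which the server controls; the remaining concern in this hunk is the unbounded `sprintf(proctitle, "%s: %s", remotehost, pw->pw_name)` on the line above it, which should become `snprintf(proctitle, sizeof(proctitle), ...)` if `proctitle` is a fixed-size array, so that a long host name or user name cannot overrun it.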
@@ -5912,7 +5912,7 @@
remotehost[sizeof(remotehost) - 1] = '\0';
sprintf(proctitle, "%s: connected", remotehost);
- setproctitle(proctitle);
+ setproctitle("%s", proctitle);
wu_authenticate();
/* Create a composite source identification string, to improve the logging
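Review bot: same pattern as the login-path hunk; `remotehost` is explicitly NUL-terminated at `sizeof(remotehost) - 1` just above, but `proctitle` receives it through an unbounded `sprintf(proctitle, "%s: connected", remotehost)`, so the safety of `proctitle` depends on it being at least as large as `remotehost` plus the literal suffix. A `snprintf` bounded by `sizeof(proctitle)` would make that invariant explicit rather than implicit.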
Vendor patches:
Caldera
-------
Caldera has released a security advisory (CSSA-2000-020.0) and a corresponding patch for this issue:
CSSA-2000-020.0:wu-ftpd vulnerability
Link: http://www.caldera.com/support/security/advisories/CSSA-2000-020.0.txt
Patch download:
OpenLinux Desktop 2.3
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
Verification
ddc86702f33d6a5edddab258ddd72195 RPMS/wu-ftpd-2.5.0-7.i386.rpm
8090110ecef8d1efd2fe4c279f209e29 SRPMS/wu-ftpd-2.5.0-7.src.rpm
OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
Verification
f909e8b47ec6780109c2437cdfdc2497 RPMS/wu-ftpd-2.5.0-7.i386.rpm
8354edf2f90e59aa96d8baf1d77e28a0 SRPMS/wu-ftpd-2.5.0-7.src.rpm
OpenLinux eDesktop 2.4
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
Verification
d2df4fb386d65387039f33538571d907 RPMS/wu-ftpd-2.5.0-7.i386.rpm
13313d25d6d93dd98dd94e62d48c711c SRPMS/wu-ftpd-2.5.0-7.src.rpm
Conectiva
---------
Conectiva has released a security advisory (2000-06-23) and a corresponding patch for this issue:
2000-06-23:Remote root compromise
Link:
Patch download:
DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/servidor-1.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm
DIRECT LINK TO THE SOURCE PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/servidor-1.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm
Debian
------
Debian has released a security advisory (Debian-00-010) and a corresponding patch for this issue:
Debian-00-010:New Debian wu-ftpd packages released
Link: http://www.debian.org/security/2000/debian-
Patch download:
Source archives:
http://security.debian.org/dists/slink/updates/source/wu-ftpd-academ_2.4.2.16-13.1.diff.gz
http://security.debian.org/dists/slink/updates/source/wu-ftpd-academ_2.4.2.16-13.1.dsc
http://security.debian.org/dists/slink/updates/source/wu-ftpd-academ_2.4.2.16.orig.tar.gz
Intel ia32 architecture:
http://security.debian.org/dists/slink/updates/binary-i386/wu-ftpd-academ_2.4.2.16-13.1_i386.deb
Sun Sparc architecture:
http://security.debian.org/dists/slink/updates/binary-sparc/wu-ftpd-academ_2.4.2.16-13.1_sparc.deb
Debian 2.2 alias potato
Source archives:
http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.diff.gz
http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.dsc
http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0.orig.tar.gz
Architecture independent archives:
http://security.debian.org/dists/potato/updates/main/binary-all/wu-ftpd-academ_2.6.0-5.1_all.deb
Patch installation:
1. Install the patch package manually:
First, download the patch with the following command:
# wget url (url is the patch download link)
Then install the patch with the following command:
# dpkg -i file.deb (file is the name of the patch package)
2. Install the patch package automatically with apt-get:
First, update the package database with the following command:
# apt-get update
Then install the updated packages with the following command:
# apt-get upgrade
FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-00:29) and a corresponding patch for this issue:
FreeBSD-SA-00:29:wu-ftpd port contains remote root compromise [REVISED]
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:29.[需要添加].asc
Patch download:
Patches are available for FreeBSD 3, 4 and 5 at:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/wu-ftpd-2.6.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/wu-ftpd-2.6.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/wu-ftpd-2.6.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/wu-ftpd-2.6.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/wu-ftpd-2.6.0.tar.gz
HP
--
HP has released a security advisory (HPSBUX0007-117) and a corresponding patch for this issue:
HPSBUX0007-117:Sec. Vulnerability in ftpd **Rev.04**
Link:
Patch download:
ftp://us-ffs.external.hp.com/hp-ux_patches
HP HP-UX 10.01:
HP Patch PHNE_22058
HP HP-UX 10.10:
HP Patch PHNE_22058
HP HP-UX 10.16:
HP Patch PHNE_22703
HP HP-UX 10.20:
HP Patch PHNE_22057
HP HP-UX (VVOS) 10.24:
HP Patch PHNE_22059
HP HP-UX 10.26:
HP Patch PHNE_22124
HP HP-UX 11.04:
HP Patch PHNE_22060
HP HP-UX 11.0:
HP Patch PHNE_21936
Patch installation:
1. Back up the system before installing the patch.
2. Log in as root.
3. Copy the patch to the /tmp directory.
4. Change to the /tmp directory and unshar the patch:
cd /tmp
sh PHCO_xxxxxx
5a. On a standalone system, run swinstall to install the patch:
swinstall -x autoreboot=true -x match_target=true \
-s /tmp/PHCO_xxxxx.depot
By default the original software is backed up under /var/adm/sw/patch/PHCO_xxxxx. If you do not want to keep a backup, create an empty file /var/adm/sw/patch/PATCH_NOSAVE and the system will no longer keep one.
Warning: if this file exists when the patch is installed, the patch cannot be removed afterwards; use this feature with care.
RedHat
------
RedHat has released a security advisory (RHSA-2000:039-02) and a corresponding patch for this issue:
RHSA-2000:039-02:remote root exploit (SITE EXEC) fixed
Link: https://www.redhat.com/support/errata/RHSA-2000-039.html
Patch download:
Red Hat Linux 5.2:
i386:
ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.6.0-2.5.x.i386.rpm
alpha:
ftp://updates.redhat.com/5.2/alpha/wu-ftpd-2.6.0-2.5.x.alpha.rpm
sparc:
ftp://updates.redhat.com/5.2/sparc/wu-ftpd-2.6.0-2.5.x.sparc.rpm
sources:
ftp://updates.redhat.com/5.2/SRPMS/wu-ftpd-2.6.0-2.5.x.src.rpm
Red Hat Linux 6.2:
i386:
ftp://updates.redhat.com/6.2/i386/wu-ftpd-2.6.0-14.6x.i386.rpm
alpha:
ftp://updates.redhat.com/6.2/alpha/wu-ftpd-2.6.0-14.6x.alpha.rpm
sparc:
ftp://updates.redhat.com/6.2/sparc/wu-ftpd-2.6.0-14.6x.sparc.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/wu-ftpd-2.6.0-14.6x.src.rpm
Install the patch with the following command:
rpm -Fvh [filename]
TurboLinux
----------
TurboLinux has released a security advisory (TLSA2000014-1) and a corresponding patch for this issue:
TLSA2000014-1:wu-ftpd-2.6.0 and earlier
Link:
Patch download:
TurboLinux Turbo Linux 3.5 b2:
TurboLinux RPM wu-ftpd-2.6.1-1.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/4.0/security/wu-ftpd-2.6.1-1.i386.rpm
TurboLinux Turbo Linux 4.0:
TurboLinux RPM wu-ftpd-2.6.1-1.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/4.0/security/wu-ftpd-2.6.1-1.i386.rpm