{"vuid":"VU#886083","idnumber":"886083","name":"WU-FTPD does not properly handle file name globbing","keywords":["WU-FTPD","WU-FTP","wuftp","wuftpd","glob","FTP","FTPD","CORE-20010901","~{","ftpcmd.y","glob.c","free()","BeroFTPD"],"overview":"SecurityFocus and CORE Security Technologies have reported a vulnerability in WU-FTPD. WU-FTPD does not handle file name globbing properly and may allow an attacker to execute arbitrary code. WU-FTPD is a widely-used FTP daemon that is included in many UNIX and Linux distributions. This vulnerability was discussed on SecurityFocus' vuln-dev mailing list in April 2001.","clean_desc":"The CERT Coordination Center has received a report from SecurityFocus and CORE Security Technologies about a remote code execution vulnerability in the Washington University FTP daemon, WU-FTPD. The vulnerability manifests in WU-FTPD's handling of file name globbing. The problem is not a typical buffer overflow or format string vulnerability, but a combination of two bugs:  WU-FTPD's globbing code does not properly return an error condition when interpreting the string '~{', and later frees memory which may contain user supplied data. When certain characters are encountered in the file name argument to an FTP command issued by a client, WU-FTPD calls its globbing code, which is implemented in glob.c. The globbing code should parse the argument string, set a variable if it encounters an error condition, and return a pointer to the expanded glob expression. The function that calls glob.c eventually uses free() to free the memory allocated to hold the expanded glob expression. A problem occurs when the globbing code fails to recognize the string '~{' as a malformed argument and does not set the error variable. The pointer returned by the globbing code references memory on the heap that contains arbitrary data instead of the expanded glob expression. 
If an attacker can place code of their choice in the right position on the heap, WU-FTPD may execute that code when freeing the memory referenced by the pointer that was returned by the globbing code. This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root. If unsuccessful, the thread servicing the request will fail, but WU-FTPD will not crash. Note that BeroFTPD, which shares much of its code base with WU-FTPD, is also vulnerable. BeroFTPD is no longer separately maintained.","impact":"A remote attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.","resolution":"Apply Patch\nApply the appropriate patch supplied as described in the vendor section below. Alternatively, apply the patch provided by WU-FTPD.","workarounds":"Block or Restrict Access\nBlock or restrict access to the control port used by WU-FTPD, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPD. Disable Anonymous Access\nDisable anonymous FTP access. Note that this will only prevent unauthenticated users from attempting to exploit this vulnerability. Disable Vulnerable Service\nDisable WU-FTPD until a patch can be applied.","sysaffected":"","thanks":"The CERT Coordination Center thanks CORE Security Technologies and Greg Lundberg for information used in this document. 
Matt Power of BindView originally reported this condition on the vuln-dev mailing list.","author":"This document was written by Art Manion.","public":["http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=10&idx=172","ftp://ftp.wu-FTPD.org/pub/wu-FTPD/patches/apply_to_current/ftpglob.patch","http://www.securityfocus.com/bid/3581","http://aris.securityfocus.com/alerts/wuFTPD/","http://www.securityfocus.com/archive/82/180823","http://xforce.iss.net/alerts/advise103.php","http://www.wu-FTPD.org/"],"cveids":["CVE-2001-0550"],"certadvisory":"CA-2001-33","uscerttechnicalalert":null,"datecreated":"2001-11-20T15:52:53Z","publicdate":"2001-04-30T00:00:00Z","datefirstpublished":"2001-11-28T18:24:35Z","dateupdated":"2002-03-28T22:27:14Z","revision":35,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"15","cam_impact":"19","cam_easeofexploitation":"8","cam_attackeraccessrequired":"16","cam_scorecurrent":"21.888","cam_scorecurrentwidelyknown":"25.308","cam_scorecurrentwidelyknownexploited":"38.988","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":21.888,"vulnote":null}