Wu-ftpd 2.6.0 SITE EXEC远程格式串溢出漏洞

CNNVD-ID编号	CNNVD-200007-013	CVE编号	CVE-2000-0573
发布时间	2000-06-22	更新时间	2005-05-02
漏洞类型	输入验证	漏洞来源	tf8 tf8@zolo.freelsd.net
危险等级	超危	威胁类型	远程
厂商	hp

漏洞介绍

Washington University FTP Server是一个非常流行的Unix系统下的FTP服务器。很多Unix和Linux的发行版本都把它作为默认安装的FTP服务器。 Wu-ftpd在SITE EXEC实现上存在格式化串溢出漏洞，远程攻击者可能利用此漏洞通过溢出攻击以root用户的权限执行任意指令。 Wu-ftpd的SITE EXEC将用户输入的数据错误的作为格式字符串传送给vsnprintf()函数，攻击者可以构造一个特殊的格式字符串，例如＜retloc＞\\%.f\\%.f\\%.f \\%.＜ret＞d\\%n来覆盖堆栈中的某些重要数据，返回地址或者保存的uid等等，攻击者可以远程执行系统命令。这种攻击并不等同于通常的缓冲区溢出攻击，主要是错误的使用vsnprintf()以及缺乏对用户输入数据的检查引起的。

漏洞补丁

临时解决方法：如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁：

* 可以使用这个临时的补丁程序，重新编译wuftp2.6.0

diff -ur wu-ftpd-orig/src/ftpcmd.y wu-ftpd-2.6.0/src/ftpcmd.y

--- wu-ftpd-orig/src/ftpcmd.y Wed Oct 13 08:15:28 1999

+++ wu-ftpd-2.6.0/src/ftpcmd.y Thu Jun 22 22:44:41 2000

@@ -1926,13 +1926,13 @@

}

if (!maxfound)

maxlines = defmaxlines;

- lreply(200, cmd);

+ lreply(200, "%s", cmd);

while (fgets(buf, sizeof buf, cmdf)) {

size_t len = strlen(buf);

if (len > 0 && buf[len - 1] == '\n')

buf[--len] = '\0';

- lreply(200, buf);

+ lreply(200, "%s", buf);

if (maxlines <= 0)

++lines;

else if (++lines >= maxlines) {

diff -ur wu-ftpd-orig/src/ftpd.c wu-ftpd-2.6.0/src/ftpd.c

--- wu-ftpd-orig/src/ftpd.c Thu Jun 22 22:23:40 2000

+++ wu-ftpd-2.6.0/src/ftpd.c Thu Jun 22 22:45:23 2000

@@ -3157,7 +3157,7 @@

reply(230, "User %s logged in.%s", pw->pw_name, guest ?

" Access restrictions apply." : "");

sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);

- setproctitle(proctitle);

+ setproctitle("%s", proctitle);

if (logging)

syslog(LOG_INFO, "FTP LOGIN FROM %s, %s", remoteident, pw->pw_name);

/* H* mod: if non-anonymous user, copy it to "authuser" so everyone can

@@ -5912,7 +5912,7 @@

remotehost[sizeof(remotehost) - 1] = '\0';

sprintf(proctitle, "%s: connected", remotehost);

- setproctitle(proctitle);

+ setproctitle("%s", proctitle);

wu_authenticate();

/* Create a composite source identification string, to improve the logging 厂商补丁： Caldera ------- Caldera已经为此发布了一个安全公告(CSSA-2000-020.0)以及相应补丁:

CSSA-2000-020.0：wu-ftpd vulnerability

链接： http://www.caldera.com/support/security/advisories/CSSA-2000-020.0.txt

补丁下载：

OpenLinux Desktop 2.3

Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

Verification

ddc86702f33d6a5edddab258ddd72195 RPMS/wu-ftpd-2.5.0-7.i386.rpm

8090110ecef8d1efd2fe4c279f209e29 SRPMS/wu-ftpd-2.5.0-7.src.rpm

OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

Verification

f909e8b47ec6780109c2437cdfdc2497 RPMS/wu-ftpd-2.5.0-7.i386.rpm

8354edf2f90e59aa96d8baf1d77e28a0 SRPMS/wu-ftpd-2.5.0-7.src.rpm

. OpenLinux eDesktop 2.4

Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

Verification

d2df4fb386d65387039f33538571d907 RPMS/wu-ftpd-2.5.0-7.i386.rpm

13313d25d6d93dd98dd94e62d48c711c SRPMS/wu-ftpd-2.5.0-7.src.rpm Conectiva --------- Conectiva已经为此发布了一个安全公告(2000-06-23)以及相应补丁:

2000-06-23：Remote root compromise

链接：

补丁下载：

DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/servidor-1.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm

DIRECT LINK TO THE SOURCE PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/servidor-1.0/SRPMS/wu-ftpd-2.6.0-11cl.i386.rpm Debian ------ Debian已经为此发布了一个安全公告(Debian-00-010)以及相应补丁:

Debian-00-010：New Debian wu-ftpd packages released

链接： http://www.debian.org/security/2000/debian-

补丁下载：

Source archives:

http://security.d

参考网址

来源:CERT/CC Advisory: CA-2000-13

名称: CA-2000-13

链接：http://www.cert.org/advisories/CA-2000-13.html
来源: XF

名称: wuftp-format-string-stack-overwrite(4773)

链接：http://xforce.iss.net/xforce/xfdb/4773
来源: BUGTRAQ

名称: 20000623 ftpd: the advisory version

链接：http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623091822.3321.qmail@fiver.freemessage.com
来源: BID

名称: 1387

链接：http://www.securityfocus.com/bid/1387
来源: REDHAT

名称: RHSA-2000:039

链接：http://www.redhat.com/support/errata/RHSA-2000-039.html
来源: CALDERA

名称: CSSA-2000-020.0

链接：http://www.calderasystems.com/support/security/advisories/CSSA-2000-020.0.txt
来源: BUGTRAQ

名称: 20000707 New Released Version of the WuFTPD Sploit

链接：http://marc.theaimsgroup.com/?l=bugtraq&m=96299933720862&w=2
来源: BUGTRAQ

名称: 20000623 WUFTPD 2.6.0 remote root exploit

链接：http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2
来源: BUGTRAQ

名称: 20000622 WuFTPD: Providing *remote* root since at least1994

链接：http://marc.theaimsgroup.com/?l=bugtraq&m=96171893218000&w=2
来源: BUGTRAQ

名称: 20000702 [Security Announce] wu-ftpd update

链接：http://archives.neohapsis.com/archives/bugtraq/2000-07/0017.html
来源: BUGTRAQ

名称: 20000723 CONECTIVA LINUX SECURITY ANNOUNCEMENT - WU-FTPD (re-release)

链接：http://archives.neohapsis.com/archives/bugtraq/2000-06/0244.html
来源: NETBSD

名称: NetBSD-SA2000-009

链接：链接:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2000-009.txt.asc
来源: FREEBSD

名称: FreeBSD-SA-00:29

链接：链接:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:29.wu-ftpd.asc.v1.1
来源: AUSCERT

名称: AA-2000.02

链接：链接:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02

受影响实体

Hp Hp-Ux:11.00

信息来源

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200007-013

Wu-ftpd 2.6.0 SITE EXEC远程格式串溢出漏洞

漏洞介绍

漏洞补丁

参考网址

受影响实体

信息来源

查询漏洞

相关漏洞

支持服务

云学院

合作与生态

Wu-ftpd 2.6.0 SITE EXEC远程格式串溢出漏洞

漏洞介绍

漏洞补丁

参考网址

受影响实体

信息来源

查询漏洞

相关漏洞