WU-FTPD restricted-gid Directory Access Restriction Bypass

2004-03-09T04:10:11
ID OSVDB:4160
Type osvdb
Reporter Glenn Stewart()
Modified 2004-03-09T04:10:11

Description

Vulnerability Description

WU-FTPD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the restricted-gid feature is used. A malicious user can change the permissions on their home directory to deny themselves access. A subsequent connection by that user will exploit the flaw, and put them into the home directory of the root user, which will disclose files that an ordinary user would not have access to resulting in a loss of confidentiality.

Technical Description

The following is the patch that Red Hat has applied. It should work for all platforms:

--- wu-ftpd/src/ftpd.c.escape 2001-05-17 20:36:44.000000000 +0200 +++ wu-ftpd/src/ftpd.c 2004-03-01 11:56:17.541416616 +0100 @@ -3365,7 +3365,7 @@ } #endif / ALT_HOMEDIR / #else / DISABLE_STRICT_HOMEDIR is defined / - if (chdir("/") < 0) { + if (restricted_user || chdir("/") < 0) { #ifdef VERBOSE_ERROR_LOGING syslog(LOG_NOTICE, "FTP LOGIN FAILED (cannot chdir) for %s, %s", remoteident, pw->pw_name);

Solution Description

Upgrade to version 2.6.2-13 (Available on some Linux distributions) or higher, as it has been reported to fix this vulnerability. In addition, WU-FTPD Development Group has released a patch for some older versions of the main distribution.

Short Description

WU-FTPD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the restricted-gid feature is used. A malicious user can change the permissions on their home directory to deny themselves access. A subsequent connection by that user will exploit the flaw, and put them into the home directory of the root user, which will disclose files that an ordinary user would not have access to resulting in a loss of confidentiality.

References:

Vendor URL: http://www.wuftpd.org/ Vendor Specific Advisory URL Security Tracker: 1009349 Secunia Advisory ID:11055 Secunia Advisory ID:11350 Secunia Advisory ID:12086 Secunia Advisory ID:14013 Secunia Advisory ID:20168 RedHat RHSA: RHSA-2004:096 Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20040303-01-U.asc Other Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01012 Other Advisory URL: http://www.debian.org/security/2004/dsa-457 Other Advisory URL: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.6/SCOSA-2005.6.txt Other Advisory URL: http://www.turbolinux.com/security/2004/TLSA-2004-8.txt Nessus Plugin ID:12098 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0173.html Keyword: BugIDs: 5012436 ISS X-Force ID: 15423 CVE-2004-0148 CIAC Advisory: o-095 Bugtraq ID: 9832