CERT Advisory CA-95:16 - wu-ftpd Misconfiguration Vulnerability

CERT Advisory cert-advisory at cert.org
Thu Nov 30 16:43:03 UTC 1995

CA-95:16                         CERT Advisory
                               November 30, 1995
                    wu-ftpd Misconfiguration Vulnerability

A vulnerability exists with certain configurations of the SITE EXEC command
in the Washington University ftpd, also known as wu-ftpd. Exploitation of
this vulnerability may allow root access from any account on the system.

The vulnerable configuration is known to exist in numerous Linux distributions
and is currently being actively exploited by intruders.

It should be noted that this vulnerability is not necessarily limited to Linux
but may exist on any wu-ftpd installation. Thus, all users of the wu-ftpd
program, not just the Linux users, should take this opportunity to verify the
configuration of their daemons. Note that versions of wu-ftpd before the 2.4
release contain serious security vulnerabilities and should be updated

Section III contains instructions for disabling ftpd and correcting the

As we receive additional information relating to this advisory, we will place
it in:


We encourage you to check our README files regularly for updates on
advisories that relate to your site.


I.   Description

     There is a problem with the default configuration of the Washington
     University FTP Server version 2.4 in major Linux distributions, including
     but not limited to Slackware 2.0, 2.1, 2.2, 2.3, Yggdrasil Plug&Play
     Fall'94, and the Debian Distribution. By exploiting this problem, any
     user who is able to log into a system having the vulnerable configuration
     via FTP using their login, and not the anonymous login, may gain root

     Other systems besides Linux can be configured to be vulnerable although
     the standard wu-ftpd 2.4 source code as distributed is not vulnerable.
     The problem is that the variable _PATH_EXECPATH was set to "/bin" in
     the configuration file src/pathnames.h when the distribution binary
     was built. _PATH_EXECPATH should be set to "/bin/ftp-exec" or a similar
     directory that does not contain a shell or command interpreter, for
     example. The source code shipped with the Linux distributions contains
     the correct value ("/bin/ftp-exec") despite the incorrect distribution
     binary. You should verify that _PATH_EXECPATH has the correct value
     before recompiling.

     Note that the documentation for wu-ftpd states that the directory
     defined by _PATH_EXECPATH is relative to ~ftp, the ftp home directory
     as specified in the password file. This is misleading. The pathname
     is relative to ~ftp for anonymous users only. This pathname is relative
     to "/" for other user sessions.

II.  Impact

     Any user with a local account on a system offering FTP services
     with the vulnerable configuration may gain root access. Support for
     anonymous FTP access is not required to exploit this vulnerability.

III. How to determine if you are vulnerable

     All systems running wu-ftpd should be checked to determine if the
     configuration is vulnerable.
     To test your configuration, access the ftp server using a legitimate user
     account (not an anonymous ftp login) and execute the following commands:
srchost> ftp ftphost
Connected to ftphost
220 ftphost FTP server (Version wu-2.4(2) Mon Apr 18 09:12:35 GMT+1000 1994) ready.     
Name (srchost:joe):
331 Password required for joe.
230 User joe logged in.
ftp> quote site exec echo problem
200-echo problem
200  (end of 'echo problem')
ftp> quit
221 Goodbye.

     If you receive the line "200-problem", your site is vulnerable.

IV. Solution

     If you have the vulnerability, we recommend that you turn off ftpd
     immediately using the method described in Section A below. Once you have
     done that, you can then decide whether to rebuild or fetch a new ftpd

     If you have built wu-ftpd from a source distribution, follow the steps
     in Sections B.2 and B.3 below. 

     Once you have eliminated this vulnerability, turn on ftpd with the
     method described in Section C below.
     A. Disable ftpd
        To disable ftpd, do the following as root.
        1. Shut down the FTP server using the ftpshut command.  This command
           blocks all connections to the FTP server.
           For ftpshut to work correctly, the ftpaccess(5) file will need a
           shutdown directive that names a file used by wu-ftpd to indicate
           that the server is shutdown. If your ftpaccess file does not have
           such a directive, add one to that file. When added, use ftpshut(8)
           to shut down the server. Once the server has been shutdown, all
           new incoming FTP requests will fail.

           Here is an example of the ftpshut command:
                    ftpshut now 
        2. Verify that the FTP service has been shut down by attempting to
           connect to it. You should see a message that contains a line
           similar to the following:

                    hostname FTP server shut down -- please try again later
           where hostname is the host from which you are requesting
           FTP service.

     B. Correct the configuration

        Item 1 below applies to those running Debian Linux.  Item 2 applies
        to all other Linux systems.  Item 3 applies to those who are building
        wu-ftpd from source on systems other than Linux.

        1. If you are running Debian Linux, obtain a fixed binary, 
           available from the following location, and install this binary.

         MD5 (wu-ftpd-2.4-14.deb) = c00a0aac75216bf83568aee4c2e7d168

        2. If you are running any version of Linux, there is a version of
           the source code available that has been improved to compile more
           cleanly. It too is correctly configured for SITE EXEC. It is
           available from (file wu-ftpd-2.4-fixed.tar.gz)

         MD5 (wu-ftpd-2.4-fixed.tar.gz) = 3e1c6fd7cd6757e45894df0d3638b524

           This version is also correctly configured for the SITE EXEC
           command and can be compiled and installed. Consult Section
           IV below for suggestions on how to configure wu-ftpd.

        3. If you are running a version of wu-ftpd before version 2.4,
           you should upgrade to version 2.4 first. That version is
           available from

         MD5 (wu-ftpd-2.4.tar.Z) = 57f1a962c90a9b12825d39af518df433

           Version 2.4 is correctly configured for the SITE EXEC command
           and can be compiled and installed. Consult Section IV below for 
           suggestions on how to configure wu-ftpd.

     C. Enabling ftpd

        1. To turn ftpd back on, delete the file referenced by the shutdown
           directive in your ftpaccess file.

        2. Verify that the FTP service has been enabled by attempting to
           connect to it. You should see a message that contains lines
           similar to the following:

srchost> ftp ftphost
Connected to ftphost
220 ftphost FTP server (Version wu-2.4(3) Mon Apr 3 16:53:11 EDT 1995) ready.
Name (srchost:joe):

IV.  Advice on configuring the FTP Daemon for SITE EXEC

     Here are some configuration guidelines for the directories named by
     the _PATH_EXECPATH variable.

     1. Directories used by SITE EXEC: The documentation for wu-ftpd
        states that the directory defined by the _PATH_EXECPATH variable is
        relative to ~ftp, the ftp home directory as specified in the password
        file. This is misleading. The pathname is relative to ~ftp for
        anonymous users only. The pathname is relative to "/" for all other
        user sessions.

        Therefore, you need to check the two directories used by the SITE
        EXEC command. For example, if the _PATH_EXECPATH variable is set to
        /bin/ftp-exec, then wu-ftpd searches the ~ftp/bin/ftp-exec directory
        for programs specified by SITE EXEC when the anonymous login is used,
        and the /bin/ftp-exec directory specified by SITE EXEC when any other
        login is used.

     2. Contents of the directories used by SITE EXEC: The commands installed
        in these directories can be executed by the SITE EXEC command. We
        strongly recommend that this directory contain only those programs
        that you wish to be executed by those users who connect to your FTP
        server. An example of a program to install in these directories is
        the ls program. Programs that should not be installed in these
        directories are shells, for example sh or csh, and command
        interpreters, for example awk and perl.

The CERT Coordination Center thanks AUSCERT, the Australian response team, and
Alexander O. Yuriev, Temple University, author of Linux Security Updates, for
their support in responding to this problem. Linux Security Updates are
available from 

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the email be
encrypted. The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet email: cert at cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                 Software Engineering Institute
                 Carnegie Mellon University
                 Pittsburgh, PA 15213-3890

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request at cert.org.

Past CERT publications, information about FIRST representatives, and
other information related to computer security are available for anonymous
FTP from info.cert.org. 

Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

More information about the NANOG mailing list