GEN:SID | 1:1378 |
Message | FTP wu-ftp bad file completion attempt { |
Summary | This event is generated when an attempt is made to exploit a file globbing vulnerability associated with WU-FTPD.
|
Impact | Remote root access. A successful attack can allow remote execution of commands with privileges of WU-FTPD, most often root.
|
Detailed Information | An exploit in Washington University FTP daemon (WU-FTPD) code associated with file globbing can allow execution of arbitrary code with the privileges of WU-FTPD, typically root. WU-FTPD invokes the glob function when certain characters are used in a file name argument supplied by an FTP client. The glob function fails to properly handle illegal strings such as "~{" and "~[". The problem is compounded when the glob function returns an error condition that is incorrectly handled, which may lead to the corruption of process memory space. This exploit requires login access to a vulnerable server either via an anonymous or established user account.
|
Affected Systems | Many operating systems running WU-FTPD 2.6.1, 2.6.0, and 2.5.0.
|
Attack Scenarios | An attacker may login to a vulnerable WU-FTP server and enter a malformed file argument to gain access and execute arbitrary commands.
|
Ease of Attack | Simple.
|
Corrective Action | Upgrade to the latest non-affected version of the software or apply the appropriate patch.
Do not enable anonymous FTP access unless required.
|
Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0886 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0550
Bugtraq: http://www.securityfocus.com/bid/3581
CERT: http://www.kb.cert.org/vuls/id/886083
|
Rule References | cve: 2001-0550
bugtraq: 3707
bugtraq: 3581
cve: 2001-0886
|