GEN:SID 1:1971
Message FTP SITE EXEC format string attempt
Summary Someone has attempted a format string attack that is successful against
the SITE EXEC command on vulnerable versions of WU-FTPD.

Impact Severe; remote root compromise possible if user is running a version of
WU-FTPD prior to 2.6.2 as root.

Detailed Information This attack is a format string attack against the implementation of the
SITE EXEC command in Washington University's ftp daemon.  This
vulnerability was widespread, due to the widespread use of wu-ftpd in
many of the Linux distributions.

This is an input validation problem, as wu-ftpd is not checking the user
input that is passed directly into a format string for a printf/sprintf
function. With specific malicious data, it is possible to overwrite the
return address of the stack.  If properly done, when the function
attempts to return, it will return to the overwritten return address of
the function and it is possible to execute arbitrary commands.

If running a vulnerable version of WU-FTPD as an anonymous ftp server,
this increases the exploitability dramatically, as the exploit must run
after a "user" has logged into the server.  Running the server allowing
anonymous logins means that any user, anywhere can log into the ftp
server and run the command.
Affected Systems This vulnerability affects multiple vendors distributions of wuftpd
2.6.1 and earlier.  
Attack Scenarios Attacker logs into an anonymous ftp server, checks to see if the SITE
EXEC command is implemented, and if it is, exploits the format string
attack, and executing arbitrary commands on the server. In most default
implementations of WU-FTPD the daemon was running as root and allowed
anonymous login.  If this is the case, the attacker would now have root
access to the system.  
Ease of Attack Simple.

Multiple exploit scripts are available.
Corrective Action Patch all instances of WU-FTPD to the latest version, 2.6.2, as well
disallow anonymous access to the server.
Additional References bugtraq,1505
bugtraq,1387
cve,CVE-2000-0573
nessus,10452