COMMAND
wuftpd
SYSTEMS AFFECTED
wu-ftpd 2.6.0-*
PROBLEM
George Bakos posted the following. www.hack.co.za made available yet
another format string stack overwrite exploit for wu-ftpd 2.6.0-*.
He has seen an increased level of scanning for port 21 since, no
doubt attributable to this latest SITE EXEC vulnerability.
The new tool (wu-lnx.c), tested in the lab, shows limited success
against Mandrake 7.1 and RH 6.0 and 100% effectiveness against RH 6.2.
A preliminary scrub of the code and traces indicated that user
data supplied via the PASS command is stuffed with shellcode and
a SITE EXEC then overwrites a stack pointer to call it.
The following is an entry left in /var/log/messages on the target
box. Note the last line.
Sep 28 02:46:25 drteeth ftpd[14989]: ANONYMOUS FTP LOGIN FROM
grover.tester.org [192.168.222.1],
?
1À1Û1É°FÍ€1À1ÛC‰ÙA°?
Í€ëk^1À1É^^AˆF^Df¹ÿ^A°'Í€1À^^A°=Í€1À1Û^^H‰C^B1ÉþÉ1À^^
H°^LÍ€þÉuó1ÀˆF^I^^H°=Í€þ^N°0þȈF^D1ÀˆF^G‰v^H‰F^L‰óN^H
V^L°^KÍ€1À1Û°^AÍ€èÿÿÿ0bin0sh1..11
As the parent service (inetd) is not affected, there may be no
external indication that a site has been attacked. Additionally,
this is not a buffer overflow, and no process will exit
unexpectedly. Ndiff and similar techniques will fail to detect
any changes in the status of listening inet ports on exploited
systems.
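Since port-state checks show nothing, the log entry above is the trace
worth checking for. The following Python sketch is an added example, not
part of the original advisory or of wu-ftpd: it reads syslog data as bytes
and flags anonymous FTP logins whose logged password contains non-printable
bytes or is unusually long. The 64-byte threshold, the first sample record
and the placeholder bytes are constructed assumptions.

```python
import re

# Any syslog record header: "Mon DD HH:MM:SS host tag[pid]: "
HEADER = re.compile(
    rb"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ([\w.-]+)(?:\[(\d+)\])?: ", re.M)
# wu-ftpd anonymous login record; the text after "], " is the supplied password
LOGIN = re.compile(rb"ANONYMOUS FTP LOGIN FROM \S+ \[([\d.]+)\], ?(.*)", re.S)

def suspicious_anon_logins(raw, max_len=64):
    """Return (pid, source_ip, reasons) for anonymous FTP logins whose logged
    password is not short printable ASCII. max_len is an assumed threshold."""
    hits = []
    headers = list(HEADER.finditer(raw))
    for i, hdr in enumerate(headers):
        if hdr.group(1) != b"ftpd":
            continue
        # A record runs to the next header, so a password that contains
        # newlines (as in the entry above) is examined in one piece.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(raw)
        login = LOGIN.match(raw, hdr.end(), end)
        if not login:
            continue
        password = login.group(2).rstrip(b"\n")
        reasons = []
        if any(b < 0x20 or b > 0x7E for b in password):
            reasons.append("non-printable bytes")
        if len(password) > max_len:
            reasons.append("length %d" % len(password))
        if reasons:
            hits.append((int(hdr.group(2) or 0), login.group(1).decode(),
                         ", ".join(reasons)))
    return hits

# Constructed sample. The first and third records are invented; the second
# reuses the advisory's header with placeholder bytes (not working shellcode).
SAMPLE = (
    b"Sep 28 02:40:11 drteeth ftpd[14950]: ANONYMOUS FTP LOGIN FROM "
    b"grover.tester.org [192.168.222.1], mozilla@\n"
    b"Sep 28 02:46:25 drteeth ftpd[14989]: ANONYMOUS FTP LOGIN FROM "
    b"grover.tester.org [192.168.222.1], \n?\n\xc0\xdb\xc9\xb0\xcd\x80 ^A^D\xff\xff\n"
    b"Sep 28 02:47:02 drteeth inetd[412]: constructed unrelated line\n"
)

if __name__ == "__main__":
    # For a real log: suspicious_anon_logins(open(path, "rb").read())
    for hit in suspicious_anon_logins(SAMPLE):
        print(hit)
```

The log is opened in binary mode because the payload bytes are not valid
text in any one encoding and would otherwise be dropped or raise on decode.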
SOLUTION
Version 2.6.1 does not appear vulnerable. This is another
incarnation of a very serious vulnerability. If you are running
wu-ftpd 2.6.0-*, it is advised that you upgrade to the 2.6.1
release.