From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 7 Mar 2005 10:20:32 +0200
Subject: [NT] Denial of Service Vulnerability in WU-FTPD
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050307090856.0E53C57B8@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Denial of Service Vulnerability in WU-FTPD
------------------------------------------------------------------------
SUMMARY
<http://www.wu-ftpd.org/> Wuarchive-ftpd, more affectionately known as
WU-FTPD, is a replacement ftp daemon for Unix systems developed at
Washington University by Chris Myers and later by Bryan D. O'Connor.
WU-FTPD is the most popular ftp daemon on the Internet, used on many
anonymous ftp sites all around the world.
Remote exploitation of an input validation vulnerability in WU-FTPD could
allow for a denial of service of the system by resource exhaustion.
DETAILS
Vulnerable Systems:
* WU-FTPD version 2.6.2
The vulnerability specifically exists in the wu_fnmatch() function in
wu_fnmatch.c. When a pattern containing a '*' character is supplied as
input, the function calls itself recursively on a smaller substring. By
supplying a string which contains a large number of '*' characters, the
system will take a long time to return the results, during which time it
will be using a large amount of CPU time. After a user logs into the ftpd,
an attacker can send a simple command which will cause high CPU
utilization.
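
The cost growth described above, shown on a small scale. This is an added example, not code from the advisory or from wu_fnmatch.c: naive_match, bounded_match and cost are hypothetical names, the matcher handles only '*' and literal characters, and the file name is constructed. The bounded form goes beyond the advisory and shows one way a matcher can avoid the repeated recursion.

```c
/* Added example: constructed '*'-and-literal matcher, not the code in wu_fnmatch.c. */
#include <stdio.h>
#include <string.h>

static unsigned long steps;              /* work counter shared by both matchers */

/* Naive form: each '*' recurses on every remaining suffix of the name. */
static int naive_match(const char *p, const char *s)
{
    steps++;
    if (*p == '\0') return *s == '\0';
    if (*p == '*') {
        for (;; s++) {
            if (naive_match(p + 1, s)) return 1;
            if (*s == '\0') return 0;
        }
    }
    return *p == *s && naive_match(p + 1, s + 1);
}

/* Bounded form: iterative, keeps only the latest '*' as a backtrack point,
 * so work is at most about strlen(p) * strlen(s) regardless of '*' count. */
static int bounded_match(const char *p, const char *s)
{
    const char *star = NULL, *resume = NULL;
    while (*s) {
        steps++;
        if (*p == '*') { star = p++; resume = s; }
        else if (*p == *s) { p++; s++; }
        else if (star) { p = star + 1; s = ++resume; }
        else return 0;
    }
    while (*p == '*') p++;
    return *p == '\0';
}

/* Run one matcher and report how many steps it took. */
static unsigned long cost(int (*m)(const char *, const char *),
                          const char *p, const char *s)
{
    steps = 0;
    (void)m(p, s);
    return steps;
}

int main(void)
{
    const char *name = "aaaaaaaaaaaa";   /* constructed file name with no '.' */
    char pat[16];
    for (int k = 2; k <= 8; k += 2) {    /* k stars followed by ".*" */
        memset(pat, '*', k);
        strcpy(pat + k, ".*");
        printf("k=%d naive=%lu bounded=%lu\n", k,
               cost(naive_match, pat, name), cost(bounded_match, pat, name));
    }
    return 0;
}
```

Each additional '*' multiplies the naive step count for a non-matching name, while the bounded count grows by one step per '*'.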
To exploit this vulnerability, a simple ftp client is sufficient. Once
logged in, either anonymously or as an authenticated user, issuing the
following command will cause the machine to become less responsive.
ftp> dir ***************************************************************
***************************************************************
***************************************************************
**.*
By re-connecting and issuing the command multiple times, the system can be
made completely unresponsive. This may prevent legitimate access to
services provided by the system for the period of the attack.
Workaround:
Consider disabling the ftpd. If this is not viable as an option, consider
disabling anonymous access. Disabling anonymous access will not prevent
registered users from exploiting this vulnerability.
Disclosure Timeline:
* 02.09.2005 - Initial vendor notification - No response.
* 02.18.2005 - Additional vendor notification - No response.
* 02.25.2005 - Public disclosure.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com.> iDEFENSE.
The original article can be found at:
http://www.idefense.com/application/poi/display?id=207&type=vulnerabilities