General
cancel
Showing results for 
Search instead for 
Did you mean: 

Hacker on the Prowl - wuftpd is vulnerable

Albert E. Whale, CISSP
Honored Contributor

Hacker on the Prowl - wuftpd is vulnerable

I have just tracked a hacker and found that they are penetrating through the wu-ftpd package.

Apparently the site exec command is being used to hack into servers.

Cert issued the advisery CA-2000-13 in November of last year:
http://www.cert.org/advisories/CA-2000-13.html

Please update your ftp software immediately!
Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com
2 REPLIES
Bill_6
Advisor

Re: Hacker on the Prowl - wuftpd is vulnerable

There is a Red Hat specific attack in the form of the Ramen Worm, http://xforce.iss.net/alerts/advise71.php that targets wu-ftp as well as rpc.statd and LPRng.

There's nothing fdisk can't fix
Steven Sim Kok Leong
Honored Contributor

Re: Hacker on the Prowl - wuftpd is vulnerable

Hi,

wu-ftpd 2.6.0-14.6x and beyond is not vulnerable to the site-exec exploit. A safer bet would be to upgrade to wu-ftpd 2.6.1. Even though the wu-ftpd 2.6.1 RPM is not available on RedHat 6.X, the source (tarball downloadable) can be smoothly compiled and implemented on RedHat 6.X. wu-ftpd 2.6.1 source can be downloaded from http://www.landfield.com/wu-ftpd/wu-ftpd.html.

One note about wu-ftpd 2.6.1. The recent security advisory from SANS warns of the privatepw vulnerability specific to wu-ftpd 2.6.1. However, the privatepw vulnerability won't affect you if you don't use the 'private' feature which allows SITE GROUP and SITE GPASS.

Advisory extract:
==
*** {00.56.019} Cross - wu-ftpd privatepw temp file race condition

The privatepw application that shipped with wu-ftpd version 2.6.1 uses insecure temp file handling, which results in a local race condition.
==

Hope this helps. Regards.

Steven Sim
Brainbench MVP for Unix Admin
http://www.brainbench.com
Email: steven@beepz.com. Homepage: https://www.beepz.com