Wu-Ftpd 存在文件扩展导致HEAP破坏漏洞发布时间:2001-11-29 更新时间:2001-11-29 严重程度:高 威胁程度:远程管理员权限 错误类型:设计错误 利用方式:服务器模式 受影响系统 Washington University wu-ftpd 2.6.1详细描述 Wu-Ftpd是一款基于BSD ftpd的服务程序,其中存在一个远程Heap破坏漏洞可以 导致远程攻击在目标服务器上执行任意命令。 Wu-Ftpd允许客户端提供"文件扩展"模式来对文件进行操作,文件扩展也用于各种 shell上,此文件扩展实现上存在一个heap破坏可以导致攻击者执行任意命令。 在处理扩展模式过程中,Wu-Ftpd会建立一匹配的文件列表,这些数据存储在heap 区,由malloc()分配,globbing扩展函数简单的返回指针给列表,其调用函数进行 内存释放。 如果在扩展模式处理过程中出现错误,内存会被分配并需要设置一变量来指示出错 过程。调用函数需要在尝试使用这个扩展文件名之前检查这个变量值(之后会释放 内存)。 当部分扩展模式被处理时,扩展函数没有在错误发生时设置这个变量,结果导致 Wu-Ftpd释放没有初始化的内存。这里就存在多种利用可能。 如果在Free调用之前这部分内存包含了用户可控制数据,就可以导致任意数据写到 内存中,导致函数指针或者返回地址被覆盖而执行任意代码。 此漏洞需要匿名用户或者合法用户登陆。 测试代码 ftp> open localhost Connected to localhost (127.0.0.1). 220 sasha FTP server (Version wu-2.6.1-18) ready. Name (localhost:root): anonymous 331 Guest login ok, send your complete e-mail address as password. Password: 230 Guest login ok, access restrictions apply. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls ~{ 227 Entering Passive Mode (127,0,0,1,241,205) 421 Service not available, remote server has closed connection 1405 ? S 0:00 ftpd: accepting connections on port 21 7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd 26256 ? S 0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 26265 tty3 R 0:00 bash -c ps ax | grep ftpd (gdb) at 26256 Attaching to program: /usr/sbin/wu.ftpd, process 26256 Symbols already loaded for /lib/libcrypt.so.1 Symbols already loaded for /lib/libnsl.so.1 Symbols already loaded for /lib/libresolv.so.2 Symbols already loaded for /lib/libpam.so.0 Symbols already loaded for /lib/libdl.so.2 Symbols already loaded for /lib/i686/libc.so.6 Symbols already loaded for /lib/ld-linux.so.2 Symbols already loaded for /lib/libnss_files.so.2 Symbols already loaded for /lib/libnss_nisplus.so.2 Symbols already loaded for /lib/libnss_nis.so.2 0x40165544 in __libc_read () from /lib/i686/libc.so.6 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. __libc_free (mem=0x61616161) at malloc.c:3136 3136 in malloc.c 当前SecurityFocus 尚未发现有任何攻击代码。 解决方案 关闭匿名用户访问。 Redhat请升级如下程序: Red Hat RPM 6.2 alpha wu-ftpd-2.6.1-0.6x.21.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm Red Hat RPM 6.2 sparc wu-ftpd-2.6.1-0.6x.21.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm Red Hat RPM 7.0 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm Red Hat RPM 7.0 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm Red Hat RPM 7.1 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm Red Hat RPM 7.1 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm Red Hat RPM 7.1 ia64 wu-ftpd-2.6.1-16.7x.1.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm Red Hat RPM 7.2 i386 wu-ftpd-2.6.1-20.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm Red Hat RPM 6.2 i386 wu-ftpd-2.6.1-0.6x.21.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm Conectiva Linux ftp://atualizacoes.conectiva.com.br/ OpenLinux 2.3 ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/068/ OpenLinux eServer 2.3.1 ftp://ftp.caldera.com/pub/updates/eServer/2.3/064/ OpenLinux eDesktop 2.4 ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/058/ OpenLinux Server 3.1 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/020/ SuSE Linux i386 Intel Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-344.i386.rpm d1b549b8c2d91d66a8b35fe17a1943b3 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/wuftpd-2.6.0-344.src.rpm 9ef0e6ac850499dc0150939c62bc146f SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-344.i386.rpm 4583443a993107b26529331fb1e6254d source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/wuftpd-2.6.0-344.src.rpm aaee0343670feae70ccc9217a8e22211 SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/wuftpd-2.6.0-346.i386.rpm 347a030a85cb5fcbe32d3d79d382e19e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/wuftpd-2.6.0-346.src.rpm aa3e53641f6ce0263196e6f1cb0447c3 SuSE-7.0 ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/wuftpd-2.6.0-344.i386.rpm e34eec18ecc10f187f6aa1aa3b24b75b source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/wuftpd-2.6.0-344.src.rpm fafc8c2bbd68dd5ca3d04228433c359a SuSE-6.4 ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/wuftpd-2.6.0-344.i386.rpm 2354abe95b056762c7f6584449291ff2 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/wuftpd-2.6.0-344.src.rpm 507b8d484b13737c9d2b6a68fda0cc26 SuSE-6.3 ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/wuftpd-2.6.0-347.i386.rpm 9851ad02e656bba8b5e02ed2ddb46845 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/wuftpd-2.6.0-347.src.rpm 5d7c4b6824836ca28b228cc5dcfc4fd6 Sparc Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-240.sparc.rpm 2d19e4ead17396a1e28fca8745f9629d source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/wuftpd-2.6.0-240.src.rpm bdb0b5ddd72f8563db3c8e444a0df7f5 SuSE-7.1 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/wuftpd-2.6.0-242.sparc.rpm f6b04f284bece6bf3700facccc015ffe source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/wuftpd-2.6.0-242.src.rpm 1660547ac9a5a3b32a4070d69803cf18 SuSE-7.0 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/wuftpd-2.6.0-241.sparc.rpm 1bd905b095b9a4bb354fc190b6e54a01 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/wuftpd-2.6.0-241.src.rpm 597263eb7d0fbbf242d519d3c126a441 AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/wuftpd-2.6.0-252.alpha.rpm e608bfd2cc9e511c6eb6932c33c68789 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/wuftpd-2.6.0-252.src.rpm 34915af1ca79b27bad8bc2fd3a5cab05 SuSE-7.0 ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/wuftpd-2.6.0-251.alpha.rpm 86a7d8f60d76a053873bcc13860b0bbb source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/wuftpd-2.6.0-251.src.rpm 9674f9f1630b3107ac22d275705da76e SuSE-6.4 ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/wuftpd-2.6.0-251.alpha.rpm 2501444a1e4241e8f6f4cdcc6fd133b0 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/wuftpd-2.6.0-251.src.rpm 34812d943900bdb902ad7edd40e1943f SuSE-6.3 ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/wuftpd-2.6.0-250.alpha.rpm 429a49ef9d4d0865fbb443c212b8a8c7 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/wuftpd-2.6.0-250.src.rpm 76467dae0f460677ba80ec907eefca28 PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-277.ppc.rpm a381269b3e2fc43fda59e4d08aef57ae source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/wuftpd-2.6.0-277.src.rpm 7cacb696a88e57a843402a796212aee6 SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/wuftpd-2.6.0-277.ppc.rpm bfc39be2c09323d96f974fdd0c73fda1 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/wuftpd-2.6.0-277.src.rpm e2681b2ed4801ce14b5dfb926480ac51 SuSE-7.0 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/wuftpd-2.6.0-279.ppc.rpm 19f989e637fd9b6fa652f8a4014bb7b1 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/wuftpd-2.6.0-279.src.rpm 76c493a915691c51a2481f0925e8ce39 SuSE-6.4 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/wuftpd-2.6.0-278.ppc.rpm ad29cf172bbd03a5e1f301cf6b9404e5 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/wuftpd-2.6.0-278.src.rpm 82338702692eba599d8c3d242aff3d1a 相关信息 参考:http://www.securityfocus.com/advisories/3680 http://www.core-sdi.com/ http://www.wu-ftpd.org/ |
