-
December 18th, 2001, 11:52 PM
#1
New vulnerability in wu-ftp
Received in a TechRepublic email.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
A recently found vulnerability has been confirmed in the wu-ftpd FTP daemon. This vulnerability is remotely exploitable and can be used to execute arbitrary code on the vulnerable FTP server.
Because wu-ftpd is such a popular and widely used FTP server, not only for Linux but for other UNIX-derivatives like BSD systems, the security impact is quite high. The fact that most FTP servers in use these days provide anonymous FTP access compounds the problem. This means that a user doesn't even have to authenticate himself or herself on the server as a real user in order to exploit this vulnerability.
The problem is due to the "file globbing" support in wu-ftpd. This globbing allows clients to organize files for FTP actions, such as list and download, based on patterns. A heap corruption problem in the wu-ftpd, in its most innocent form, will simply cause the FTP server to die with a segfault. Unfortunately, this same corruption problem can be exploited to run programs on the server that the user should not be permitted to execute.
Most vendors have released updates to fix this problem quickly. Therefore, if you are running a version of wu-ftpd installed prior to Nov. 27, 2001, you are vulnerable and need to obtain an update from your vendor.
-Matty_Cross
"Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
But when you're good and crazy, hehe, the skies the limit!!"
-
December 19th, 2001, 01:07 AM
#2
Hey Matty that's how I get free software from Microsoft. I use the WU ftp at school. I've known that for a long time. It's weird how it's just now getting around. Anyway I'm 2 up from you. lol. Good thread
-
December 19th, 2001, 01:12 AM
#3
Well, I received it in my email today, so I thought it might actually be a new one..
I'd heard about a wu-ftp vulnerability previously, but thought this was new... oh well, time to go smack TechRepublic upside the head...
I'll get you freeOn, don't you worry...
-Matty_Cross
"Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
But when you're good and crazy, hehe, the skies the limit!!"