CERT warns of Unix and Linux FTP hole

The CERT Coordination Centre has issued a warning to users of the Washington University FTP daemon (WU-FTPD) for Unix and Linux systems that their servers could be invaded and taken over unless patches are installed.

CERT said the vulnerabilities, if left open, could allow a hacker to take total control of a computer system using remote root capabilities.

Art Manion, an Internet security analyst at CERT, said the warning was issued because the WU-FTPD program is very popular in the Unix and Linux communities and has a large installed base.

"The potential is certainly there for it to be exploited," Manion said. Unix and Linux vendors, including Caldera International, Red Hat and SuSE Linux, have posted patches and advice. IBM's AIX Unix does not ship with the WU-FTPD program, so is unaffected, while Hewlett-Packard's HP-UX Unix has already been patched as part of a fix for an earlier security issue.

WU-FTPD is a program providing File Transfer Protocol (FTP) services on Unix and Linux systems. CERT claims its inherent vulnerabilities can expose a system to potential remote root compromise by anyone with access to the FTP service.

The vulnerabilities involve two shortcomings in WU-FTPD. The first is that the program cannot handle "glob" commands properly. Glob commands allow a user to specify multiple filenames and locations using typical shell notation. WU-FTPD implements its own globbing code instead of using libraries in the underlying operating system. The globbing code is designed to recognise invalid syntax and return an error condition to the calling function.

However, when it encounters a specific string, the globbing code fails to properly return the error condition, creating a hole that an intruder could attack.
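The class of flaw described above, a syntax checker with one exit path that does not report its error, shown beside a hardened form. This is an added example, not WU-FTPD code: the toy brace checker, its function names and the sample patterns are constructed for illustration, and the malformed input used here is not the string CERT refers to.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy checker for shell-style brace syntax; not WU-FTPD code. */
enum glob_status { GLOB_OK = 0, GLOB_BAD_SYNTAX = -1 };
static const char *glob_err;   /* side channel: NULL means "no error" */

/* Flawed form: errors are reported only through glob_err, and the
 * unterminated-brace case reaches the end without setting it. */
static void legacy_check(const char *pat)
{
    int depth = 0;
    glob_err = NULL;
    for (size_t i = 0; pat[i] != '\0'; i++) {
        if (pat[i] == '{') depth++;
        else if (pat[i] == '}' && depth-- == 0) {
            glob_err = "unmatched '}'";
            return;
        }
    }
    /* BUG: depth > 0 here means an unterminated '{', but glob_err stays NULL */
}

/* The caller trusts the side channel, so it treats "{a,b" as valid. */
int legacy_accepts(const char *pat)
{
    legacy_check(pat);
    return glob_err == NULL;
}

/* Hardened form: the status is the return value, so no path can skip it. */
enum glob_status strict_check(const char *pat)
{
    int depth = 0;
    for (size_t i = 0; pat[i] != '\0'; i++) {
        if (pat[i] == '{') depth++;
        else if (pat[i] == '}' && depth-- == 0)
            return GLOB_BAD_SYNTAX;
    }
    return depth == 0 ? GLOB_OK : GLOB_BAD_SYNTAX;   /* fail closed */
}

int main(void)
{
    const char *samples[] = { "*.txt", "{a,b}.c", "{a,b", "a}b" };  /* constructed */
    for (size_t i = 0; i < 4; i++)
        printf("%-8s legacy=%d strict=%d\n", samples[i], legacy_accepts(samples[i]), strict_check(samples[i]) == GLOB_OK);
    return 0;
}
```

The two checkers disagree only on the unterminated pattern, which is the case where the legacy caller goes on to use a result the checker never validated.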

The other vulnerability appears when WU-FTPD is configured to use RFC 931 authentication running in debug mode. When using RFC 931 authentication, WU-FTPD will request ID information before authorising a connection request from a client. However, in debugging mode, it becomes vulnerable to attacks by any user able to log in, including those with anonymous access.

CERT confirmed that it has been the subject of a denial-of-service attack for the past several days, leaving its Web site unreachable at times.

"The recent activity directed against the CERT Coordination Centre Web site is not unique," said spokesman Bill Pollak. "On a daily basis, the CERT/CC is the target of attack attempts by intruders, and has been for many years.

"The nature of the protocols and technology used for the Internet causes organisations to be dependent on the security of others. Thus, no organisation, including the CERT/CC, is completely immune to occasional service disruptions."
