wu-ftpd versions 2.6.0 and earlier and HP-UX 11.00 ftpd have a vulnerability in the SITE EXEC command which could allow a remote attacker to gain access to the server. This vulnerability could be exploited if either the attacker had access to a user account on the system, or anonymous FTP were enabled on the system.
CAN 2000-0574
A missing format string in the setproctitle function call could allow an attacker to gain root access through a format string attack. wu-ftpd 2.6.0 and earlier, HP-UX 10.20 and 11.00, ProFTPD prior to 1.2.0, and OpenBSD ftpd 6.4 and earlier are known to be vulnerable to this attack.
CVE 2000-0699
On HP-UX 10.20, the fix for this vulnerability is also needed to fix a format string vulnerability in the PASS command.
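The two call patterns behind the setproctitle bug, as an added example written for this page (not the wu-ftpd, ProFTPD or OpenBSD source): fake_setproctitle() is a stand-in with the same printf-style signature so the unfixed and fixed calls can be compared without touching a real process title, and directive_count() is an assumed audit helper that counts the conversions the unfixed call would try to satisfy.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for setproctitle(): same printf-style shape, writes to 'out'. */
static void fake_setproctitle(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Unfixed pattern: the client-controlled string (e.g. the USER name) IS the
 * format. It is only called here with input whose sole directive is "%%", so
 * behaviour stays defined; any other '%' would make vsnprintf consume
 * arguments that were never passed. */
static void title_unfixed(char *out, size_t n, const char *untrusted)
{
    fake_setproctitle(out, n, untrusted);
}

/* Fixed pattern: a constant format, the untrusted string is plain data. */
static void title_fixed(char *out, size_t n, const char *untrusted)
{
    fake_setproctitle(out, n, "%s", untrusted);
}

/* Audit helper (assumed, not from any daemon): number of conversions the
 * unfixed call would attempt for a given client string. "%%" is a literal. */
static int directive_count(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    char a[64], b[64];
    const char *user = "anon 100%% done";   /* constructed client input */
    title_unfixed(a, sizeof a, user);       /* "%%" collapses: string was parsed */
    title_fixed(b, sizeof b, user);         /* copied verbatim */
    printf("unfixed: %s\nfixed:   %s\n", a, b);
    printf("conversions in \"anon%%s%%s%%s\": %d\n", directive_count("anon%s%s%s"));
    return 0;
}
```

The collapsed "%%" in the unfixed output is the observable sign that the daemon is interpreting client data as a format; with the fixed call the same bytes pass through untouched.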
A single-byte buffer overflow in the replydirname function could allow a remote user to gain root access. The user would need write access to a directory on the server, either through a user account or an anonymous account, to exploit the vulnerability. OpenBSD version 2.8 or earlier (ftpd version 6.5 or earlier), and NetBSD version 1.5 or earlier are affected by this vulnerability.
CAN 1999-0911
CVE 2001-0136
CVE 2001-0318
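An illustrative reconstruction of the off-by-one in the replydirname quote-doubling copy, written for this page and not taken from the OpenBSD or NetBSD source: the loop bound leaves room for the terminating NUL but not for the second quote, so a '"' at the last usable index pushes the terminator one byte past the buffer. The buffer size and input are constructed; out-of-bounds stores are counted rather than performed so the example never corrupts memory.

```c
#include <stdio.h>
#include <string.h>

/* Guarded store: performs the write if in bounds, otherwise reports 1. */
static size_t put(char *dst, size_t cap, size_t idx, char ch)
{
    if (idx < cap) {
        dst[idx] = ch;
        return 0;
    }
    return 1;
}

/* Copy a directory name into dst[cap] for a 257 reply, doubling every '"'.
 * fixed == 0 uses the original style bound (cap - 1: room for NUL only);
 * fixed == 1 uses the corrected bound (cap - 2: room for a doubled quote
 * and the NUL). Returns how many bytes an unguarded loop would have written
 * past the end of dst; 0 means the copy stayed in bounds. */
static size_t quote_copy(const char *name, char *dst, size_t cap, int fixed)
{
    size_t i, over = 0;
    size_t limit = fixed ? cap - 2 : cap - 1;

    for (i = 0; *name != '\0' && i < limit; i++, name++) {
        over += put(dst, cap, i, *name);
        if (*name == '"')
            over += put(dst, cap, ++i, '"');  /* second store for one input byte */
    }
    over += put(dst, cap, i, '\0');           /* the store that lands at dst[cap] */
    return over;
}

int main(void)
{
    char buf[8];
    const char *name = "abcdef\"";  /* constructed: '"' exactly at index cap-2 */

    printf("unfixed bound: %zu byte(s) past end of buffer\n",
           quote_copy(name, buf, sizeof buf, 0));
    printf("fixed bound:   %zu byte(s) past end, reply text \"%s\"\n",
           quote_copy(name, buf, sizeof buf, 1), buf);
    return 0;
}
```

With the original bound the overflowing byte is the NUL terminator, which is why the advisory calls this a single-byte overflow; the corrected bound truncates the name instead.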
Multiple vulnerabilities affecting ProFTPD could be used to create a denial of service or execute arbitrary code on the server.
1/18/02
The first problem is a denial of service which results from a command containing excessive globbing. By issuing a list command with an argument containing many repetitions of the "*/.." string, for example, an attacker could cause the server to consume all available memory, thus crashing the FTP process or the server. ProFTPD version 1.2.1 and earlier are affected by this vulnerability.
The next two problems are memory leaks, one in the SIZE command and another in the USER command, which could be exploited to consume excessive amounts of memory on the system, leading to a denial of service. ProFTPD 1.2.0 prior to rc3, including all pre-release versions, is affected by these two vulnerabilities.
The last problem is a format string vulnerability which could be used to execute arbitrary code on the system. This exploit is theoretically possible but very difficult to execute in practice. ProFTPD 1.2.0 prior to rc3, including all pre-release versions, is affected by this vulnerability.
Versions of wu-ftpd between 2.4.2-BETA18-VR4 and 2.5.0, and all versions of BeroFTPD contain a vulnerability which could allow an attacker to overwrite static memory and execute arbitrary code as root by creating a directory with a carefully chosen name. In order to exploit this vulnerability, an attacker would need to have access to a writable directory on the ftp server, either through a user account or by anonymous ftp. This vulnerability is described in CERT Advisory 1999-13.
Due to improper bounds checking in expansion of macro variables in a message file, an attacker could overwrite the stack and execute arbitrary commands with the privileges of the ftp server, usually root. wu-ftpd prior to version 2.6.0, and all versions of BeroFTPD have this vulnerability. An attacker would require the ability to control the contents of a message file in order to exploit this vulnerability. Whether or not an anonymous user would have this ability depends on the configuration of the ftp server. This vulnerability is described in CERT Advisory 1999-13.
SITE NEWER is a feature which allows mirroring software to find all files on an ftp server newer than a specified date. wu-ftpd prior to version 2.6.0, and all versions of BeroFTPD fail to properly free memory when this feature is used in certain situations, causing the server to consume memory. This could allow an attacker to disrupt service. If the attacker has the ability to create files on the server through a user account or a writable directory accessible by anonymous ftp, then it is also possible to execute arbitrary commands with the privileges of the ftp server (typically root). This vulnerability is described in CERT Advisory 1999-13.
Due to improper bounds checking, an attacker can overwrite the internal stack space of the ftp server, thereby executing arbitrary commands with the privileges of the ftp server, which is typically root. The attacker would need access to a writable directory on the ftp server, either through a user account or by anonymous ftp, in order to create the long pathname necessary to exploit the vulnerability. The affected versions are wu-ftpd versions 2.4.2-BETA 18 and earlier (including VR versions prior to 2.4.2-BETA 18-VR10), ProFTPD versions prior to 1.2.0pre2, and BeroFTPD versions prior to 1.2.0. This vulnerability is described in CERT Advisory 1999-03.
A buffer overflow vulnerability has been found in the AIX 4.3.x ftp daemon that allows remote attackers to gain root access. Example exploit code has been publicly released. Other versions of AIX are not affected. This vulnerability is described in CIAC Bulletin J-072.
Some vendor and third-party versions of ftpd have a vulnerability that may allow regular and anonymous FTP users to read or write arbitrary files with root privileges. This vulnerability is caused by a signal handling routine that raises process privileges to root while still continuing to catch other signals. This introduces a race condition that may allow regular, as well as anonymous, FTP users to access files with root privileges. Depending on the configuration of the ftpd server, this may allow intruders to read or write arbitrary files on the server. This attack requires an intruder to be able to make a network connection to a vulnerable ftpd server. wu-ftpd 2.4.2-BETA-12 and later versions do not have this vulnerability. This vulnerability is described in CERT Advisory CA-1997-16.
Versions 2.0 through 2.3 of the wuarchive ftpd have two vulnerabilities that can be exploited to gain root access. The first vulnerability is in the SITE EXEC command feature of ftpd that allows any user (remote or local) to obtain root access. There is a second vulnerability due to a race condition in these implementations. Sites using these versions of ftpd are vulnerable even if they do not support anonymous FTP. In addition to the wuarchive ftpd, DECWRL ftpd versions prior to 5.93 and BSDI ftpd versions 1.1 prior to patch 5 are vulnerable. These vulnerabilities are described in CERT Advisory CA-1994-08. CERT Advisory CA-1995-16 describes the SITE EXEC vulnerability in further detail, and lists all the Linux distributions that may be using the vulnerable version of ftpd.
Some copies of the source code for versions 2.2 and 2.1 of the wuarchive ftpd were modified by an intruder, and contain a Trojan horse. If your FTP daemon was compiled from the intruder-modified source code, you are vulnerable. If you are running the wuarchive ftpd, but not providing anonymous FTP access, you are still vulnerable to this Trojan horse. An intruder can gain root access on a host running an FTP daemon that contains the Trojan horse. This vulnerability is described in CERT Advisory CA-1994-07.
Versions of the wuarchive ftpd available before April 8, 1993 have a vulnerability in the access control mechanism. Anyone (remote or local) can potentially gain access to any account, including root, on a host running this version of ftpd. This vulnerability is described in CERT Advisory CA-1993-06.
Another solution would be to obtain the latest fixed or patched versions of ftpd from the vendor. For OpenBSD, a patch is available for the setproctitle bug. For HP-UX, download the fix for the setproctitle bug for 11.0 or 10.20.
In some cases, disallowing anonymous ftp access, or removing write permissions from all directories accessible by anonymous ftp could serve as a workaround. However, this will only be an effective solution for those vulnerabilities which, as noted above, require the attacker to create files or directories on the server. You will still need to upgrade ftpd to fix the other vulnerabilities.
Finally, ftp access can be restricted by using TCP wrappers.
To correct the buffer overflow in replydirname in OpenBSD or NetBSD, apply the patch given in the OpenBSD Security Advisory or NetBSD Security Advisory 2000-018.