Wu-ftpd Remote Root Hole 515
Ademar writes: "A remote exploitable vulnerability was found in wu_ftp, which is distributed in all major distros. The CERT has a (private) list to coordinate this kind of disclosure so vendors can release updates together, but RH broke the schedule and released their advisory first. You can see the full advisory from securityfocus in bugtraq, but here is a quote: "This vulnerability was initially scheduled for public release on December 3, 2001. Red Hat pre-emptively released an advisory on November 27, 2001. As a result, other vendors may not yet have fixes available."" CNET has a story about this too.
Wu-FTP not in OpenBSD (Score:3, Interesting)
You're a nit. You're a nit. Here's another one!
I've changed my mind (Score:5, Interesting)
Until 5 mins ago I was a beleiver in complete disclosure,
But with 6 wu-ftpd boxes to admin I'm not so sure any more.
Hope I see a fix today.
linuxtoday.com (Score:2, Interesting)
My favorite quote (Score:3, Interesting)
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service.
Whew! Your whole system is only wide open if you can access the FTP service. That makes me feel better!
CERT and private lists (Score:5, Interesting)
So, once again use an occasion such as this to resoundingly denounce the fact the CERT, and major Linux distros other than Red Hat, have chosen to do the essentially same.
I suspect that the complaints of this type of behavior will be much less in the case of CERT, since Microsoft's disclosure policies simply allow slashdotters to take pot shots at MS, but we'll see...The shoe's on the other foot this time.
Re:Nice. (Score:5, Interesting)
I'm somewhat surprised--but either way it brings the unresolved question of disclosure bubbling to the froth again.
Know what you're doing. (Score:3, Interesting)
I think it's better that Red Hat released the advisory ahead of time. The faster sysadmins, programmers, and other users know about remote root exploits, the faster the exploit can be closed.
Of course, there are some folks out there who won't patch their system. For those people, advisories like this don't help at all. But then, if you're running anything important, you should take the time to learn how to properly configure and maintain the system. Trying to hide known exploits from the public only serves to make things more difficult and dangerous for those of us who DO know what we're doing.
In other words, if you don't know what you're doing, you shouldn't be using a computer.
OH WELL.
Re:Another globbing bug? (Score:5, Interesting)
LS
Secret awareness of security exploitability: scary (Score:2, Interesting)
I just know that the powerful interests, not just the federal government, but also foreign governments and corporate espionage types, become aware of these things, and likely have crack teams of dedicated crackers to rapidly turn out an in house exploit.
Asymetric information is inequitable, giving an inevitable advantage to the elite in the know.
Lack of knowledge is powerlessness.
Re:My favorite quote (Score:2, Interesting)
For outgoing data, you can just use HTTP.
ironic.. (Score:3, Interesting)
Then this comes out. I hope he got my email.
Re:Wu-FTP in Debian but not as default (Score:3, Interesting)
#apt-get install bsd-ftpd
which is a port of the audited OpenBSD FTP server.
Ok - What does this attack LOOK like? (Score:3, Interesting)
Re:Nice. (Score:3, Interesting)
What's open source's role in the security-by-obscurity debate?
Open-source software is neither more nor less secure than closed-source software. And the whole issue of whether open source is more secure is a red herring. We have a chapter in the book about it. Security by obscurity doesn't work. But just because you have your source code sitting around in public doesn't mean someone's going to do a free security review on it, either, which is what the open-source guys think. That's wrong.
Re:My favorite quote (Score:2, Interesting)
both require a new connection for each dir listing or file transfer - except HTTP/1.1 which can reuse a connection. HTTP wins.
FTP requires an additional TCP connection for the control info. More setup and teardown cost. HTTP wins.
Many sites are already running an HTTP server, so using that for file transfer means one less daemon. Mitigated by running ftpd out of inetd, which most people do, but still ... HTTP wins.
HTTP can use auth methods other than plaintext, and can easily have different sets of auth'd users in different directories
What are the advantages to FTP for downloads ... I honestly can't think of any ATM.
Re:Ok - What does this attack LOOK like? (Score:2, Interesting)
"The hole is the result of a programming error in the portion of WU-FTPd that processes file names containing special characters. BindView's Matt Power discovered in April that the server would crash if presented with the file name '~{', but the program's maintainers believed the bug could not be exploited. "
URL for the article is http://www.theregister.co.uk/content/4/23082.html [theregister.co.uk]
Re:more to the story (Score:3, Interesting)
don't get me wrong here - i don't use wu-ftpd, either. i use the openbsd ftpd [debian.org] ported to linux.
i just felt that people should be aware that there was more to the story.
Re:I've changed my mind (Score:2, Interesting)
I believe this is flawed thinking in regards to security. I'm sure you have seen the many times on Slashdot that such-and-such method of encryption, which everyone believes to be the most superior, gets cracked in a matter of days. Then I hear "it was cracked by a team" or "it took 4 days." This lessens the impact and makes it appear as if RSA is still very secure.
I believe it is a huge flaw to think RSA will keep you safe because it is well known and peer-reviewed. It may be secure from those script kiddie attacks, which would only install an IRC bot or maybe erase your hard drives. It is not secure if you ever run into someone with a strong motivation to get into your system. The same strong motivation that was able to break the such-and-such encryption in only so many days.
Another problem with open security methods is that they can be detected. If you don't tell anyone what encryption method you are using on a certain site then it will be hard to break in. Now, if you don't tell anyone (obscurity), but you use a well known algorithm (peer-reviewed) then your security method is more easily detected. Crackers will pick up on certain reoccuring bit-patterns, the length of the encryption key or a number of other things. What happens is most sites proudly state "using PGP encryption," or something similar. Which is not really security at all, but just prancing around saying "we are hiding our private stuff in bank X, bet you can't get it!" And most people using PGP or some such are using it for meaningless data which does not need security.
I feel a big part of this debate is people have some sort of urge or agenda to make all software open. If "security through obscurity is bad" really means "proprietary software vs. open software" then we should skip the debate about security and look at facts about software methods producing secure software.
Those facts for wu-ftp are:
- wu-ftp is open and peer-reviewed
- wu-ftp had a serious flaw
- wu-ftp's flaw was released publicly
- wu-ftp is (was?) not yet patched on most systems
This is a repeating pattern among free software. It has happened more times than I can remember with just the Linux kernel itself. It also happens with sendmail and bind more than I would like to know about. And today someone will surely believe that wu-ftp is secure now that is patched. This is what I call "security after the fact." Which, to me, seems what the open software crowd is more concerned with than "security before the fact."