WU-FTPD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the restricted-gid feature is used. A malicious user can change the permissions on their home directory to deny themselves access. A subsequent connection by that user will exploit the flaw, and put them into the home directory of the root user, which will disclose files that an ordinary user would not have access to resulting in a loss of confidentiality.

The following is the patch that Red Hat has applied. It should work for all platforms:

--- wu-ftpd/src/ftpd.c.escape 2001-05-17 20:36:44.000000000 +0200
+++ wu-ftpd/src/ftpd.c 2004-03-01 11:56:17.541416616 +0100
@@ -3365,7 +3365,7 @@
}
#endif /* ALT_HOMEDIR */
#else /* DISABLE_STRICT_HOMEDIR is defined */
- if (chdir("/") < 0) {
+ if (restricted_user || chdir("/") < 0) {
#ifdef VERBOSE_ERROR_LOGING
syslog(LOG_NOTICE, "FTP LOGIN FAILED (cannot chdir) for %s, %s",
remoteident, pw->pw_name);

Upgrade to version 2.6.2-13 (Available on some Linux distributions) or higher, as it has been reported to fix this vulnerability. In addition, WU-FTPD Development Group has released a patch for some older versions of the main distribution.

• Security Tracker: 1009349
• Secunia Advisory ID: 11055 11350 12086 14013 20168
• ISS X-Force ID: 15423
• CVE ID: 2004-0148 (see also: NVD)
• SCIP VulDB ID: 550
• Bugtraq ID: 9832
• Keyword: BugIDs: 5012436
• Other Advisory URL: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.6/SCOSA-2005.6.txt ftp://patches.sgi.com/support/free/security/advisories/20040303-01-U.asc http://www.debian.org/security/2004/dsa-457
  http://www.turbolinux.com/security/2004/TLSA-2004-8.txt
  http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01012
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0173.html
• Vendor Specific Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102356-1
• Vendor URL: http://www.wuftpd.org/
• CIAC Advisory: o-095
• RedHat RHSA: RHSA-2004:096

• Glenn Stewart -