Bugtraq mailing list archives

Re: Possible WU-ftpd Worm ?

From: gbnewby () ILS UNC EDU (Gregory Newby)
Date: Wed, 14 Apr 1999 14:04:11 -0400


On Wed, 14 Apr 1999, Stu Alchor wrote:

I'm a system administrator of a educational domain which deals with
...
But what took my attention is that he had a script called ftp-w0rm.tgz
which was able to look for ftpd bug around the world, exploit it and
reproduce the script like the worm. We found out that once the worm gets
in a new host, it will install a backdoor (bindcode) in the port 31337
and starts the new scan. By taking a look at the time stamp, the intruder
is running this toy since march.


I sent a message related to this two weeks ago which Aleph
(evidently) chose not to post.  The message and associated
programs/documents is at http://blue.ils.unc.edu/Apr1/hack/
(blue-bugtraq.txt is the post).

This program, like ADMwuftpd.c, exploits
WRITE-able directories on your Linux FTP server.
It then uses a hole in wu-ftpd (found in all versions,
including the VR patches) to get a root shell.

The program you included, Stu, seems to combine the scanning
for a writable directory with the exploit.  ADMwuftpd.c,
which was posted to Bugtraq around the end of March,
needs to be told where to run the exploit.  Other
programs (a few are available) actually look for writable
directories.

The hole is a buffer overflow for very long directory
names.

From there, everything's easy...  the program

which started out as a remote FTP connection ends up as
a root shell to the remote machine.  You don't even
get logged, because it's not an actual login.  But
the intruder could, of course, set up a username or
do anything else s/he chooses.  You mentioned that
a backdoor was installed...sure, that's viable.
Once you get that root shell, anything is fair game.

The solution is simply to not have any world writeable
directories under your anonymous FTP tree.  This is
good policy anyway, regardless of this particular exploit,
because a world writeable directory is just an invitation
for your site to be turned into a warez distribution point.

  -- Greg

// Gregory B. Newby, Assistant Professor in the School of Information
// and Library Science, University of North Carolina at Chapel Hill
// CB# 3360 Manning Hall, Chapel Hill, NC, 27599-3360  E: gbnewby () ils unc edu
// V: 919-962-8064 F: 919-962-8071  W: http://www.ils.unc.edu/~gbnewby/

Current thread:

Serious security holes in web anonimyzing services, (continued)
- - - Serious security holes in web anonimyzing services Patrick Oonk (Apr 13)
    - Re: Serious security holes in web anonimyzing services Jeremey Barrett (Apr 13)
    - Re: ARP problem in Windows9X/NT route () RESENTMENT INFONEXUS COM (Apr 13)
    - Re: ARP problem in Windows9X/NT gandalf () POBOX COM (Apr 13)
    - Re: ARP problem in Windows9X/NT route () RESENTMENT INFONEXUS COM (Apr 13)
    - Re: ARP problem in Windows9X/NT Alan DeKok (Apr 13)
    - Re: ARP problem in Windows9X/NT Joseph Gooch (Apr 14)
    - Re: ARP problem in Windows9X/NT gandalf () POBOX COM (Apr 15)
    - Possible WU-ftpd Worm ? Stu Alchor (Apr 13)
    - Re: Possible WU-ftpd Worm ? Gregory A Lundberg (Apr 14)
    - Re: Possible WU-ftpd Worm ? Gregory Newby (Apr 14)
    - Re: Possible WU-ftpd Worm ? M.Brands (Apr 14)
    - Real Media Server stores passwords in plain text Francisco M. Marzoa Alonso (Apr 14)
    - Announce: Secure UNIX Programming FAQ Thamer Al-Herbish (Apr 13)
    - Bugs in anonymity services Avi Rubin (Apr 13)
  - NetBSD Security Advisory 1999-008 matthew green (Apr 12)
- Re: ICQ Webserver bug Scott (Apr 08)