 WU-FTPD

WU-FTPD (more fully wuarchive-ftpd, also frequently written in lowercase as wu-ftpd) is an FTP server (daemon) for Unix-like operating systems. A WU-FTPD-derived in.ftpd is the standard FTP daemon on Solaris 9.

It was originally written by Chris Myers and Bryan D. O'Connor at Washington University as a replacement for the BSD FTP daemon, for use on the Washington University network and primarily on the large wuarchive site.

Until the early 2000s it was the most common FTP server in use. Its use has since declined, partly because more feature-rich and easier to configure servers became available, but primarily because of its security record and the perceived complexity of its source code. In 2001, for example, the Ramen worm used a WU-FTPD vulnerability as one of its intrusion mechanisms. Many Linux distributions have dropped WU-FTPD in favor of other daemons.

Old News ;-)

Setting up servers for FXP

To configure wu-ftpd to allow FXP

Requirements: wu-ftpd 2.6.0 or later (the port-allow and pasv-allow directives used below).

/etc/ftpaccess

First, add a class for the users that are allowed to do FXP (unless you want to use the predefined catch-all class "all"). A new class line MUST appear before the catch-all class "all": wu-ftpd assigns a client to the first class line it matches, so a class listed after "all" would never be reached.

The line is of the form:
class {ArbitraryClassName} {AccessTypes} {HostAddrs} [HostAddrs]

Then add lines that allow PORT commands naming, and PASV data connections arriving from, hosts whose addresses do not match the client's own address. By default wu-ftpd refuses such third-party data connections, and allowing them is what FXP needs.

These lines are of the form:
port-allow {ArbitraryClassName} {HostAddrs}
pasv-allow {ArbitraryClassName} {HostAddrs}

Example

    class newclass real,guest,anonymous *.mydomain.net *.more.client.addresses.com
    class all real,guest,anonymous *

    port-allow newclass 0.0.0.0/0
    pasv-allow newclass 0.0.0.0/0

This adds a new class (creatively called "newclass"); note that it appears BEFORE the line defining class "all". The new class contains all hosts in the subdomains mydomain.net and more.client.addresses.com (domains obviously made up by yours truly), which limits who is allowed to do FXP. The port-allow and pasv-allow lines then allow FXP connections to and from anywhere for clients in "newclass". Be aware of what 0.0.0.0/0 in the port-allow line grants: any client in newclass can make the server open a data connection to an arbitrary address and port, which is exactly the classic FTP bounce attack. If you only FXP with known peer servers, list their addresses or networks instead of 0.0.0.0/0.
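The following is an added example written for this page, not code from wu-ftpd or from the howto's author. It models two things the text relies on: that the first matching class line wins, and that port-allow / pasv-allow entries are what permit a data connection to an address other than the client's. The matching rules (fnmatch for host globs, CIDR for entries containing a slash, the client's own address always allowed) are simplifying assumptions, not wu-ftpd's actual matcher; the ftpaccess fragments, host names and addresses are constructed. It also carries the weak setting (0.0.0.0/0) beside a restricted one that only permits a single peer network.

```python
"""Simplified model of wu-ftpd class selection and port-allow / pasv-allow checks.

Added example for this page, not wu-ftpd source.  Modelling assumptions:
  * a HostAddrs glob without '/' is matched with fnmatch against the peer's
    reverse name and its dotted-quad address; a glob containing '/' is CIDR;
  * PORT to, or PASV from, the client's own address is always allowed, any
    other address needs a matching port-allow / pasv-allow entry for the class.
"""
import fnmatch
import ipaddress

# Constructed /etc/ftpaccess fragment: the example from the text, class line
# written on one line as wu-ftpd expects it.  Domains are made up.
FTPACCESS_OPEN = """\
class newclass real,guest,anonymous *.mydomain.net *.more.client.addresses.com
class all real,guest,anonymous *

port-allow newclass 0.0.0.0/0
pasv-allow newclass 0.0.0.0/0
"""

# Same classes, but FXP is only permitted with one known peer network
# (203.0.113.0/24 is a documentation range, used here as a stand-in).
FTPACCESS_RESTRICTED = """\
class newclass real,guest,anonymous *.mydomain.net *.more.client.addresses.com
class all real,guest,anonymous *

port-allow newclass 203.0.113.0/24
pasv-allow newclass 203.0.113.0/24
"""


def host_matches(pattern, hostname, ip):
    """Does one HostAddrs glob match a peer, given its name and address?"""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    pat = pattern.lower()
    return fnmatch.fnmatchcase(hostname.lower(), pat) or fnmatch.fnmatchcase(ip, pat)


def parse_ftpaccess(text):
    """Return (ordered list of (class, types, globs), {directive: [(class, globs)]})."""
    classes = []
    allows = {"port-allow": [], "pasv-allow": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "class" and len(parts) >= 4:
            classes.append((parts[1], set(parts[2].split(",")), parts[3:]))
        elif parts[0] in allows and len(parts) >= 3:
            allows[parts[0]].append((parts[1], parts[2:]))
    return classes, allows


def client_class(classes, login_type, hostname, ip):
    """First class line whose type list and host globs both match wins."""
    for name, types, globs in classes:
        if login_type in types and any(host_matches(g, hostname, ip) for g in globs):
            return name
    return None


def data_connection_allowed(text, directive, login_type, hostname, ip, peer_ip):
    """directive is 'port-allow' (client sent PORT naming peer_ip) or
    'pasv-allow' (the connection to the PASV port arrived from peer_ip)."""
    classes, allows = parse_ftpaccess(text)
    cls = client_class(classes, login_type, hostname, ip)
    if cls is None:
        return False          # no class matches: wu-ftpd refuses the login
    if peer_ip == ip:
        return True           # ordinary, non-FXP transfer
    return any(name == cls and any(host_matches(g, peer_ip, peer_ip) for g in globs)
               for name, globs in allows[directive])


if __name__ == "__main__":
    for cfg_name, cfg in (("open", FTPACCESS_OPEN), ("restricted", FTPACCESS_RESTRICTED)):
        for peer in ("203.0.113.5", "198.51.100.99"):
            ok = data_connection_allowed(cfg, "port-allow", "anonymous",
                                         "fxp.mydomain.net", "192.0.2.10", peer)
            print(f"{cfg_name:10s} PORT to {peer:15s} -> {'allowed' if ok else 'refused'}")
```

Running the block shows that a newclass client can direct the server at any address under the open configuration, but only at 203.0.113.0/24 under the restricted one, while a client that fell through to class "all" gets no third-party data connections at all. Swapping the two class lines puts every client into "all", which is the ordering mistake the text warns about.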

Linux Today - Linux-Mandrake Security Update Advisory wu-ftpd update

WireX discovered a temporary file creation bug in the 2.6.1 release of wu-ftpd. The problem exists in the privatepw helper program. As well, Linux-Mandrake 7.2 users must update to this package as it fixes security problems as discussed in the prior advisory, MDKSA-2000:014, which had not been previously addressed for 7.2.

All of the updated packages for Linux Mandrake versions 6.0 through 7.1 and the packages for Corporate Server 1.0.1 had an incorrect dependency on the xinetd package which prevented MandrakeUpdate from installing the updates. Updated packages for these versions have been released that are no longer dependent upon xinetd.

[July 7, 2000] CERT has issued an advisory concerning WU-FTPD and all ftp daemons derived from BSD's final release.

[July 2, 2000] WU-FTPD 2.6.1 has been released. Download it from the distribution site or one of the world-wide mirrors.

This release fixes the recent root compromise problems discovered in version 2.6.0, and includes other fixes and improvements.

"Wuarchive-ftpd, more affectionately known as wu-ftpd, is a replacement ftp daemon for Unix systems developed at Washington University. wu-ftpd is the most popular ftp daemon on the Internet, used on many anonymous ftp sites all around the world."


Check the relevant links and changes history at AppWatch.com.

[June 26, 2000] AUSCERT Advisory AA-2000.02 recommends upgrading to 2.6.0 and applying the patch.

[June 22, 2000] A new exploit for wu-ftpd was published.

We are working on a new release that fixes this and some other problems. Some Linux vendors (Red Hat and Debian) have already released their patches. A source patch is available in the quickfixes directory for release 2.6.0.
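The news items above all come down to one question for an administrator: is this server still running something older than 2.6.1? The following is an added example written for this page (not wu-ftpd code) that answers it from the greeting banner. The banner format is the one wu-ftpd prints by default ("Version wu-2.6.0(1) ..." inside the 220 line); the host names and dates in the sample banners are constructed, and fetch_banner is only used when you pass it a real host.

```python
"""Flag wu-ftpd servers whose greeting shows a version older than 2.6.1.

Added example for this page, not code from the wu-ftpd project.  The banner
format assumed here is wu-ftpd's default greeting, for example:
  220 host FTP server (Version wu-2.6.0(1) Mon Jun 19 12:00:00 EDT 2000) ready.
"""
import re
import socket
import sys

FIXED_IN = (2, 6, 1)   # release named above as fixing the 2.6.0 root compromise
VERSION_RE = re.compile(r"Version wu-(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

# Constructed sample banners (host name and timestamps are made up).
SAMPLE_BANNERS = {
    "old":     "220 ftp.example.net FTP server (Version wu-2.6.0(1) Mon Jun 19 12:00:00 EDT 2000) ready.",
    "fixed":   "220 ftp.example.net FTP server (Version wu-2.6.1(1) Sat Jul 1 09:00:00 EDT 2000) ready.",
    "ancient": "220 ftp.example.net FTP server (Version wu-2.4.2-academ[BETA-18](1) Thu Dec 4 1997) ready.",
    "hidden":  "220 FTP server ready.",
}


def parse_wu_version(banner):
    """Return (major, minor, patch) from a wu-ftpd banner, or None if not visible."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_upgrade(banner):
    """True if the banner shows wu-ftpd older than FIXED_IN, False if at or
    above it, None if no wu-ftpd version is visible (hidden or another daemon)."""
    version = parse_wu_version(banner)
    if version is None:
        return None
    return version < FIXED_IN


def fetch_banner(host, port=21, timeout=5.0):
    """Read the 220 greeting from a live server, including multi-line 220- greetings."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        lines = []
        for line in sock.makefile("r", encoding="latin-1"):
            line = line.rstrip("\r\n")
            lines.append(line)
            if line[:3].isdigit() and line[3:4] == " ":   # "220 " ends the greeting
                break
        return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        banner = fetch_banner(sys.argv[1])
        print(banner)
        print("needs upgrade:", needs_upgrade(banner))
    else:
        for label, banner in SAMPLE_BANNERS.items():
            print(f"{label:8s} version={parse_wu_version(banner)} needs_upgrade={needs_upgrade(banner)}")
```

Treat the result as a triage hint rather than proof: the version can be hidden by the greeting settings in ftpaccess, and vendor packages (the Mandrake advisory above is one case) often backport fixes without changing the version string, so a "2.6.0" banner on a patched distribution package may not be vulnerable and a hidden banner says nothing either way.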


Recommended Links

WU-FTPD - Wikipedia, the free encyclopedia

WU-FTPD Development Group -- official site

WU-FTPD Server Software -- mirror

Resource Center

How-To Guide for wu-ftpd on Solaris 2.x

Securing an Anonymous FTP Server in Solaris 8 with WU-FTPD

BigAdmin Description - WU-FTPD


Reference

WU-FTPD man pages

Frequently Asked Questions about wu-ftpd (also available from a mirror)

HOWTO guides

FTP and related RFCs

Securing an Anonymous FTP Server in Solaris 8 with WU-FTPD


Patches

HP



Digest Name:  Daily Security Bulletins Digest
    Created:  Mon Dec 13  3:00:05 PST 1999

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX9912-106   Security Vulnerability in wu-ftp

The documents are listed below.
-------------------------------------------------------------------------------


Document ID:  HPSBUX9912-106
Date Loaded:  19991212
      Title:  Security Vulnerability in wu-ftp

-------------------------------------------------------------------------
    HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00106, 13 Dec. 1999
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:  Multiple vulnerabilities in wu-ftp software.

PLATFORM: HP9000 series 7/800 servers running HP-UX release 11.00 only.

DAMAGE:   Any user can gain root privileges.

SOLUTION: Apply the patch noted below.

AVAILABILITY:  The patch is available now.

-------------------------------------------------------------------------
I.
   A. Background
      Starting with HP-UX release 11.00, Hewlett-Packard has made
      available the ported wu-ftp code.  There are buffer overruns in
      the wu-ftpd plus corrections to other client functionality as
      mentioned in AUSCERT AA-1999.02 Advisory, dated 19 October 1999.
      See www.auscert.org.au.

      HP-UX release 10.20 supports only our legacy ftp and is not affected.
      Release 11.00 is, however, vulnerable and needs this patch.  Our
      patch addresses the vulnerabilities that have been fixed in the
      2.6.0 release of wu-ftpd which has been made available by the
      WU-FTPD Development Group.

   B. Fixing the problem - Install patch PHNE_18377.

   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP IT Resource Center via electronic mail,
      do the following:

      Use your browser to get to the HP IT Resource Center page
      at:

        http://us-support.external.hp.com
               (for US, Canada, Asia-Pacific, & Latin-America)
        http://europe-support.external.hp.com     (for Europe)

      Under the Maintenance and Support Menu (Electronic Support Center):
        click on the "more..." link.  Then -

      To -subscribe- to future HP Security Bulletins, or
      To -review- bulletins already released
        click on "Support Information Digests" near the bottom of the
        page, under "Notifications".

      Login with your user ID and password (or register for one).
      (Remember to save the User ID assigned to you, and your password).

      On the "Support Information Digest Main" page:
      click on the "HP Security Bulletin Archive".

      Once in the archive the third link is to our current Security
      Patch Matrix.  Updated daily, this matrix categorizes security
      patches by platform/OS release, and by bulletin topic.

      The security patch matrix is also available via anonymous ftp:

      us-ffs.external.hp.com
      ~ftp/export/patches/hp-ux_patch_matrix

   D. To report new security vulnerabilities, send email to

       security-alert@hp.com

      Please encrypt any exploit information using the security-alert
      PGP key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.

     Permission is granted for copying and circulating this Bulletin to
     Hewlett-Packard (HP) customers (or the Internet community) for the
     purpose of alerting them to problems, if and only if, the Bulletin
     is not edited or changed in any way, is attributed to HP, and
     provided such reproduction and/or distribution is performed for
     non-commercial purposes.

     Any other use of this information is prohibited. HP is not liable
     for any misuse of this information by any third party.


Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belongs to the respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: August 13, 2009