Rule:

--
Sid:
1378

--
Summary:
This event is generated when an attempt is made to exploit a vulnerability in Wu-Ftpd.

--
Impact:
Serious. When properly executed, this vulnerability will allow root access.

--
Detailed Information:
Wu-Ftpd allows clients to select files for FTP operations using "file globbing" patterns, the same wildcard expansion used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap corruption vulnerability that may allow a remote attacker to execute arbitrary code on the server.

wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function.

--
Affected Systems:
	wuftpd 2.5.0, 2.6.0, 2.6.1
	David Madore ftpd-BSD 0.3.2 and 0.3.3

--
Attack Scenarios:
Allowing FTP connections from untrusted users (including anonymous logins) would allow this exploit to be executed as long as the server is running an affected version.

--
Ease of Attack:
Simple. No exploit software is required; a standard FTP client can send the malformed glob pattern.
The following is an example:
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection

1405 ? S 0:00 ftpd: accepting connections on port 21
7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd
26256 ? S 0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3 R 0:00 bash -c ps ax | grep ftpd
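The session above shows the trigger as a client sees it: a single FTP command whose argument carries the literal "~{" reaches the server's glob routine and the control connection drops. The following is an added example, not part of the original documentation and not the Snort rule body itself, showing how a detector could scan reconstructed FTP control-channel commands for that pattern. The sample command list is constructed for illustration, and the choice to match "~{" anywhere in the argument of any command (not only CWD or a directory listing) is an assumption made here, since the Detailed Information states the problem lies in the glob function rather than in one specific command.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of FTP control-channel commands (client -> server), as they
# might be reconstructed from a packet capture. These are NOT from the original page.
SAMPLE_COMMANDS = [
    "USER anonymous",
    "PASS ftp@example.com",
    "SYST",
    "TYPE I",
    "CWD /pub/incoming",
    "PASV",
    "NLST ~{",            # the trigger from the session above, sent by "ls ~{"
    "CWD ~{",             # the same trigger via CWD, as the Detailed Information notes
    "RETR README~{1,2}",  # "~{" embedded mid-argument still reaches glob, so it is flagged too
    "QUIT",
]

# Assumption: the pattern of interest is the literal "~{" anywhere in a command's
# argument. The page's own Snort rule content is not reproduced here.
GLOB_TRIGGER = "~{"

# FTP control lines are "VERB [argument]"; verbs are 3 or 4 letters and case-insensitive.
COMMAND_RE = re.compile(r"^\s*([A-Za-z]{3,4})(?:\s+(.*))?\s*$")


class Hit(NamedTuple):
    index: int     # position within the command stream
    verb: str      # FTP command verb, upper-cased
    argument: str  # argument that carried the trigger


def parse_command(line: str) -> Optional[Tuple[str, str]]:
    """Split one FTP control line into (VERB, argument); None if malformed."""
    m = COMMAND_RE.match(line)
    if not m:
        return None
    return m.group(1).upper(), m.group(2) or ""


def find_glob_trigger(lines: List[str]) -> List[Hit]:
    """Return every command whose argument contains the "~{" glob trigger."""
    hits = []
    for i, line in enumerate(lines):
        parsed = parse_command(line)
        if parsed is None:
            continue
        verb, arg = parsed
        if GLOB_TRIGGER in arg:
            hits.append(Hit(i, verb, arg))
    return hits


def summarize(lines: List[str]) -> dict:
    """Count hits per verb, the shape of a simple alert summary."""
    counts = {}
    for hit in find_glob_trigger(lines):
        counts[hit.verb] = counts.get(hit.verb, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_glob_trigger(SAMPLE_COMMANDS):
        print(f"command {hit.index}: {hit.verb} {hit.argument!r} -> wu-ftpd glob trigger")
    print(summarize(SAMPLE_COMMANDS))
```

Matching on the argument rather than the whole line avoids firing on server replies or on the verb itself, and upper-casing the verb lets the summary group "cwd ~{" and "CWD ~{" together. A legitimate filename containing "~{" is possible but rare on an anonymous FTP server, which is consistent with the "False Positives: None Known" note above.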

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Neal Timm <nrtimm@var-log.com>

--
Additional References:

Bugtraq
http://www.securityfocus.com/bid/3581

CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0550
