Red Hat accidentally pre-releases information on a devastating Linux security hole, sends other vendors scrambling
By Kevin Poulsen
Nov 28 2001 1:48PM PT
On the surface, it was just another turn of the endless cycle of software release, hole discovery, and patching: operating system vendor Red Hat issued an advisory Tuesday warning the world about a serious security hole in a file transfer program that comes with Linux, and urged customers to download a patch.
There was just one problem: Red Hat's advisory jumped the gun on what was intended to be a simultaneous multi-vendor release, carefully coordinated by the government-funded Computer Emergency Response Team (CERT), and scheduled for December 3rd. Caught off guard, other Linux vendors were rushing Wednesday to finalize their own patches for the hole, a memory-allocation bug in the ubiquitous Washington University WU-FTPd program.
(...)
The hole is the result of a programming error in the portion of WU-FTPd that processes file names containing special characters. BindView's Matt Power discovered in April that the server would crash if presented with the file name '~{', but the program's maintainers believed the bug could not be exploited. Then researchers at Argentina-based Core Security Technologies discovered the bug themselves in November, and proved that careful manipulation of the bug yields remote 'root' access to vulnerable systems.
Complete Article: http://www.securityfocus.com/news/293











