Vulnerability Report For WU-FTPD Server

Advisory ID Internal

Bugtraq ID: 3581

CVE Name: CVE-2001-0550

CERT: VU#886083

Title: WU-FTPD Improper Ftpglob Error Handling Vulnerability

Class: Failure to handle exceptional conditions

Remotely Exploitable: Yes

Locally Exploitable: Yes


Vulnerability Description:

The Washington University FTP daemon (WU-FTPD) is a highly modified and significantly complex version of FTPD that provides some extra features: custom logging, limited remote command support, and other enhancements to the standard BSD version of FTPD.

A problem was found in all versions of Wu-FTPD included by default in all major Linux distributions. Other platforms that ship wu-ftpd and FTP server programs derived from it are affected.

By exploiting this problem, any user who is able to log into a vulnerable version of the WU-FTPD server may be able to execute arbitrary code remotely with the privileges of the server process (usually root) which can lead to complete system compromise.

The problem is due to a combination of bugs, one located within the function responsible for the globbing feature, which fails to properly signal an error to its caller under certain conditions. The glob function does not properly handle the string "~{" as an illegal parameter. The other bug is at the caller, a command parser function, that incorrectly handles the error status returned by the glob function allowing the corruption of the process memory space.

For those interested in a technical description and proof of concept follow towards the end of this advisory.

Vulnerable Packages:


All versions of wu-ftpd including and up to 2.6.1 are vulnerable.
Version 2.7.0 snapshots are also vulnerable.
Note that 2.7.0 is has not been released officially and is currently a
testing version, nonetheless certain Linux vendors ship vulnerable
wu-ftpd version 2.7.0 intheir distributions.

Washington University wu-ftpd 2.6.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1
+ Cobalt Qube 1.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 8.1
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 7.2
+ MandrakeSoft Linux Mandrake 7.1
+ MandrakeSoft Linux Mandrake 7.0
+ MandrakeSoft Linux Mandrake 6.1
+ MandrakeSoft Linux Mandrake 6.0
+ RedHat Linux 7.2 noarch
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i586
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 athlon
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 noarch
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ TurboLinux TL Workstation 6.1
+ TurboLinux Turbo Linux 6.0.5
+ TurboLinux Turbo Linux 6.0.4
+ TurboLinux Turbo Linux 6.0.3
+ TurboLinux Turbo Linux 6.0.2
+ TurboLinux Turbo Linux 6.0.1
+ TurboLinux Turbo Linux 6.0
+ Wirex Immunix OS 7.0-Beta
+ Wirex Immunix OS 7.0
Washington University wu-ftpd 2.6.0
+ Cobalt Qube 1.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0es
+ Conectiva Linux 4.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 i386
+ RedHat Linux 6.0 alpha
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
+ S.u.S.E. Linux 6.4ppc
+ S.u.S.E. Linux 6.4alpha
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3 ppc
+ S.u.S.E. Linux 6.3 alpha
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.2
+ S.u.S.E. Linux 6.1 alpha
+ S.u.S.E. Linux 6.1
+ TurboLinux Turbo Linux 4.0
+ Wirex Immunix OS 6.2
Washington University wu-ftpd 2.5.0
+ Caldera eDesktop 2.4
+ Caldera eServer 2.3.1
+ Caldera eServer 2.3
+ Caldera OpenLinux 2.4
+ Caldera OpenLinux Desktop 2.3
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 i386
+ RedHat Linux 6.0 alpha

Sun Microsystems Inc.

The Sun Cobalt Qube1 is vulnerable.

Solaris is NOT vulnerable to this problem.

As reported by Brent Paulson from Sun regarding Solaris ISP server that ships with a wu-ftpd derived server:
"The Sun engineering group for the SISP in.ftpd product
has verified that we are not vulnerable to the issue
described in the described vulnerability."

Hewlett Packard

As reported by Dan Grove from HP:

" HP-UX is immune to this issue. It was fixed
in conjunction with the last "globbing" issue
announced in CERT Advisory CA-2001-07, released
April 10, 2001. The lab did a complete check/scan
of the globbing software, and fixed this issue then
as well. Customers should apply the patches listed
in HP Security Bulletin #162 released July 19,2001:

HPSBUX0107-162 Security Vulnerability in ftpd and ftp"

Solution/Vendor Information/Workaround:


The WU-FTPD Development Group has released a patch against version 2.6.1.
This patch is available at

Additional patches to version 2.6.1 are available in the same directory.
Those running earlier versions are advised to update to version 2.6.1
and apply all supplied patches.

A new version with all these patches applied will be made available
shortly as version 2.6.2. To avoid confusion, we will skip the 2.7.0
version number.

The WU-FTPD Development Group has been made aware that some vendors are shipping vulnerable pre-release, development versions of WU-FTPD software bearing, at least internally, version 2.7.0. All users are advised to verify the version claimed on the initial greeting upon connection to the software (you may need to remove your greeting clause from the WU-FTPD configuration to allow the version information to be displayed). If this greeting claims version 2.7.0 or earlier, they are advised to DOWNGRADE
IMMEDIATELY to version 2.6.1 and apply all supplied patches. To avoid confusion, the WU-FTPD Development Group WILL NOT release version 2.7.0; instead their next version will be numbered 2.8.0. (Users participating the field trials of the develpment version are advised to verify their CVS snapshot, and, if dated on or before July 1, 2001, either upgrade to the current snapshot or downgrade to a patched version 2.6.1.)


RedHat Linux had released and advisory and and
SRPMs to address the problem, they can be obtained

Conectiva Linux

Fixed packages will be made available in the next days
for all supported Conectiva Linux distributions at

Caldera Systems

OpenLinux 2.3

Fixed packages were released on 2001/11/28:

OpenLinux eServer 2.3.1

Fixed packages were released on 2001/11/28:

OpenLinux eDesktop 2.4

Fixed packages were released on 2001/11/28:

OpenLinux Workstation 3.1

Not vulnerable. (Does not include wu-ftpd)

OpenLinux Server 3.1

Fixed packages were released on 2001/11/28:

Sun Microsystems

"The only Sun Cobalt Server Appliance that is vulnerable to this exploit is the Qube1. The Qube1 is no longer a supported appliance,
but we do understand the need of having updates available. The following RPM is not officially supported by Sun Cobalt, but offers legacy customers the ability to maintain a limited level of security."


SuSE Linux

SuSE have the set of patches to fix the vulnerability. Updated packages that fix the vulnerability are available from the following URLs:

i386 Intel Platform:

source rpm:

source rpm:

source rpm:

source rpm:

source rpm:

source rpm:

Sparc Platform:

source rpm:

source rpm:

source rpm:

AXP Alpha Platform:

source rpm:

source rpm:

source rpm:

source rpm:

PPC Power PC Platform:

source rpm:

source rpm:

source rpm:

source rpm:


MandrakeSoft has developed a patch for the problem, fixed packages
will be made available shortly.

Turbo Linux

Contact Turbo-linux for patch information and fixed packages.

Debian Linux

Debian has developed a patch for the problem, fixed packages will be made available shortly.

Wirex Inmunix

WireX has developed a patch for the problem, fixed packages will be made available shortly.


To prevent exploitation of this bug it is advised to disable anonymous FTP access until patches are applied. Notice that legit users with FTP accounts can still exploit the problem even if anonymous access is disabled. If legit ftp accoutn posse a security risk, FTP service should be disabled completly until fixed packages are deployed.

Vendors notified on: November 14th, 2001


This vulnerability was initially reported to the vuln-dev mailing list at by Matt Power from Bindview Corp. on April 30th, 2001. At that moment, it was thought as a not exploitable bug and no further research was conducted.

The bug was re-discovered independantly by Core Security Technologies and confirmed to be exploitable on Nov. 1st, 2001

This advisory was drafted with the aid of the Vulnerability Help team at

We would like to thank the VulnHelp Team, CERT,the WU-ftpd development team and the Linux vendors for their efforts trying to coordinate the release of information and availability of fixes.

Technical Description - Exploit/Concept Code:

Tests were performed using wu-ftp server versions 2.6.1 and 2.7.0 snapshots

WU-FTPD server features globbing capabilities, allowing a user to search pathnames matching patterns according to the rules used by the shell. The feature does not use the glibc implementation of the glob() function, instead it implements its own in the the glob.c file

This implementation fails to set the globerr variable under certain circunstances, bypassing error checking after the call, and trying to free an uninitialized memory address. This memory address is located in the process heap and can be manipulated by the user, issuing especially crafted commands beforehand to the server. This issue was found twice in the source code.

The handling of the globbing metacharacters is done by the ftpglob() function included in the glob.c file. The function is called for example from ftpcmd.y line 1277 and line 1303 while processing pathnames for restricted and non-restricted users beggining with a '/' or a '~'
character respectively.

if (restricted_user && logged_in && $1 && strncmp($1, "/", 1) == 0){
globlist = ftpglob(t);

else if (logged_in && $1 && strncmp($1, "~", 1) == 0) {
char **globlist;

globlist = ftpglob($1);

After that, the variable globerr is checked to handle any possible error that could had happened during the globbing process, setting this variable is responsability of the ftpglob() function.

Under certain circunstances not properly handled by the function, globerr is not set even though an error condition is present

Being not initialized explicitly, globlist contains what was in the heap before, which can be properly set with specially crafted requests to the server.

As the globerr was not set properly, the function attempts to free
the provided pointer in ftpcmd.y line 1282 and line 1288.

if (globerr) {
reply(550, globerr);
$$ = NULL;
if (globlist) {
free((char *) globlist);
else if (globlist) {
$$ = *globlist;
free((char *) globlist);

As shown, during the processing of a globbing pattern, the Wu-Ftpd implementation creates a list of the files that match.
The memory where this data is stored is on the heap, allocated using malloc(). The globbing function simply returns a pointer to the list. It is up to the calling functions to free the allocated memory.

If an error occurs processing the pattern, memory will not be allocated and a variable indicating this should be set.
The calling functions must check the value of this variable before attempting to use the globbed filenames (and later freeing the memory).

Under certain circumstances, the globbing function does not set this variable when an error occurs. As a result of this, Wu-Ftpd will eventually attempt to free uninitialized memory.

If this region of memory contained user-controllable data before the free call, it is possible to have an arbitrary word in memory overwritten with an arbitrary value. This can lead to execution of arbitrary code if function pointers or return addresses are overwritten.

Details of hwo to exploit this type of problems are in the public domain and can be found in Phrack Magazine #57 article 9:

Unsuccessful explotation of the problem does not lead to denial of service attacks as the ftp server continues normal execution, only the thread handling the request fails, helping the attacker to success.

The following excerpt is a sample verification of the existence of the problem:

ftp> open localhost
Connected to localhost (
220 sasha FTP server (Version wu-2.6.1-18) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection

1405 ? S 0:00 ftpd: accepting connections on port 21
7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd
26256 ? S 0:00 ftpd:
26265 tty3 R 0:00 bash -c ps ax | grep ftpd
(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256
Symbols already loaded for /lib/
Symbols already loaded for /lib/
Symbols already loaded for /lib/
Symbols already loaded for /lib/
Symbols already loaded for /lib/
Symbols already loaded for /lib/i686/
Symbols already loaded for /lib/
Symbols already loaded for /lib/
Symbols already loaded for /lib/
Symbols already loaded for /lib/
0x40165544 in __libc_read () from /lib/i686/
(gdb) c

Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136 in malloc.c

Note that the segmentation fault is generated because the program is trying to free() a user provided (and in this case invalid) memory chunk referenced by the value 0x61616161 (or its ASCII equivalent 'aaaa', sent earlier in the session as the user password), this should be enough hint on the existence and exploitability of the bug


The contents of this advisory are copyright (c) 2001 CORE Security Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: WUFTPD_free_advisory.txt,v 1.6 2001/11/29 17:13:20 iarce Exp $