Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.
While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Connectiva, Cobalt Networks, MandrakeSoft and Wirex.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
I haven't seen the CERT advisory. It's likely the problem exists with more than just Linux. The last time WU-FTP had a buffer overflow problem, every OS the program ran on was vunderable to it. Solaris, IRIX, Linux, etc. It's possible that the problem could be limited to Intel-based unix systems FreeBSD and Linux or just Linux.
Oh, now I remember you. Bush2000.
IIS is actually written by Microsoft. However, buffer overflow problems with IIS are not problems with the NT executive. They are a server process problem, that allows a maliscious person to hijack the software. This is not a fault of the OS.
If blame is to be laid, the fault lies 1. with the people who maintain WU-FTP and 2. RedHat for including a notoriously buggy FTP server.
No one claims that Free Software is bug-free, only that it tends to have less bugs, and that they are generally fixed faster than proprietary software.
The night is young. I expect this thread's floor will be littered with "winners" before sunrise, perhaps to knee or even waist depth. There's an awful lot of glory to go around, and combined with that moths+candles principle, well, heheheheheheh... :)
That is the most ignorant statement I have read as of recent.
What! I thought Linux was perfect and never had vulnerabilities. You mean Microsoft isn't the only that has bugs in the code. I am shocked!
Actually, I've seen quite a few people post here extolling the infallibility of Linux.
Oh, you mean like these, right?
66.87.26.181 - - [28/Nov/2001:15:09:37 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-" 66.87.26.181 - - [28/Nov/2001:15:09:40 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-" 66.87.26.181 - - [28/Nov/2001:15:09:43 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-" 66.87.26.181 - - [28/Nov/2001:15:09:43 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-" 66.87.26.181 - - [28/Nov/2001:15:09:44 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-" 66.87.26.181 - - [28/Nov/2001:15:09:47 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-" 66.87.26.181 - - [28/Nov/2001:15:09:50 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-"
Ok, would you feel better if we said Unix problem? Of course Linux is a derivative of Unix...
Yes, and these buffer overflows are the same reason why IIS gets hammered. Of course, then we hear "Microsoft makes crappy code".
LOL, wonder if they even know what it is
God Bless America
You really should look at your logs before you post something like this. This is ONE, not multiple IIS servers mounting an attack. Check out the TCP/IP address. They are all the same.
Yup, the IIS log from an NT server 4.0 server. Multiple entries from ONE infected server that was exploited by Nimda.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.