Juniper Networks

Signature Detail


Short Name: FTP:COMMAND:SITE-EXEC
Severity: Medium
Recommended: No
Category: FTP
Keywords: Command "site exec"
Release Date: 2003/04/22
Update Number: 1213
Supported Platforms: di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

FTP: Command "site exec"


This signature detects attempts to exploit a configuration vulnerability in wuFTPd. Version 2.4.1 is susceptible. pathnames.h sets _PATH_EXECPATH to /bin, which is relative to ~ftp for anonymous users but relative to / for users with accounts, so for those users it names the actual /bin rather than ~ftp/bin. Attackers can establish an FTP account on the system and run the site exec command to gain access to the /bin directory.

Extended Description

Due to a misconfiguration in the configuration file pathnames.h, some distributed binaries of wuftp version 2.4.1 and earlier allow an attacker with an FTP account on the system to gain root access. This is accomplished by running the "site exec" command. The problem is that pathnames.h erroneously sets _PATH_EXECPATH to /bin: this pathname is relative to ~ftp for anonymous users, but for users with accounts it is relative to / and therefore specifies the real /bin rather than ~ftp/bin. If SITE EXEC is enabled, the user can gain root access by running a shell or other command using site exec.
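A log-review sketch for the condition described above, added here as an example (it is not Juniper's signature logic and not code from this page): it scans an FTP control-channel transcript for SITE EXEC and records whether the command came from a real account, the case where _PATH_EXECPATH resolves against / instead of ~ftp. The "C:"/"S:" transcript format, host name and user names are constructed assumptions.

```python
import re

ANON_USERS = {"anonymous", "ftp"}   # logins served from the ~ftp area
SITE_EXEC = re.compile(r"^\s*SITE\s+EXEC\b\s*(.*)$", re.IGNORECASE)

# Constructed sample transcript (not captured traffic).
SAMPLE = """\
S: 220 ftp.example.test FTP server ready.
C: USER anonymous
S: 331 Guest login ok, send your e-mail address as password.
C: PASS guest@example.test
S: 230 Guest login ok, access restrictions apply.
C: SITE EXEC ls
S: 200-ls
C: USER alice
S: 331 Password required for alice.
C: PASS ********
S: 230 User alice logged in.
C: site  exec ls -l
C: SITE HELP
C: QUIT
"""

def find_site_exec(transcript):
    """Return one dict per SITE EXEC command seen in a single FTP session."""
    user, authed, findings = None, False, []
    for lineno, raw in enumerate(transcript.splitlines(), 1):
        side, sep, text = raw.strip().partition(":")
        if not sep:
            continue                      # not a "C:" / "S:" line
        text = text.strip()
        if side == "S":
            # 230 is the RFC 959 "user logged in" reply (also matches "230-")
            if text.startswith("230") and user is not None:
                authed = True
            continue
        if side != "C":
            continue
        verb, _, arg = text.partition(" ")
        if verb.upper() == "USER":        # a new USER resets the login state
            user, authed = arg.strip(), False
            continue
        m = SITE_EXEC.match(text)
        if m:
            real = authed and (user or "").lower() not in ANON_USERS
            findings.append({"line": lineno, "user": user, "authenticated": authed,
                             "real_account": real, "argument": m.group(1).strip()})
    return findings
```

Findings with `real_account` set to True are the ones to review first, since only those sessions resolve /bin against the real filesystem root.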

Affected Products

  • Washington University wu-ftpd 2.4.1

References

  • BugTraq: 2241
  • CVE: CVE-1999-0080
  • URL: http://www.cert.org/advisories/CA-1995-16.html

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.