[Original text] Format string vulnerability in wu-ftp 2.6.1 and earlier, when running with debug mode enabled, allows remote attackers to execute arbitrary commands via a malformed argument that is recorded in a PASV port assignment.
Wu-ftpd is a widely used Unix FTP server. It contains a format string vulnerability that may be exploitable under certain (perhaps 'extreme') circumstances.
When running in debug mode, Wu-ftpd logs user activity to syslog in an insecure manner. An attacker with control over the server's hostname resolution facility could exploit this vulnerability to gain root access remotely on the victim host.
The following example demonstrates the vulnerability.
Note: /etc/hosts is used here as the example name resolution mechanism; it could equally be DNS, NIS, etc.
$ grep 127.0.0.1 /etc/hosts
$ grep ftpd /etc/inetd.conf
ftp stream tcp nowait root /usr/sbin/tcpd /tmp/wuftpd-2.6.0/src/ftpd -v
$ ncftpget -F 127.0.0.1 /tmp /usr/lib/ld.so
$ tail /var/log/syslog.debug
Jan 24 14:17:01 xxx ftpd: PASV port 47479 assigned to 80862b0806487eb9778084da87bffff16c9640151020bfffe108401c9004 [127.0.0.1]
..<snip extra output>..
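The defensive counterpart to the log line above, as an added example (not wu-ftpd source code): the resolver-supplied hostname is validated and only ever passed as an argument to a constant format string. The function names and the "(invalid hostname)" placeholder are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Accept only hostname characters (letters, digits, '-', '.');
 * '%', whitespace and control bytes are rejected. */
int hostname_is_clean(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || n > 255)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Build the message with a constant format string; resolver-supplied
 * text is only ever an argument. Returns 0 on success, -1 if truncated. */
int format_pasv_log(char *out, size_t outlen, int port,
                    const char *host, const char *ip)
{
    const char *shown = hostname_is_clean(host) ? host : "(invalid hostname)";
    int n = snprintf(out, outlen, "PASV port %d assigned to %s [%s]",
                     port, shown, ip);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* UNSAFE: syslog(LOG_DEBUG, msg);        msg is parsed for conversions
 * SAFE:   syslog(LOG_DEBUG, "%s", msg);  msg is logged as plain data */
void log_pasv(int port, const char *host, const char *ip)
{
    char msg[512];
    if (format_pasv_log(msg, sizeof msg, port, host, ip) == 0)
        syslog(LOG_DEBUG, "%s", msg);
}

int main(void)
{
    char msg[512];
    /* Constructed sample: a resolver answer carrying conversion specifiers. */
    format_pasv_log(msg, sizeof msg, 47479, "%x%x%x%x", "127.0.0.1");
    puts(msg);
    return 0;
}
```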
WU-FTPD Debug Mode Client Hostname Remote Format String
Local / Remote
Loss of Integrity
WU-FTPD contains a flaw that may allow a remote attacker to execute arbitrary code. The issue occurs when the service runs in 'debug' mode and an attacker has control over ident information being returned to the server. By manipulating the ident data returned to the host when requested by RFC 931 based authentication, an attacker can provide custom data with user-supplied format string identifiers that are passed to the syslog facility. This can be abused to overwrite portions of the system memory and execute arbitrary code.
Upgrade to version 2.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.