exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Sep 23, 1999


SHA-256 | a9d09fcf0c68254fc5d5910986d5d49106cfa8576d7e7a48be432c5c60f340ed


Change Mirror Download

Caldera Security Advisory SA-1997.31: Additional Vulnerabilities in wu-ftpd

Original report date: 11-Dec-1997
RPM build date: 12-Dec-1997
Advisory issue date: 16-Dec-1997

Topic: Additional Vulnerabilities in wu-ftpd 2.4.2 beta 15

I. Problem Description

This document summarizes additional vulnerabilities in the
wu-ftpd 2.4.2 beta 15 FTP server not covered by CERT Advisory
CA-97.27 - "FTP_bounce". The list of affected platforms may not
be limited to systems running under Linux.

II. Impact

Under certain circumstances wu-ftpd 2.4.2 beta 15 allows a remote
user to open a connection to any service on a server running the
vulnerable version of wu-ftpd. Under Linux, the connection will be
established via the loopback interface which could bypass access
controls that assume that connections can be established only via
Ethernet, PPP or SLIP interfaces. Other types of exploits are

This problem was present on the following OpenLinux releases:

Base 1.0
Lite 1.1
Base 1.1
Standard 1.1

To determine if you are affected and need this update execute the

rpm -q wu-ftpd

If the results show wu-ftpd-2.4.2b15-4 or earlier then you will need
to update.

NOTE: The problem described in CERT Advisory CA-97.27 suggests
using wu-ftpd 2.4.2 beta 15. Versions of OpenLinux prior to 1.2
included wu-ftpd release 2.4.2 beta 13 or earlier. However,
this should not be a problem if Caldera Security Advisory
SA-1997.27 has already been applied since it recommends that
wu-ftpd-2.4.2b15-4 be installed. But the version of wu-ftpd 2.4.2
beta 15 described in this document (wu-ftpd-2.4.2b15-5) contains
*additional* security fixes.

III. Solution

The proper solution is to install the new wu-ftpd package.
This package is located on Caldera's FTP server (ftp.caldera.com):

The binary RPM can be obtained at:

The source RPM can be obtained at:

All that is required to do to install the fix is the following:

rpm -U wu-ftpd-2.4.2b15-5.i386.rpm

The MD5 checksums (from the "md5sum" command) for these packages are:

1ce8038acc06eb200e87f2c8024df633 wu-ftpd-2.4.2b15-5.i386.rpm
e81777eae4b6631fd3a9a238bd5da0be wu-ftpd-2.4.2b15-5.src.rpm

IV. References / Credits

This vulnerability was discovered and fixed by Olaf Kirch (email:
okir@caldera.de). Other Linux vendors and CERT have been apprised
of this vulnerability. Time is being given to other vendors
to release their fixes before more details will be published.
According to its maintainer, Stan Barber, release wu-ftpd 2.4.2
Beta 16 is expected on or before 25-Dec-1997.

The CERT Coordination Center is located at:


CERT Advisory CA-97.27: "FTP Bounce" (10-Dec-1997):


CERT Tech Tip "Problems With The FTP PORT Command" (10-Dec-1997):


White Paper: "The FTP Bounce Attack" (12-Jul-1995):


Caldera Security Advisory SA-1997.27: "Vulnerability in wu-ftpd":


This advisory and other Caldera security resources are located at:


This Security Alert closes Caldera internal problem report #1361.

V. PGP Signature

This message was signed with the PGP key for security@caldera.com.

This key can be obtained from:

Or on an OpenLinux CDROM under:

$Id: SA-1997.31,v 1.2 1997/12/16 06:09:27 ron Exp $

Version: 2.6.2

Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By