2133 : WU-FTPD fb_realpath() Function Off-by-one Error
Printer | http://osvdb.org/2133 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
7	497	over 8 years ago	over 2 years ago	4 times	90%

Timeline

Disclosure Date	Exploit Publish Date
2003-07-31	2003-08-04

Description

A local off-by-one overflow exists in WU-FTPD. The fb_realpath() function fails to validate user input resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Local Access Required, Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified

Technical

An off-by-one bug exists in fb_realpath() function. An overflow occurs when the length of a constructed path is equal to the MAXPATHLEN+1 characters while the size of the buffer is MAXPATHLEN characters only. The overflowed buffer lies on the stack. The bug results from misuse of the "rootd" variable in the calculation of length of a concatenated string.

This issue can be exploited remotely via anonymous FTP access. If your FTP server is configured to allow anonymous access, this may allow remote exploitation. If anonymous access is not allowed, this is a local issue only.

Solution

Upgrade to version 2.6.2-12 (Available on some Linux distributions) or higher, as it has been reported to fix this vulnerability. In addition, WU-FTPD Development Group has released a patch for some older versions of the primary distribution.

Products

WU-FTPD Development Group	wu-ftpd	2.5.0
		2.6.0
		2.6.1
		2.6.2

References

ISS X-Force ID: 12785
CVE ID: 2003-0466 (see also: NVD)
SCIP VulDB ID: 218
Related OSVDB ID: 6602
Exploit Database: 74 78
Milw0rm: 74 78
CERT VU: 743092
Bugtraq ID: 8315
Secunia Advisory ID: 9406 9521 9535
Vendor Specific Solution URL: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/realpath.patch
Generic Informational URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=105967301604815&w=2
Generic Exploit URL: http://marc.theaimsgroup.com/?l=bugtraq&m=106001702232325&w=2
http://www.frsirt.com/exploits/08.11.0x82-wu262-advanced.c.php
Vendor Specific Advisory URL: http://www.debian.org/security/2003/dsa-357
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:080
http://www.suse.de/de/security/2003_032_wuftpd.html
http://www.turbolinux.com/security/TLSA-2003-46.txt
http://your.hp.com/m/S.asp?HB14091692265X3612511X395967
https://rhn.redhat.com/errata/RHSA-2003-245.html
Vendor URL: http://www.wuftpd.org/
CIAC Advisory: n-132

Tools & Filters

	11811 12413 13555 13605 13801 15194
Snort	2389 2390 2391

Credit

Wojciech Purczynski - cliphisec.pl - isec.pl
Janusz Niewiadomski - funkyshisec.pl - Isec

CVSSv2 Score

CVSSv2 Base Score = 10.0
Source: nvd.nist.gov | Generated: 2003-12-31 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.