A remote overflow exists in WU-FTPD if S/KEY support is enabled. The skey_challenge function in ftpd.c fails to perform bounds checking on the name variable resulting in a buffer overflow. With a specially crafted request, a remote attacker can execute arbitrary code.

Upgrade to version 2.6.2-13 (Available on some Linux distributions) or higher, as it has been reported to fix this vulnerability. In addition, WU-FTPD Development Group has released a patch for some older versions of the main distribution.

• Secunia Advisory ID: 10077 11350
• ISS X-Force ID: 13518
• CVE ID: 2004-0185 (see also: NVD)
• Bugtraq ID: 8893
• Vendor Specific Solution URL: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/skeychallenge.patch
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-06/0040.html
• Other Advisory URL: http://packetstormsecurity.org/0310-advisories/wuftpd-skey.txt
  http://www.debian.org/security/2004/dsa-457
  http://www.fedoralegacy.org/updates/RH7.3/2004-07-19-FLSA_2004_1553__Updated_sysklogd_resolves_memory_buffer_bug.html
  http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01012
• CIAC Advisory: o-119
• RedHat RHSA: RHSA-2004:096

• Michal Zalewski - lcamtufcoredump.cx -
• Michael Hendrickx - michaelscanit.be - scanit

We currently have no CVSS2 data on this vulnerability. Feel free to suggest it.