A local off-by-one overflow exists in WU-FTPD. The fb_realpath() function fails to validate user input resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
Classification
Location:
Local Access Required,
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Integrity
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
Technical
An off-by-one bug exists in fb_realpath() function. An overflow occurs when the length of a constructed path is equal to the MAXPATHLEN+1 characters while the size of the buffer is MAXPATHLEN characters only. The overflowed buffer lies on the stack. The bug results from misuse of the "rootd" variable in the calculation of length of a concatenated string.
This issue can be exploited remotely via anonymous FTP access. If your FTP server is configured to allow anonymous access, this may allow remote exploitation. If anonymous access is not allowed, this is a local issue only.
Solution
Upgrade to version 2.6.2-12 (Available on some Linux distributions) or higher, as it has been reported to fix this vulnerability. In addition, WU-FTPD Development Group has released a patch for some older versions of the primary distribution.
isec.pl - isec.pl