2133 : WU-FTPD fb_realpath() Function Off-by-one Error
Printer | http://osvdb.org/2133 | Email This | Edit Vulnerability

Views This Week

1

Views All Time

58

Info

Last Modified

6 months ago

Percent Complete

100%

Disclosure

Jul 31, 2003

Discovery

Unknown

Dates

Exploit

Aug 04, 2003

Solution

Unknown

Description

A local off-by-one overflow exists in WU-FTPD. The fb_realpath() function fails to validate user input resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Local Access Required, Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified

Technical

An off-by-one bug exists in fb_realpath() function. An overflow occurs when the length of a constructed path is equal to the MAXPATHLEN+1 characters while the size of the buffer is MAXPATHLEN characters only. The overflowed buffer lies on the stack. The bug results from misuse of the "rootd" variable in the calculation of length of a concatenated string.

This issue can be exploited remotely via anonymous FTP access. If your FTP server is configured to allow anonymous access, this may allow remote exploitation. If anonymous access is not allowed, this is a local issue only.

Solution

Upgrade to version 2.6.2-12 (Available on some Linux distributions) or higher, as it has been reported to fix this vulnerability. In addition, WU-FTPD Development Group has released a patch for some older versions of the primary distribution.

Products

WU-FTPD Development Group
Watch-list
wu-ftpd
Watch-list
2.5.0
2.6.1
2.6.2
2.6.0

References

Tools & Filters

Nessus

11811 12413 13555 13605 13801 15194

Snort

2389 2390 2391

Credit

  • Wojciech Purczynski - cliphBrand New Doo Dooisec.pl - isec.pl
  • Janusz Niewiadomski - funkyshBrand New Doo Dooisec.pl - Isec

Blogs

None found at this time

Comments

No Comments.

DONATE NOW!

User Status

Quick Searches

Advertisements

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2008 Open Source Vulnerability Database (OSVDB), All Rights Reserved.
Privacy Statement - Terms of Use