isec-0011-wu-ftpd.txt
Posted Aug 5, 2003
Authored by Wojciech Purczynski, Janusz Niewiadomski

wu-ftpd versions 2.5.0 to 2.6.2 have been found to be susceptible to an off-by-one bug in fb_realpath(). A local or remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.

tags | advisory, remote, local, root
advisories | CVE-2003-0466
SHA-256 | 26d10c27b7202a5cb1389a5a1f1668d76a81ead7b06f38bae80956501c6824ce


Synopsis: wu-ftpd fb_realpath() off-by-one bug
Product: wu-ftpd
Version: 2.5.0 <= 2.6.2
Vendor: http://www.wuftpd.org/

URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466
Author: Wojciech Purczynski <cliph@isec.pl>
Janusz Niewiadomski <funkysh@isec.pl>
Date: July 31, 2003


Issue:
======

The wu-ftpd FTP server contains a remotely exploitable off-by-one bug. A local
or remote attacker could exploit this vulnerability to gain root
privileges on a vulnerable system.


Details:
========

An off-by-one bug exists in the fb_realpath() function. An overflow occurs
when the length of a constructed path (including its terminating NUL) equals
MAXPATHLEN+1 characters while the destination buffer holds only MAXPATHLEN
characters. The overflowed buffer lies on the stack.

The bug results from the misuse of the rootd variable in the calculation of
the length of the concatenated string:

------8<------cut-here------8<------
    /*
     * Join the two strings together, ensuring that the right thing
     * happens if the last component is empty, or the dirname is root.
     */
    if (resolved[0] == '/' && resolved[1] == '\0')
        rootd = 1;
    else
        rootd = 0;

    if (*wbuf) {
        /* rootd is 1 exactly when no '/' separator is appended below,
         * so adding it here counts the wrong case: whenever rootd == 0
         * the separator is appended but the terminator's byte is not
         * accounted for. */
        if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
            errno = ENAMETOOLONG;
            goto err1;
        }
        if (rootd == 0)
            (void) strcat(resolved, "/");
        (void) strcat(resolved, wbuf);
    }
------8<------cut-here------8<------

Since the path is constructed from the current working directory and a file
name passed as a parameter to various FTP commands, an attacker needs to
create a deep directory structure to reach the MAXPATHLEN boundary.
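The following C program is an added example; it is not part of the iSEC advisory or of the wu-ftpd source. It reproduces the quoted length test with a constructed 16-byte DEMO_MAXPATHLEN and constructed path components, and places it beside a corrected check that counts the '/' separator only when one is actually appended and always counts the terminating NUL. The names join_bytes_needed, vulnerable_check_accepts, fixed_check_accepts and safe_join are hypothetical and introduced here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deliberately small buffer size so the boundary can be checked by hand
 * (constructed for this demonstration; the real code uses MAXPATHLEN). */
#define DEMO_MAXPATHLEN 16

/* Constructed sample inputs: DEMO_DIR is 9 characters, DEMO_FILE is 6,
 * DEMO_ROOT_FILE is 14. */
static const char DEMO_DIR[] = "/aaaaaaaa";
static const char DEMO_FILE[] = "bbbbbb";
static const char DEMO_ROOT_FILE[] = "cccccccccccccc";

/* rootd as fb_realpath() computes it: 1 only when resolved is exactly "/". */
static int is_rootd(const char *resolved)
{
    return resolved[0] == '/' && resolved[1] == '\0';
}

/* Bytes the joined path really occupies: the existing prefix, a '/'
 * separator unless the prefix is already "/", the component, and the
 * terminating NUL. */
size_t join_bytes_needed(const char *resolved, const char *wbuf)
{
    return strlen(resolved) + (is_rootd(resolved) ? 0 : 1) + strlen(wbuf) + 1;
}

/* The length test exactly as the advisory quotes it. It adds rootd when no
 * separator is appended and adds nothing when one is, so it is one byte
 * short in the common (non-root) case. Returns true when the join is allowed. */
bool vulnerable_check_accepts(const char *resolved, const char *wbuf)
{
    int rootd = is_rootd(resolved);
    return !(strlen(resolved) + strlen(wbuf) + rootd + 1 > DEMO_MAXPATHLEN);
}

/* Corrected accounting: compare the real requirement, NUL included,
 * against the buffer size. */
bool fixed_check_accepts(const char *resolved, const char *wbuf)
{
    return join_bytes_needed(resolved, wbuf) <= DEMO_MAXPATHLEN;
}

/* Bounded join into a buffer of bufsize bytes. Returns 0 on success; on
 * overflow it leaves the buffer untouched and returns -1 with errno set to
 * ENAMETOOLONG, mirroring the error path of the quoted code. */
int safe_join(char *resolved, size_t bufsize, const char *wbuf)
{
    if (*wbuf == '\0')
        return 0;
    if (join_bytes_needed(resolved, wbuf) > bufsize) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (!is_rootd(resolved))
        strcat(resolved, "/");
    strcat(resolved, wbuf);
    return 0;
}

int main(void)
{
    char buf[DEMO_MAXPATHLEN];

    /* Non-root prefix: the original check passes a join that needs 17 bytes
     * in a 16-byte buffer; the extra byte is the NUL written past the end. */
    printf("needed=%zu vulnerable=%d fixed=%d\n",
           join_bytes_needed(DEMO_DIR, DEMO_FILE),
           vulnerable_check_accepts(DEMO_DIR, DEMO_FILE),
           fixed_check_accepts(DEMO_DIR, DEMO_FILE));

    /* Root prefix: the inverted rootd makes the original check one byte
     * too strict instead, rejecting a join that actually fits. */
    printf("needed=%zu vulnerable=%d fixed=%d\n",
           join_bytes_needed("/", DEMO_ROOT_FILE),
           vulnerable_check_accepts("/", DEMO_ROOT_FILE),
           fixed_check_accepts("/", DEMO_ROOT_FILE));

    /* The bounded join refuses the overflowing case and leaves buf intact. */
    strcpy(buf, DEMO_DIR);
    if (safe_join(buf, sizeof buf, DEMO_FILE) != 0)
        printf("safe_join refused: %s (buf still \"%s\")\n", strerror(errno), buf);
    return 0;
}
```

Compile with a plain C compiler and run it: the first line shows the original test accepting a join that needs 17 bytes of a 16-byte buffer, and the second shows the same inverted rootd making the root-directory case one byte too strict, which is why the advisory's deep-directory precondition matters only for non-root prefixes.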

The following FTP commands may be used to trigger the buffer overflow:

STOR
RETR
APPE
DELE
MKD
RMD
STOU
RNTO

This bug may not be exploitable if the size of the buffer is greater than
MAXPATHLEN characters. This can happen, for example, when wu-ftpd is compiled
against some Linux kernel versions where PATH_MAX (and therefore MAXPATHLEN)
is defined to be exactly 4095 characters. In such cases the buffer is padded
with an extra byte because of variable alignment introduced by compiler
optimization.

Linux 2.2.x and some early 2.4.x kernel versions define PATH_MAX to be
4095 characters, so only wu-ftpd binaries compiled on 2.0.x or later 2.4.x
kernels are affected.


Exploit:
========

We investigated and successfully exploited this vulnerability on x86 based
Linux system running 2.4.19 kernel. We believe that exploitation of other
little-endian systems is also possible.


Impact:
=======

An authenticated local user or an anonymous FTP user with write access could
execute arbitrary code with root privileges.


Vendor Status:
==============

June 1, 2003 security@wu-ftpd.org has been notified
June 9, 2003 Request for confirmation of receipt sent to security@wu-ftpd.org
June 11, 2003 Response received from Kent Landfield
July 3, 2003 Request for status update sent
July 19, 2003 vendor-sec list notified
July 31, 2003 Coordinated public disclosure


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0466 to this issue.

--
Janusz Niewiadomski
iSEC Security Research
http://isec.pl/

