ID CVE-2004-0148
Summary wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
References
Vulnerable Configurations
  • SGI ProPack 2.3
    cpe:2.3:a:sgi:propack:2.3
  • SGI ProPack 2.4
    cpe:2.3:a:sgi:propack:2.4
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.1
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta2:-:academ
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18:-:academ
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr4
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr5
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr6
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr7
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr8
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr9
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr10
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr11
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr12
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr13
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr14
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_beta18_vr15
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_vr16
  • cpe:2.3:a:washington_university:wu-ftpd:2.4.2_vr17
  • cpe:2.3:a:washington_university:wu-ftpd:2.5.0
  • cpe:2.3:a:washington_university:wu-ftpd:2.6.0
  • cpe:2.3:a:washington_university:wu-ftpd:2.6.1
  • cpe:2.3:a:washington_university:wu-ftpd:2.6.2
CVSS
Base: 7.2 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family FTP
    NASL id WU_FTPD_RESTRICTED_GID_BYPASS.NASL
    description The remote host is running wu-ftpd 2.6.2 or older. There is a bug in this version which may allow an attacker to bypass the 'restricted-gid' feature and gain unauthorized access to otherwise restricted directories. Nessus solely relied on the banner of the remote FTP server, so this might be a false positive.
    last seen 2019-02-21
    modified 2018-08-07
    plugin id 12098
    published 2004-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12098
    title WU-FTPD restricted-gid Directory Access Restriction Bypass
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHNE_29462.NASL
    description s700_800 11.22 ftpd(1M) and ftp(1) patch : The remote HP-UX host is affected by multiple vulnerabilities : - A potential vulnerability has been identified with HP-UX running ftpd where the vulnerability could be exploited to allow a remote authorized user unauthorized access to files. (HPSBUX01119 SSRT4694) - A potential security vulnerability has been identified with HP-UX running ftp where the vulnerability could be exploited remotely to allow unauthorized access. (HPSBUX01050 SSRT3456) - The wu-ftpd program is potentially vulnerable to a buffer overflow. (HPSBUX00277 SSRT3606) - A potential security vulnerability has been identified with HP-UX running ftpd, where a buffer overflow in ftpd could be remotely exploited to allow an unauthorized user to gain privileged access. (HPSBUX01118 SSRT4883) - A potential vulnerability has been identified with HP-UX running wu-ftpd with the restricted gid option enabled where the vulnerability could be exploited by a local user to gain unauthorized access to files. (HPSBUX01059 SSRT4704)
    last seen 2019-02-21
    modified 2016-01-14
    plugin id 16907
    published 2005-02-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16907
    title HP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-096.NASL
    description An updated wu-ftpd package that fixes two security issues is now available. The wu-ftpd package contains the Washington University FTP (File Transfer Protocol) server daemon. FTP is a method of transferring files between machines. Glenn Stewart discovered a flaw in wu-ftpd. When configured with 'restricted-gid home', an authorized user could use this flaw to circumvent the configured home directory restriction by using chmod. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0148 to this issue. Michael Hendrickx found a flaw in the S/Key login handling. On servers using S/Key authentication, a remote attacker could overflow a buffer and potentially execute arbitrary code. Users of wu-ftpd are advised to upgrade to this updated package, which contains backported security patches and is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12475
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12475
    title RHEL 2.1 : wu-ftpd (RHSA-2004:096)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-457.NASL
    description Two vulnerabilities were discovered in wu-ftpd : - CAN-2004-0148 Glenn Stewart discovered that users could bypass the directory access restrictions imposed by the restricted-gid option by changing the permissions on their home directory. On a subsequent login, when access to the user's home directory was denied, wu-ftpd would fall back to the root directory. - CAN-2004-0185 A buffer overflow existed in wu-ftpd's code which deals with S/key authentication.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15294
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15294
    title Debian DSA-457-1 : wu-ftpd - several vulnerabilities
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHNE_31732.NASL
    description s700_800 11.23 ftpd(1M) and ftp(1) patch : A potential vulnerability has been identified with HP-UX running wu-ftpd with the restricted gid option enabled where the vulnerability could be exploited by a local user to gain unauthorized access to files.
    last seen 2019-02-21
    modified 2013-04-20
    plugin id 26128
    published 2007-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26128
    title HP-UX PHNE_31732 : HP-UX Running wu-ftpd Local Unauthorized Access (HPSBUX01059 SSRT4704 rev.4)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_WUFTPD_262_3.NASL
    description The following package needs to be updated: wu-ftpd+ipv6
    last seen 2016-09-26
    modified 2011-10-03
    plugin id 12622
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12622
    title FreeBSD : wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed (201)
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHNE_30983.NASL
    description s700_800 11.23 ftpd(1M) patch : The remote HP-UX host is affected by multiple vulnerabilities : - A potential vulnerability has been identified with HP-UX running wu-ftpd with the restricted gid option enabled where the vulnerability could be exploited by a local user to gain unauthorized access to files. (HPSBUX01059 SSRT4704) - A potential vulnerability has been identified with HP-UX running ftpd where the vulnerability could be exploited to allow a remote authorized user unauthorized access to files. (HPSBUX01119 SSRT4694)
    last seen 2019-02-21
    modified 2013-04-20
    plugin id 17422
    published 2005-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17422
    title HP-UX PHNE_30983 : s700_800 11.23 ftpd(1M) patch
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_3B7C7F6C710211D8873F0020ED76EF5A.NASL
    description Glenn Stewart reports a bug in wu-ftpd's ftpaccess `restricted-uid'/`restricted-gid' directives : Users can get around the restriction to their home directory by issuing a simple chmod command on their home directory. On the next ftp log in, the user will have '/' as their root directory. Matt Zimmerman discovered that the cause of the bug was a missing check for a restricted user within a code path that is executed only when a certain error is encountered.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 37480
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37480
    title FreeBSD : wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed (3b7c7f6c-7102-11d8-873f-0020ed76ef5a)
oval via4
  • accepted 2006-03-09T12:19:00.000-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    description wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
    family unix
    id oval:org.mitre.oval:def:1147
    status accepted
    submitted 2006-01-30T07:20:00.000-04:00
    title HP-UX wuftpd Privilege Escalation Vulnerability (B.11.11)
    version 31
  • accepted 2010-09-20T04:00:15.821-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Todd Dolinsky
      organization Opsware, Inc.
    • name Jonathan Baker
      organization The MITRE Corporation
    description wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
    family unix
    id oval:org.mitre.oval:def:1636
    status accepted
    submitted 2006-01-30T07:20:00.000-04:00
    title HP-UX wuftpd Privilege Escalation Vulnerability (B.11.22)
    version 35
  • accepted 2006-03-09T12:19:00.000-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    description wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
    family unix
    id oval:org.mitre.oval:def:1637
    status accepted
    submitted 2006-01-30T07:20:00.000-04:00
    title HP-UX wuftpd Privilege Escalation Vulnerability (B.11.00)
    version 31
  • accepted 2010-09-20T04:00:34.087-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Matthew Wojcik
      organization The MITRE Corporation
    • name Todd Dolinsky
      organization Opsware, Inc.
    • name Jonathan Baker
      organization The MITRE Corporation
    description wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
    family unix
    id oval:org.mitre.oval:def:648
    status accepted
    submitted 2006-01-30T07:20:00.000-04:00
    title HP-UX wuftpd Privilege Escalation Vulnerability (B.11.23)
    version 36
redhat via4
advisories
rhsa
id RHSA-2004:096
refmap via4
bid 9832
debian DSA-457
frsirt ADV-2006-1867
hp SSRT4704
sco SCOSA-2005.6
secunia
  • 11055
  • 20168
sunalert 102356
xf wuftpd-restrictedgid-gain-access(15423)
Last major update 17-10-2016 - 22:41
Published 15-04-2004 - 00:00
Last modified 02-05-2018 - 21:29