var-200308-0014
Vulnerability from variot
Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. A function originally derived from 4.4BSD, realpath(3), contains a vulnerability that may permit a malicious user to gain root access to the server. This function was derived from the FreeBSD 3.x tree. Other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discoved to affect various BSD implementations as well. WU-FTPD is implemented in fb_realpath() In the function, the size of the buffer for handling the path is MAXPATHLEN However, the length of the path actually delivered is longer than that. (MAXPATHLEN+1) , one shift (off-by-one) A buffer overflow vulnerability exists.root Arbitrary commands may be executed with sufficient privileges. The 'realpath()' function is a C-library procedure to resolve the canonical, absolute pathname of a file based on a path that may contain values such as '/', './', '../', or symbolic links. A vulnerability that was reported to affect the implementation of 'realpath()' in WU-FTPD has lead to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack- buffer-overflow vulnerability is present in their libc. Other systems are also likely vulnerable. Reportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions. NOTE: Patching the C library alone may not remove all instances of this vulnerability. Statically linked programs may need to be rebuilt with a patched version of the C library. Also, some applications may implement their own version of 'realpath()'. These applications would require their own patches. FreeBSD has published a large list of applications that use 'realpath()'. Administrators of FreeBSD and other systems are urged to review it. For more information, see the advisory 'FreeBSD-SA-03:08.realpath'. The realpath(3) function is used to determine the absolute path name of the rule in the given path name. The realpath(3) function is part of the FreeBSD standard C language library file. If the parsed pathname is 1024 bytes long and contains two directory separators, the buffer passed to the realpath(3) function can be overwritten with a single NUL byte. Applications that typically use the realpath(3) function can cause denial of service, or execute arbitrary code and privilege escalation attacks. sftp-server(8) is part of OpenSSH, and realpath(3) is used to process the chdir command. 1 cdparanoia-3.9. Synopsis: wu-ftpd fb_realpath() off-by-one bug Product: wu-ftpd Version: 2.5.0 <= 2.6.2 Vendor: http://www.wuftpd.org/
URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466 Author: Wojciech Purczynski cliph@isec.pl Janusz Niewiadomski funkysh@isec.pl Date: July 31, 2003
Issue:
Wu-ftpd FTP server contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.
Details:
An off-by-one bug exists in fb_realpath() function. The overflowed buffer lies on the stack.
The bug results from misuse of rootd variable in the calculation of length of a concatenated string:
------8<------cut-here------8<------ / * Join the two strings together, ensuring that the right thing * happens if the last component is empty, or the dirname is root. / if (resolved[0] == '/' && resolved[1] == '\0') rootd = 1; else rootd = 0;
if (*wbuf) {
if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
errno = ENAMETOOLONG;
goto err1;
}
if (rootd == 0)
(void) strcat(resolved, "/");
(void) strcat(resolved, wbuf);
}
------8<------cut-here------8<------
Since the path is constructed from current working directory and a file name specified as an parameter to various FTP commands attacker needs to create deep directory structure. This may occur for example if wu-ftpd is compiled with some versions of Linux kernel where PATH_MAX (and MAXPATHLEN accordingly) is defined to be exactly 4095 characters. In such cases, the buffer is padded with an extra byte because of variable alignment which is a result of code optimization.
Linux 2.2.x and some early 2.4.x kernel versions defines PATH_MAX to be 4095 characters, thus only wu-ftpd binaries compiled on 2.0.x or later 2.4.x kernels are affected. We believe that exploitation of other little-endian systems is also possible.
Impact:
Authenticated local user or anonymous FTP user with write-access could execute arbitrary code with root privileges.
Vendor Status:
June 1, 2003 security@wu-ftpd.org has been notified June 9, 2003 Request for confirmation of receipt sent to security@wu-ftpd.org June 11, 2003 Response received from Kent Landfield July 3, 2003 Request for status update sent July 19, 2003 vendor-sec list notified July 31, 2003 Coordinated public disclosure
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0466 to this issue.
-- Janusz Niewiadomski iSEC Security Research http://isec.pl/
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200308-0014", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "solaris", "scope": "eq", "trust": 1.6, "vendor": "sun", "version": "9.0" }, { "model": "netbsd", "scope": "lte", "trust": 1.0, "vendor": "netbsd", "version": "1.6.1" }, { "model": "wu ftpd", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "2.6.1-16" }, { "model": "mac os x server", "scope": "eq", "trust": 1.0, "vendor": "apple", "version": "10.2.6" }, { "model": "openbsd", "scope": "gte", "trust": 1.0, "vendor": "openbsd", "version": "2.0" }, { "model": "openbsd", "scope": "lte", "trust": 1.0, "vendor": "openbsd", "version": "3.3" }, { "model": "wu-ftpd", "scope": "gte", "trust": 1.0, "vendor": "wuftpd", "version": "2.5.0" }, { "model": "freebsd", "scope": "gte", "trust": 1.0, "vendor": "freebsd", "version": "4.0" }, { "model": "mac os x", "scope": "eq", "trust": 1.0, "vendor": "apple", "version": "10.2.6" }, { "model": "netbsd", "scope": "gte", "trust": 1.0, "vendor": "netbsd", "version": "1.5" }, { "model": "freebsd", "scope": "lte", "trust": 1.0, "vendor": "freebsd", "version": "5.0" }, { "model": "wu-ftpd", "scope": "lte", "trust": 1.0, "vendor": "wuftpd", "version": "2.6.2" }, { "model": null, "scope": null, "trust": 0.8, "vendor": "apple computer", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "conectiva", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "debian", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "freebsd", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "hewlett packard", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "immunix", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "mandrakesoft", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "netbsd", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "openbsd", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "red hat", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "suse", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "sun microsystems", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "turbolinux", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "wu ftpd group", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "wind river", "version": null }, { "model": "red hat linux", "scope": "eq", "trust": 0.8, "vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8", "version": "7.2" }, { "model": "red hat linux", "scope": "eq", "trust": 0.8, "vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8", "version": "7.3" }, { "model": "red hat linux", "scope": "eq", "trust": 0.8, "vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8", "version": "7.1" }, { "model": "red hat linux", "scope": "eq", "trust": 0.8, "vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8", "version": "8.0" }, { "model": "wu-ftpd", "scope": null, "trust": 0.8, "vendor": "university of washington", "version": null }, { "model": "hp-ux", "scope": null, "trust": 0.8, "vendor": "\u30d2\u30e5\u30fc\u30ec\u30c3\u30c8 \u30d1\u30c3\u30ab\u30fc\u30c9", "version": null }, { "model": "asianux server", "scope": null, "trust": 0.8, "vendor": "\u30b5\u30a4\u30d0\u30fc\u30c8\u30e9\u30b9\u30c8\u682a\u5f0f\u4f1a\u793e", "version": null }, { "model": "university wu-ftpd", "scope": "eq", "trust": 0.3, "vendor": "washington", "version": "2.6.2" }, { "model": "university wu-ftpd", "scope": "eq", "trust": 0.3, "vendor": "washington", "version": "2.6.1" }, { "model": "university wu-ftpd", "scope": "eq", "trust": 0.3, "vendor": "washington", "version": "2.6.0" }, { "model": "university wu-ftpd", "scope": "eq", "trust": 0.3, "vendor": "washington", "version": "2.5.0" }, { "model": "solaris 9 x86", "scope": null, "trust": 0.3, "vendor": "sun", "version": null }, { "model": "solaris", "scope": "eq", "trust": 0.3, "vendor": "sun", "version": "9" }, { "model": "communications security ssh2", "scope": "eq", "trust": 0.3, "vendor": "ssh", "version": "3.2.9.1" }, { "model": "wu-ftpd-2.6.2-8.i386.rpm", "scope": null, "trust": 0.3, "vendor": "redhat", "version": null }, { "model": "wu-ftpd-2.6.2-5.i386.rpm", "scope": null, "trust": 0.3, "vendor": "redhat", "version": null }, { "model": "wu-ftpd-2.6.1-18.ia64.rpm", "scope": null, "trust": 0.3, "vendor": "redhat", "version": null }, { "model": "wu-ftpd-2.6.1-18.i386.rpm", "scope": null, "trust": 0.3, "vendor": "redhat", "version": null }, { "model": "wu-ftpd-2.6.1-16.ppc.rpm", "scope": null, "trust": 0.3, "vendor": "redhat", "version": null }, { "model": "wu-ftpd-2.6.1-16.i386.rpm", "scope": null, "trust": 0.3, "vendor": "redhat", "version": null }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "2.9" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "2.8" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "2.7" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "2.6" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "2.5" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "2.4" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "2.3" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "2.2" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "2.1" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "2.0" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "3.3" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "3.2" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "3.1" }, { "model": "openbsd", "scope": "eq", "trust": 0.3, "vendor": "openbsd", "version": "3.0" }, { "model": "netbsd", "scope": "eq", "trust": 0.3, "vendor": "netbsd", "version": "1.6.1" }, { "model": "netbsd", "scope": "eq", "trust": 0.3, "vendor": "netbsd", "version": "1.6" }, { "model": "netbsd", "scope": "eq", "trust": 0.3, "vendor": "netbsd", "version": "1.5.3" }, { "model": "netbsd", "scope": "eq", "trust": 0.3, "vendor": "netbsd", "version": "1.5.2" }, { "model": "netbsd", "scope": "eq", "trust": 0.3, "vendor": "netbsd", "version": "1.5.1" }, { "model": "netbsd", "scope": "eq", "trust": 0.3, "vendor": "netbsd", "version": "1.5" }, { "model": "hp-ux", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "11.22" }, { "model": "hp-ux", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "11.11" }, { "model": "hp-ux", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "11.0" }, { "model": "alpha", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "5.0" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "5.0" }, { "model": "-prerelease", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.8" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.8" }, { "model": "-stable", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.7" }, { "model": "-release", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.7" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.7" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.6.2" }, { "model": "-stable", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.6" }, { "model": "-release", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.6" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.6" }, { "model": "-stablepre2002-03-07", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.5" }, { "model": "-stable", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.5" }, { "model": "-release", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.5" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.5" }, { "model": "-stable", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.4" }, { "model": "-releng", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.4" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.4" }, { "model": "-stable", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.3" }, { "model": "-releng", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.3" }, { "model": "-release", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.3" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.3" }, { "model": "-stablepre122300", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.2" }, { "model": "-stablepre050201", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.2" }, { "model": "-stable", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.2" }, { "model": "-release", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.2" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.2" }, { "model": "-stable", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.1.1" }, { "model": "-release", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.1.1" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.1.1" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.1" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.0.x" }, { "model": "alpha", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.0" }, { "model": "freebsd", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "4.0" }, { "model": "-stablepre2001-07-20", "scope": "eq", "trust": 0.3, "vendor": "freebsd", "version": "3.5.1" }, { "model": "mac os server", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.2.6" }, { "model": "mac os", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.2.6" } ], "sources": [ { "db": "CERT/CC", "id": "VU#743092" }, { "db": "BID", "id": "8315" }, { "db": "JVNDB", "id": "JVNDB-2003-000237" }, { "db": "CNNVD", "id": "CNNVD-200308-136" }, { "db": "NVD", "id": "CVE-2003-0466" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Janusz Niewiadomski\u203b funkysh@isec.pl\u203bWojciech Purczynski\u203b cliph@isec.pl", "sources": [ { "db": "CNNVD", "id": "CNNVD-200308-136" } ], "trust": 0.6 }, "cve": "CVE-2003-0466", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, "id": "CVE-2003-0466", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "HIGH", "trust": 1.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, "id": "VHN-7294", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "HIGH", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "id": "CVE-2003-0466", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2003-0466", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2003-0466", "trust": 1.0, "value": "CRITICAL" }, { "author": "CARNEGIE MELLON", "id": "VU#743092", "trust": 0.8, "value": "6.75" }, { "author": "NVD", "id": "CVE-2003-0466", "trust": 0.8, "value": "Critical" }, { "author": "CNNVD", "id": "CNNVD-200308-136", "trust": 0.6, "value": "CRITICAL" }, { "author": "VULHUB", "id": "VHN-7294", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "CERT/CC", "id": "VU#743092" }, { "db": "VULHUB", "id": "VHN-7294" }, { "db": "JVNDB", "id": "JVNDB-2003-000237" }, { "db": "CNNVD", "id": "CNNVD-200308-136" }, { "db": "NVD", "id": "CVE-2003-0466" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. A function originally derived from 4.4BSD,\u00a0realpath(3), contains a vulnerability that may permit a malicious user to gain root access to the server. This function was derived from the FreeBSD 3.x tree. Other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discoved to affect various BSD implementations as well. WU-FTPD is implemented in fb_realpath() In the function, the size of the buffer for handling the path is MAXPATHLEN However, the length of the path actually delivered is longer than that. (MAXPATHLEN+1) , one shift (off-by-one) A buffer overflow vulnerability exists.root Arbitrary commands may be executed with sufficient privileges. The \u0027realpath()\u0027 function is a C-library procedure to resolve the canonical, absolute pathname of a file based on a path that may contain values such as \u0027/\u0027, \u0027./\u0027, \u0027../\u0027, or symbolic links. A vulnerability that was reported to affect the implementation of \u0027realpath()\u0027 in WU-FTPD has lead to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack- buffer-overflow vulnerability is present in their libc. Other systems are also likely vulnerable. \nReportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions. \nNOTE: Patching the C library alone may not remove all instances of this vulnerability. Statically linked programs may need to be rebuilt with a patched version of the C library. Also, some applications may implement their own version of \u0027realpath()\u0027. These applications would require their own patches. FreeBSD has published a large list of applications that use \u0027realpath()\u0027. Administrators of FreeBSD and other systems are urged to review it. For more information, see the advisory \u0027FreeBSD-SA-03:08.realpath\u0027. The realpath(3) function is used to determine the absolute path name of the rule in the given path name. The realpath(3) function is part of the FreeBSD standard C language library file. If the parsed pathname is 1024 bytes long and contains two directory separators, the buffer passed to the realpath(3) function can be overwritten with a single NUL byte. Applications that typically use the realpath(3) function can cause denial of service, or execute arbitrary code and privilege escalation attacks. sftp-server(8) is part of OpenSSH, and realpath(3) is used to process the chdir command. 1 cdparanoia-3.9. \nSynopsis:\twu-ftpd fb_realpath() off-by-one bug\nProduct:\twu-ftpd\nVersion: \t2.5.0 \u003c= 2.6.2\nVendor:\t\thttp://www.wuftpd.org/\n\nURL:\t\thttp://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt\nCVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466\nAuthor:\t\tWojciech Purczynski \u003ccliph@isec.pl\u003e\n\t\tJanusz Niewiadomski \u003cfunkysh@isec.pl\u003e\nDate:\t\tJuly 31, 2003 \n\n\nIssue:\n======\n\nWu-ftpd FTP server contains remotely exploitable off-by-one bug. A local\nor remote attacker could exploit this vulnerability to gain root\nprivileges on a vulnerable system. \n\n\nDetails:\n========\n\nAn off-by-one bug exists in fb_realpath() function. \nThe overflowed buffer lies on the stack. \n\nThe bug results from misuse of rootd variable in the calculation of\nlength of a concatenated string:\n\n------8\u003c------cut-here------8\u003c------\n /*\n * Join the two strings together, ensuring that the right thing\n * happens if the last component is empty, or the dirname is root. \n */\n if (resolved[0] == \u0027/\u0027 \u0026\u0026 resolved[1] == \u0027\\0\u0027)\n rootd = 1;\n else\n rootd = 0;\n\n if (*wbuf) {\n if (strlen(resolved) + strlen(wbuf) + rootd + 1 \u003e MAXPATHLEN) {\n errno = ENAMETOOLONG;\n goto err1;\n }\n if (rootd == 0)\n (void) strcat(resolved, \"/\");\n (void) strcat(resolved, wbuf);\n }\n------8\u003c------cut-here------8\u003c------\n\nSince the path is constructed from current working directory and a file\nname specified as an parameter to various FTP commands attacker needs to\ncreate deep directory structure. This may occur for example if wu-ftpd is compiled\nwith some versions of Linux kernel where PATH_MAX (and MAXPATHLEN \naccordingly) is defined to be exactly 4095 characters. In such cases,\nthe buffer is padded with an extra byte because of variable alignment \nwhich is a result of code optimization. \n\nLinux 2.2.x and some early 2.4.x kernel versions defines PATH_MAX to be \n4095 characters, thus only wu-ftpd binaries compiled on 2.0.x or later 2.4.x\nkernels are affected. We believe that exploitation of other\nlittle-endian systems is also possible. \n \n\nImpact:\n=======\n\nAuthenticated local user or anonymous FTP user with write-access could\nexecute arbitrary code with root privileges. \n\n\nVendor Status:\n==============\n\nJune 1, 2003\tsecurity@wu-ftpd.org has been notified\nJune 9, 2003\tRequest for confirmation of receipt sent to security@wu-ftpd.org\nJune 11, 2003\tResponse received from Kent Landfield\nJuly 3, 2003 Request for status update sent\nJuly 19, 2003\tvendor-sec list notified\nJuly 31, 2003\tCoordinated public disclosure\n\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2003-0466 to this issue. \n\n-- \nJanusz Niewiadomski\niSEC Security Research\nhttp://isec.pl/\n\n\n", "sources": [ { "db": "NVD", "id": "CVE-2003-0466" }, { "db": "CERT/CC", "id": "VU#743092" }, { "db": "JVNDB", "id": "JVNDB-2003-000237" }, { "db": "BID", "id": "8315" }, { "db": "VULHUB", "id": "VHN-7294" }, { "db": "PACKETSTORM", "id": "31479" } ], "trust": 2.79 }, "exploit_availability": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "reference": "https://www.scap.org.cn/vuln/vhn-7294", "trust": 0.1, "type": "unknown" } ], "sources": [ { "db": "VULHUB", "id": "VHN-7294" } ] }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2003-0466", "trust": 3.7 }, { "db": "CERT/CC", "id": "VU#743092", "trust": 3.3 }, { "db": "BID", "id": "8315", "trust": 2.8 }, { "db": "SECUNIA", "id": "9423", "trust": 1.7 }, { "db": "SECUNIA", "id": "9447", "trust": 1.7 }, { "db": "SECUNIA", "id": "9446", "trust": 1.7 }, { "db": "SECUNIA", "id": "9535", "trust": 1.7 }, { "db": "SECTRACK", "id": "1007380", "trust": 1.7 }, { "db": "OSVDB", "id": "6602", "trust": 1.7 }, { "db": "SECUNIA", "id": "9406", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2003-000237", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-200308-136", "trust": 0.7 }, { "db": "BUGTRAQ", "id": "20030731 WU-FTPD FB_REALPATH() OFF-BY-ONE BUG", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20030804 WU-FTPD-2.6.2 OFF-BY-ONE REMOTE EXPLOIT.", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20060214 RE: LATEST WU-FTPD EXPLOIT :-S", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20060213 LATEST WU-FTPD EXPLOIT :-S", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20030804 OFF-BY-ONE BUFFER OVERFLOW VULNERABILITY IN BSD LIBC REALPATH(3)", "trust": 0.6 }, { "db": "REDHAT", "id": "RHSA-2003:245", "trust": 0.6 }, { "db": "REDHAT", "id": "RHSA-2003:246", "trust": 0.6 }, { "db": "VULNWATCH", "id": "20030731 WU-FTPD FB_REALPATH() OFF-BY-ONE BUG", "trust": 0.6 }, { "db": "SUSE", "id": "SUSE-SA:2003:032", "trust": 0.6 }, { "db": "NETBSD", "id": "NETBSD-SA2003-011.TXT.ASC", "trust": 0.6 }, { "db": "SUNALERT", "id": "1001257", "trust": 0.6 }, { "db": "TURBO", "id": "TLSA-2003-46", "trust": 0.6 }, { "db": "IMMUNIX", "id": "IMNX-2003-7+-019-01", "trust": 0.6 }, { "db": "MANDRAKE", "id": "MDKSA-2003:080", "trust": 0.6 }, { "db": "OVAL", "id": "OVAL:ORG.MITRE.OVAL:DEF:1970", "trust": 0.6 }, { "db": "XF", "id": "12785", "trust": 0.6 }, { "db": "FREEBSD", "id": "FREEBSD-SA-03:08", "trust": 0.6 }, { "db": "DEBIAN", "id": "DSA-357", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "31479", "trust": 0.2 }, { "db": "EXPLOIT-DB", "id": "22976", "trust": 0.1 }, { "db": "EXPLOIT-DB", "id": "22974", "trust": 0.1 }, { "db": "EXPLOIT-DB", "id": "22975", "trust": 0.1 }, { "db": "SEEBUG", "id": "SSVID-62739", "trust": 0.1 }, { "db": "SEEBUG", "id": "SSVID-76759", "trust": 0.1 }, { "db": "SEEBUG", "id": "SSVID-76761", "trust": 0.1 }, { "db": "SEEBUG", "id": "SSVID-76760", "trust": 0.1 }, { "db": "VULHUB", "id": "VHN-7294", "trust": 0.1 } ], "sources": [ { "db": "CERT/CC", "id": "VU#743092" }, { "db": "VULHUB", "id": "VHN-7294" }, { "db": "BID", "id": "8315" }, { "db": "JVNDB", "id": "JVNDB-2003-000237" }, { "db": "PACKETSTORM", "id": "31479" }, { "db": "CNNVD", "id": "CNNVD-200308-136" }, { "db": "NVD", "id": "CVE-2003-0466" } ] }, "id": "VAR-200308-0014", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-7294" } ], "trust": 0.01 }, "last_update_date": "2024-11-22T23:00:38.773000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "245", "trust": 0.8, "url": "http://www.miraclelinux.com/support/update/data/wu-ftpd.html" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2003-000237" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-193", "trust": 1.0 }, { "problemtype": "Determination of boundary conditions (CWE-193) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2003-000237" }, { "db": "NVD", "id": "CVE-2003-0466" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 3.6, "url": "http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt" }, { "trust": 3.5, "url": "http://www.securityfocus.com/bid/8315" }, { "trust": 3.5, "url": "http://www.kb.cert.org/vuls/id/743092" }, { "trust": 3.0, "url": "ftp://ftp.netbsd.org/pub/netbsd/security/advisories/netbsd-sa2003-011.txt.asc" }, { "trust": 3.0, "url": "http://www.turbolinux.com/security/tlsa-2003-46.txt" }, { "trust": 2.7, "url": "http://www.securityfocus.com/archive/1/424852/100/0/threaded" }, { "trust": 2.7, "url": "http://www.securityfocus.com/archive/1/425061/100/0/threaded" }, { "trust": 2.7, "url": "http://www.debian.org/security/2003/dsa-357" }, { "trust": 2.7, "url": "http://download.immunix.org/immunixos/7+/updates/errata/imnx-2003-7+-019-01" }, { "trust": 2.7, "url": "http://www.mandriva.com/security/advisories?name=mdksa-2003:080" }, { "trust": 2.7, "url": "http://www.osvdb.org/6602" }, { "trust": 2.7, "url": "http://www.redhat.com/support/errata/rhsa-2003-245.html" }, { "trust": 2.7, "url": "http://www.redhat.com/support/errata/rhsa-2003-246.html" }, { "trust": 2.7, "url": "http://securitytracker.com/id?1007380" }, { "trust": 2.7, "url": "http://secunia.com/advisories/9423" }, { "trust": 2.7, "url": "http://secunia.com/advisories/9446" }, { "trust": 2.7, "url": "http://secunia.com/advisories/9447" }, { "trust": 2.7, "url": "http://secunia.com/advisories/9535" }, { "trust": 2.7, "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001257.1-1" }, { "trust": 2.7, "url": "http://www.novell.com/linux/security/advisories/2003_032_wuftpd.html" }, { "trust": 2.7, "url": "http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0065.html" }, { "trust": 2.1, "url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a1970" }, { "trust": 2.1, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/12785" }, { "trust": 2.0, "url": "http://marc.info/?l=bugtraq\u0026m=105967301604815\u0026w=2" }, { "trust": 2.0, "url": "http://marc.info/?l=bugtraq\u0026m=106001410028809\u0026w=2" }, { "trust": 2.0, "url": "http://marc.info/?l=bugtraq\u0026m=106001702232325\u0026w=2" }, { "trust": 2.0, "url": "http://marc.info/?l=bugtraq\u0026m=106002488209129\u0026w=2" }, { "trust": 0.9, "url": "http://www.wuftpd.org/" }, { "trust": 0.8, "url": "http://www.secunia.com/advisories/9406/" }, { "trust": 0.8, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2003-0466" }, { "trust": 0.6, "url": "http://xforce.iss.net/xforce/xfdb/12785" }, { "trust": 0.6, "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=106002488209129\u0026w=2" }, { "trust": 0.6, "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=106001702232325\u0026w=2" }, { "trust": 0.6, "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=106001410028809\u0026w=2" }, { "trust": 0.6, "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=105967301604815\u0026w=2" }, { "trust": 0.6, "url": "http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:1970" }, { "trust": 0.3, "url": "http://www.info.apple.com/usen/security/security_updates.html" }, { "trust": 0.3, "url": "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2f56121" }, { "trust": 0.3, "url": "http://sunsolve.sun.com/patches/linux/security.html" }, { "trust": 0.3, "url": "http://www.wu-ftpd.org" }, { "trust": 0.3, "url": "/archive/1/331295" }, { "trust": 0.3, "url": "/archive/1/331723" }, { "trust": 0.1, "url": "http://marc.info/?l=bugtraq\u0026amp;m=105967301604815\u0026amp;w=2" }, { "trust": 0.1, "url": "http://marc.info/?l=bugtraq\u0026amp;m=106002488209129\u0026amp;w=2" }, { "trust": 0.1, "url": "http://marc.info/?l=bugtraq\u0026amp;m=106001702232325\u0026amp;w=2" }, { "trust": 0.1, "url": "http://marc.info/?l=bugtraq\u0026amp;m=106001410028809\u0026amp;w=2" }, { "trust": 0.1, "url": "" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2003-0466" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2003-0466" }, { "trust": 0.1, "url": "http://isec.pl/" } ], "sources": [ { "db": "CERT/CC", "id": "VU#743092" }, { "db": "VULHUB", "id": "VHN-7294" }, { "db": "BID", "id": "8315" }, { "db": "JVNDB", "id": "JVNDB-2003-000237" }, { "db": "PACKETSTORM", "id": "31479" }, { "db": "CNNVD", "id": "CNNVD-200308-136" }, { "db": "NVD", "id": "CVE-2003-0466" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CERT/CC", "id": "VU#743092" }, { "db": "VULHUB", "id": "VHN-7294" }, { "db": "BID", "id": "8315" }, { "db": "JVNDB", "id": "JVNDB-2003-000237" }, { "db": "PACKETSTORM", "id": "31479" }, { "db": "CNNVD", "id": "CNNVD-200308-136" }, { "db": "NVD", "id": "CVE-2003-0466" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2003-07-31T00:00:00", "db": "CERT/CC", "id": "VU#743092" }, { "date": "2003-08-27T00:00:00", "db": "VULHUB", "id": "VHN-7294" }, { "date": "2003-07-31T00:00:00", "db": "BID", "id": "8315" }, { "date": "2007-04-01T00:00:00", "db": "JVNDB", "id": "JVNDB-2003-000237" }, { "date": "2003-08-05T16:57:23", "db": "PACKETSTORM", "id": "31479" }, { "date": "2003-07-31T00:00:00", "db": "CNNVD", "id": "CNNVD-200308-136" }, { "date": "2003-08-27T04:00:00", "db": "NVD", "id": "CVE-2003-0466" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2003-08-15T00:00:00", "db": "CERT/CC", "id": "VU#743092" }, { "date": "2018-05-03T00:00:00", "db": "VULHUB", "id": "VHN-7294" }, { "date": "2007-05-15T19:08:00", "db": "BID", "id": "8315" }, { "date": "2024-02-28T04:21:00", "db": "JVNDB", "id": "JVNDB-2003-000237" }, { "date": "2007-05-11T00:00:00", "db": "CNNVD", "id": "CNNVD-200308-136" }, { "date": "2024-11-20T23:44:48.267000", "db": "NVD", "id": "CVE-2003-0466" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-200308-136" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "realpath(3) function contains off-by-one buffer overflow", "sources": [ { "db": "CERT/CC", "id": "VU#743092" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Boundary Condition Error", "sources": [ { "db": "BID", "id": "8315" }, { "db": "CNNVD", "id": "CNNVD-200308-136" } ], "trust": 0.9 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.