Title: Multiple Vendor FTPD realpath Vulnerability
Severity: HIGH
Description:
There is a vulnerability in ProFTPD versions 1.2.0pre1 and earlier and in wu-ftpd 2.4.2 (beta 18) VR9 and earlier. This vulnerability is a buffer overflow triggered by unusually long path names (directory structures). For example, if a user has write privilages he or she may create an unusually long pathname which due to insuficient bounds checking in ProFTPD will overwrite the stack. This will allow the attacker to insert their own instruction set on the stack to be excuted thereby elavating their access.
The problem is in a bad implementation of the "realpath" function.
Affected Products:
- Caldera OpenLinux 1.3.0
- Debian Linux 2.0.0
- ProFTPD Project ProFTPD 1.2.0pre1
- RedHat Linux 5.0.0
- RedHat Linux 5.1.0
- RedHat Linux 5.2.0 i386
- RedHat wu-ftpd 2.4.2b18-2
- SCO Open Server 5.0.0
- SCO Open Server 5.0.2
- SCO Open Server 5.0.3
- SCO Open Server 5.0.4
- SCO Open Server 5.0.5
- SCO Unixware 7.0.0
- SCO Unixware 7.0.1
- Slackware Linux 3.4.0
- Slackware Linux 3.5.0
- Slackware Linux 3.6.0
- Washington University wu-ftpd 2.4.2 (beta 18) VR9
- Washington University wu-ftpd 2.4.2 academ[BETA-18]
References:
- Debian GNU/Linux: Debian FTP packages: Buffer overflow in some ftp servers
- Netect: Netect Discovers Threatening FTP Server Vulnerability
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
