SCAN: WU-FTPD realpath() Buffer Overflow (1)

This signature detects attempts to exploit a known vulnerability against the realpath() function in Wu-FTPD, a software package that provides File Transfer Protocol (FTP) services for UNIX and Linux systems. WU-FTPD version 2.5.0 and earlier are vulnerable. Attackers can send a maliciously crafted FTP pathname to overflow a buffer in realpath() and execute arbitrary commands with administrator privileges.

Extended Description

There is a buffer overflow vulnerability present in versions of wu-ftpd 2.5 and below (and its derivatives). It is similar to the previous wu-ftpd bug, being related to path and path translation. The static array mapped_path is copied into a local buffer on the stack without bounds checking, allowing overflowing of the buffer and the execution of arbitrary code (as root). Systems running the vulnerable versions of wu-ftpd allowing anonymous access with writeable directories (ie. incoming) are especially vulnerable. The consequence is a possible remote root compromise through anonymous ftp (if enabled), or an almost guaranteed remote root compromise through a known user account/password. The code in question defines the function 'getcwd' to be 'mapped_path_cwd'. The mapped_path_cwd does not perform bounsd checking. When an FTP client sensd a CWD command the 'pwd' function is called which in turn calls 'getcwd' passing it a buffer in the stack of length MAXPATHLEN + 1.

Affected Products

Beroftpd beroftpd

References

BugTraq: 599

CVE: CVE-1999-0878

URL: http://secunia.com/advisories/9406" http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

Short Name

SCAN:MISC:FTP:REALPATH-OF1

Severity

Warning

Recommended

False

Recommended Action

None

SCAN: WU-FTPD realpath() Buffer Overflow (1)

Extended Description

Affected Products

References

Found a potential security threat?