Signature Detail

FTP: WU-FTPD 2.4 Overflow (ADM exploit)

This signature detects attempts to exploit a known vulnerability against the DELE command in a WU-ftpd server. Wu-ftpd versions 2.4 and prior (Academ beta12-18 included) are vulnerable. This can be a standard ADM exploit; attackers can log in anonymously using a different default password. Note: If the default password is changed, this buffer overflow can also be detected as a protocol anomaly (assuming the FTP module is in use).

Extended Description

The 'realpath()' function is a C-library procedure to resolve the canonical, absolute pathname of a file based on a path that may contain values such as '/', './', '../', or symbolic links. A vulnerability that was reported to affect the implementation of 'realpath()' in WU-FTPD has lead to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack- buffer-overflow vulnerability is present in their libc. Other systems are also likely vulnerable. Reportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions. NOTE: Patching the C library alone may not remove all instances of this vulnerability. Statically linked programs may need to be rebuilt with a patched version of the C library. Also, some applications may implement their own version of 'realpath()'. These applications would require their own patches. FreeBSD has published a large list of applications that use 'realpath()'. Administrators of FreeBSD and other systems are urged to review it. For more information, see the advisory 'FreeBSD-SA-03:08.realpath'.

Affected Products

• Apple Mac OS X 10.2.6
• Apple Mac OS X Server 10.2.6
• FreeBSD 3.5.1 -Stablepre2001-07-20
• FreeBSD 4.0.0
• FreeBSD 4.0.0 Alpha
• FreeBSD 4.0.0 .X
• FreeBSD 4.1.0
• FreeBSD 4.1.1
• FreeBSD 4.1.1 -RELEASE
• FreeBSD 4.1.1 -STABLE
• FreeBSD 4.2.0
• FreeBSD 4.2.0 -RELEASE
• FreeBSD 4.2.0 -STABLE
• FreeBSD 4.2.0 -Stablepre050201
• FreeBSD 4.2.0 -Stablepre122300
• FreeBSD 4.3.0
• FreeBSD 4.3.0 -RELEASE
• FreeBSD 4.3.0 -RELENG
• FreeBSD 4.3.0 -STABLE
• FreeBSD 4.4.0
• FreeBSD 4.4.0 -RELENG
• FreeBSD 4.4.0 -STABLE
• FreeBSD 4.5.0
• FreeBSD 4.5.0 -RELEASE
• FreeBSD 4.5.0 -STABLE
• FreeBSD 4.5.0 -Stablepre2002-03-07
• FreeBSD 4.6.0
• FreeBSD 4.6.0 -RELEASE
• FreeBSD 4.6.0 -STABLE
• FreeBSD 4.6.2
• FreeBSD 4.7.0
• FreeBSD 4.7.0 -RELEASE
• FreeBSD 4.7.0 -STABLE
• FreeBSD 4.8.0
• FreeBSD 4.8.0 -PRERELEASE
• FreeBSD 5.0.0
• FreeBSD 5.0.0 Alpha
• HP HP-UX 11.0.0
• HP HP-UX 11.11.0
• HP HP-UX 11.22.0
• NetBSD 1.5.0
• NetBSD 1.5.1
• NetBSD 1.5.2
• NetBSD 1.5.3
• NetBSD 1.6.0
• NetBSD 1.6.1
• OpenBSD 2.0.0
• OpenBSD 2.1.0
• OpenBSD 2.2.0
• OpenBSD 2.3.0
• OpenBSD 2.4.0
• OpenBSD 2.5.0
• OpenBSD 2.6.0
• OpenBSD 2.7.0
• OpenBSD 2.8.0
• OpenBSD 2.9.0
• OpenBSD 3.0
• OpenBSD 3.1
• OpenBSD 3.2
• OpenBSD 3.3
• Red Hat wu-ftpd-2.6.1-16.i386.rpm
• Red Hat wu-ftpd-2.6.1-16.ppc.rpm
• Red Hat wu-ftpd-2.6.1-18.i386.rpm
• Red Hat wu-ftpd-2.6.1-18.ia64.rpm
• Red Hat wu-ftpd-2.6.2-5.i386.rpm
• Red Hat wu-ftpd-2.6.2-8.i386.rpm
• SSH Communications Security SSH2 3.2.9.1
• Sun Solaris 9 Sparc
• Sun Solaris 9 X86
• Washington University wu-ftpd 2.5.0 .0
• Washington University wu-ftpd 2.6.0 .0
• Washington University wu-ftpd 2.6.1
• Washington University wu-ftpd 2.6.2

References

• BugTraq: 8315
• CVE: CVE-2003-0466
• URL: http://www.securityfocus.com/archive/1/12937/1999-03-20/1999-03-26/0