Signature Detail

FTP: WU-FTPD Linux x86 Buffer Overflow

This signature detects attempts to exploit the input validation vulnerability in wuFTPd running on LINUX. All versions are susceptible. Because user input goes directly into a format string for a *printf function, attackers can overwrite data on a stack, such as a return address, access the shell code pointed to by the overwritten eip, and execute arbitrary commands. This same attack can be successful seen against ProFTPD servers.

Extended Description

There is a vulnerability in ProFTPD versions 1.2.0pre1 and earlier and in wu-ftpd 2.4.2 (beta 18) VR9 and earlier. This vulnerability is a buffer overflow triggered by unusually long path names (directory structures). For example, if a user has write privilages he or she may create an unusually long pathname which due to insuficient bounds checking in ProFTPD will overwrite the stack. This will allow the attacker to insert their own instruction set on the stack to be excuted thereby elavating their access. The problem is in a bad implementation of the "realpath" function.

Affected Products

• Caldera OpenLinux 1.3.0
• Debian Linux 2.0.0
• ProFTPD Project ProFTPD 1.2.0 Pre1
• Red Hat Linux 5.0.0
• Red Hat Linux 5.1.0
• Red Hat wu-ftpd 2.4.2 b18-2
• SCO Open Server 5.0.0
• SCO Open Server 5.0.2
• SCO Open Server 5.0.3
• SCO Open Server 5.0.4
• SCO Open Server 5.0.5
• SCO Unixware 7.0.0
• SCO Unixware 7.0.1
• Slackware Linux 3.4.0
• Slackware Linux 3.5.0
• Slackware Linux 3.6.0
• Washington University wu-ftpd 2.4.2 academ[BETA-18]
• Washington University wu-ftpd 2.4.2 (beta 18) VR9

References

• BugTraq: 113
• CERT: CA-1999-03
• CVE: CVE-1999-0368
• URL: http://seclists.org/lists/vuln-dev/2001/Sep/0258.html