Signature Detail
Short Name |
FTP:WU-FTP:SETPROCTITLE |
|---|---|
Severity |
Critical |
Recommended |
No |
Recommended Action |
Drop |
Category |
FTP |
Keywords |
WU-FTPD Setproctitle() Format String |
Release Date |
2003/04/23 |
Update Number |
1213 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
FTP: WU-FTPD Setproctitle() Format String
This signature detects an attempt to exploit a ftp daemon by submitting a malicious SITE request containing format string characters. Successful exploitation can allow an attacker to execute arbitrary code with user privileges running the ftp daemon.
Extended Description
A number of ftp daemons, including versions of wu-ftpd, OpenBSD ftpd (ports of this package are distributed with some Linux distributions), HP-UX ftpd, and proftpd, have a vulnerability caused by the passing of user input to the set_proc_title() function. This function in turn calls setproctitle() after using this user data to generate a buffer to pass to setproctitle. setproctitle is defined as setproctitle(char *fmt, ...). The buffer created is passed as the format argument to setproctitle. setproctitle will make a call to the vsnprintf() call, taking the buffer passed as the format string. By carefully manipulating the contents of this buffer, a remote user can cause values on the stack to be overwritten, and potentially cause arbitrary code to be executed as root.
Affected Products
- Debian Linux 2.1.0
- Debian Linux 2.2.0
- FreeBSD 1.1.5 .1
- FreeBSD 2.0.0
- FreeBSD 2.0.5
- FreeBSD 2.1.0
- FreeBSD 2.1.5
- FreeBSD 2.1.6
- FreeBSD 2.1.6 .1
- FreeBSD 2.1.7 .1
- HP HP-UX 10.10.0
- HP HP-UX 10.20.0
- HP HP-UX 11.0.0
- Linux ftpd 0.16.0
- NetBSD 1.0.0
- NetBSD 1.1.0
- NetBSD 1.2.0
- NetBSD 1.2.1
- NetBSD 1.3.0
- NetBSD 1.3.1
- NetBSD 1.3.2
- NetBSD 1.3.3
- NetBSD 1.4.0 Alpha
- NetBSD 1.4.0 arm32
- NetBSD 1.4.0 SPARC
- NetBSD 1.4.0 x86
- NetBSD 1.4.1 Alpha
- NetBSD 1.4.1 arm32
- NetBSD 1.4.1 SPARC
- NetBSD 1.4.1 x86
- NetBSD 1.4.2 Alpha
- NetBSD 1.4.2 arm32
- NetBSD 1.4.2 SPARC
- NetBSD 1.4.2 x86
- OpenBSD 2.0.0
- OpenBSD 2.1.0
- OpenBSD 2.2.0
- OpenBSD 2.3.0
- OpenBSD 2.4.0
- OpenBSD 2.5.0
- OpenBSD 2.6.0
- OpenBSD 2.7.0
- opieftpd ftp 1.3.0
- ProFTPD Project ProFTPD 1.2.0 Pre1
- ProFTPD Project ProFTPD 1.2.0 Pre10
- ProFTPD Project ProFTPD 1.2.0 Pre2
- ProFTPD Project ProFTPD 1.2.0 Pre3
- ProFTPD Project ProFTPD 1.2.0 Pre4
- ProFTPD Project ProFTPD 1.2.0 Pre5
- ProFTPD Project ProFTPD 1.2.0 Pre6
- ProFTPD Project ProFTPD 1.2.0 Pre7
- ProFTPD Project ProFTPD 1.2.0 Pre8
- ProFTPD Project ProFTPD 1.2.0 Pre9
- SuSE Linux 6.0.0
- SuSE Linux 6.1.0
- SuSE Linux 6.2.0
- SuSE Linux 6.3.0
- SuSE Linux 6.3.0 alpha
- SuSE Linux 6.3.0 ppc
- SuSE Linux 6.4.0
- SuSE Linux 6.4.0 Alpha
- SuSE Linux 6.4.0 ppc
References