Signature Detail

FTP: ProFTP/wuFTPd Linux x86 Long Pathname Buffer Overflow (1)

This signature detects attempts to exploit a realpath vulnerability in ProFTPD and wuFTPd running on LINUX. Versions ProFTPD 1.2pre1 and earlier and wuFTPd 2.4.2 (beta 18) VR9 and earlier are susceptible. Attackers can gain write access, remotely create long pathnames, and overflow the buffer to gain root access.

Extended Description

There is a vulnerability in ProFTPD versions 1.2.0pre1 and earlier and in wu-ftpd 2.4.2 (beta 18) VR9 and earlier. This vulnerability is a buffer overflow triggered by unusually long path names (directory structures). For example, if a user has write privilages he or she may create an unusually long pathname which due to insuficient bounds checking in ProFTPD will overwrite the stack. This will allow the attacker to insert their own instruction set on the stack to be excuted thereby elavating their access. The problem is in a bad implementation of the "realpath" function.

Affected Products

• Caldera OpenLinux 1.3.0
• Debian Linux 2.0.0
• ProFTPD Project ProFTPD 1.2.0 Pre1
• Red Hat Linux 5.0.0
• Red Hat Linux 5.1.0
• Red Hat wu-ftpd 2.4.2 b18-2
• SCO Open Server 5.0.0
• SCO Open Server 5.0.2
• SCO Open Server 5.0.3
• SCO Open Server 5.0.4
• SCO Open Server 5.0.5
• SCO Unixware 7.0.0
• SCO Unixware 7.0.1
• Slackware Linux 3.4.0
• Slackware Linux 3.5.0
• Slackware Linux 3.6.0
• Washington University wu-ftpd 2.4.2 academ[BETA-18]
• Washington University wu-ftpd 2.4.2 (beta 18) VR9

References

• BugTraq: 113
• CERT: CA-1999-03
• CVE: CVE-1999-0368
• URL: http://www.securityfocus.com/advisories/611