Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

Short Name

 SCAN:MISC:FTP:REALPATH-OF2

Severity

 Low

Recommended

 No

Category

 SCAN

Keywords

 WU-FTPD realpath() Buffer Overflow (2)

Release Date

 2003/04/25

Update Number

 1213

Supported Platforms

 idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

SCAN: WU-FTPD realpath() Buffer Overflow (2)


This signature detects attempts to exploit a known vulnerability against the realpath() function in WU-FTPD, a software package that provides File Transfer Protocol (FTP) services for UNIX and Linux systems. WU-FTPD version 2.5.0 and earlier are vulnerable. Attackers can send a maliciously crafted FTP pathname to overflow a buffer in realpath() and execute arbitrary commands with administrator privileges.

Extended Description

There is a buffer overflow vulnerability present in versions of wu-ftpd 2.5 and below (and its derivatives). It is similar to the previous wu-ftpd bug, being related to path and path translation. The static array mapped_path is copied into a local buffer on the stack without bounds checking, allowing overflowing of the buffer and the execution of arbitrary code (as root). Systems running the vulnerable versions of wu-ftpd allowing anonymous access with writeable directories (ie. incoming) are especially vulnerable. The consequence is a possible remote root compromise through anonymous ftp (if enabled), or an almost guaranteed remote root compromise through a known user account/password. The code in question defines the function 'getcwd' to be 'mapped_path_cwd'. The mapped_path_cwd does not perform bounsd checking. When an FTP client sensd a CWD command the 'pwd' function is called which in turn calls 'getcwd' passing it a buffer in the stack of length MAXPATHLEN + 1.

Affected Products

  • BeroFTPD 1.3.2
  • BeroFTPD 1.3.3
  • BeroFTPD 1.3.4
  • Linux ftpd 0.16.0
  • Washington University wu-ftpd 2.4.2 (beta 18) VR10
  • Washington University wu-ftpd 2.4.2 (beta 18) VR11
  • Washington University wu-ftpd 2.4.2 (beta 18) VR12
  • Washington University wu-ftpd 2.4.2 (beta 18) VR13
  • Washington University wu-ftpd 2.4.2 (beta 18) VR14
  • Washington University wu-ftpd 2.4.2 (beta 18) VR15
  • Washington University wu-ftpd 2.4.2 (beta 18) VR4
  • Washington University wu-ftpd 2.4.2 (beta 18) VR5
  • Washington University wu-ftpd 2.4.2 (beta 18) VR6
  • Washington University wu-ftpd 2.4.2 (beta 18) VR7
  • Washington University wu-ftpd 2.4.2 (beta 18) VR8
  • Washington University wu-ftpd 2.4.2 (beta 18) VR9
  • Washington University wu-ftpd 2.4.2 VR16
  • Washington University wu-ftpd 2.4.2 VR17
  • Washington University wu-ftpd 2.5.0 .0

References

  • BugTraq: 599
  • CERT: CA-1999-13
  • CVE: CVE-1999-0878
  • URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out