(HP Issues Fix) WU-FTPD wu_fnmatch() Globbing Error Lets Remote Users Deny Service - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (File Transfer/Sharing) > Wu-ftpd

Vendors: WU-FTPD Development Group

(HP Issues Fix) WU-FTPD wu_fnmatch() Globbing Error Lets Remote Users Deny Service

SecurityTracker Alert ID: 1015875

SecurityTracker URL: http://securitytracker.com/id/1015875

CVE Reference: CVE-2005-0256 (Links to External Site)

Date: Apr 6 2006

Impact: Denial of service via network

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 2.6.1, 2.6.2; possibly earlier versions

Description: iDEFENSE reported a vulnerability in WU-FTPD. A remote authenticated user can cause denial of service conditions.

The wu_fnmatch() function in 'wu_fnmatch.c' does not properly process strings containing an asterik ('*') character. A remote authenticated user can supply a string with a large number of asterik characters to cause the target system to consume excessive resources.

A demonstration exploit command is provided:

ftp> dir ***************************************************************
***************************************************************
***************************************************************
**.*

The vendor was notified on February 9, 2005, without response.

Adam Zabrocki (pi3 / pi3ki31ny) discovered this vulnerability.

The original advisory is available at:

http://www.idefense.com/application/poi/display?id=207&type=vulnerabilities

Impact: A remote user can cause the ftp daemon to consume excessive resources on the target system.

Solution: HP has issued the following patches, available at:

http://itrc.hp.com

B.11.23 PHNE_34306

B.11.11 PHNE_34544

B.11.00 PHNE_34543

HP has also issued the following software updates, available at:

http://www.hp.com/go/softwaredepot

B.11.11: revision B.11.11.01.008 or subsequent.

B.11.00: revision B.11.00.01.006 or subsequent.

Vendor URL: www.wu-ftpd.org/ (Links to External Site)

Cause: Input validation error

Underlying OS: UNIX (HP/UX)

Message History: This archive entry is a follow-up to the message listed below.

WU-FTPD wu_fnmatch() Globbing Error Lets Remote Users Deny Service

Source Message Contents

Date: Thu, 6 Apr 2006 08:13:46 -0400
Subject: HPSBUX02110 SSRT061110 rev.1 - HP-UX Running wu-ftpd Remote Denial of Service (DoS)



http://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00637342

CVE-2005-0256

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC