SecurityTracker.com
SecurityTracker Archives

Category:   Application (File Transfer/Sharing)  >   Wu-ftpd
Vendors:   WU-FTPD Development Group
wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007353
SecurityTracker URL:  http://securitytracker.com/id/1007353
CVE Reference:   CVE-2003-0466
Date:  Jul 31 2003
Impact:   Execution of arbitrary code via network, Root access via network
Vendor Confirmed:  Yes  
Version(s): 2.5.0 - 2.6.2
Description:   A buffer overflow vulnerability was reported in wu-ftpd. A remote authenticated user can execute arbitrary code on the system.

iSEC Security Research reported that there is an "off-by-one" overflow in the fb_realpath() function. A remote authenticated user (including an anonymous user with certain write privileges) can create a path of length MAXPATHLEN+1 to overflow a buffer of length MAXPATHLEN and trigger a stack overflow. The path is composed of the current working directory name and a user-specified file name, according to the report.

The flaw can reportedly be triggered using the STOR, RETR, APPE, DELE, MKD, RMD, STOU, and RNTO commands.

The following notification timeline is provided:

June 1, 2003 security@wu-ftpd.org has been notified
June 9, 2003 Request for confirmation of receipt sent to security@wu-ftpd.org
June 11, 2003 Response received from Kent Landfield
July 3, 2003 Request for status update sent
July 19, 2003 vendor-sec list notified
July 31, 2003 Coordinated public disclosure

Impact:   A remote user can execute arbitrary code with root privileges.
Solution:   It appears that there was no upstream solution available at the time of this entry.

Vendors of various distributions are releasing fixed versions [see the Message History for separate Alerts regarding those fixes].

Vendor URL:  www.wuftpd.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 31 2003 (Mandrake Issues Fix) wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
Mandrake has released a fix.
Jul 31 2003 (SuSE Issues Fix) wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
SuSE has released a fix.
Jul 31 2003 (Red Hat Issues Fix) wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix.
Aug 1 2003 (Debian Issues Fix) wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
Debian has released a fix.
Aug 1 2003 (Conectiva Issues Fix) wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
Conectiva has released a fix.
Aug 4 2003 (Turbolinux Issues Fix) Re: wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
Turbolinux has issued a fix.
Aug 28 2003 (HP Issues Fix for Internet Express) wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
HP has released a temporary patch for wu-ftpd (in their Internet Express package).
Sep 3 2003 (HP Issues Fix for HP/UX) wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
HP has released a fix for wu-ftpd on HP/UX.
Sep 25 2003 (SCO Issues Fix) Re: wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
SCO has issued a fix for OpenServer.



Source Message Contents

Subject:  wu-ftpd fb_realpath() off-by-one bug



Synopsis:	wu-ftpd fb_realpath() off-by-one bug
Product:	wu-ftpd
Version: 	2.5.0 <= 2.6.2
Vendor:		http://www.wuftpd.org/

URL:		http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
CVE:            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466
Author:		Wojciech Purczynski <cliph@isec.pl>
		Janusz Niewiadomski <funkysh@isec.pl>
Date:		July 31, 2003 


Issue:
======

The Wu-ftpd FTP server contains a remotely exploitable off-by-one bug. A local
or remote attacker could exploit this vulnerability to gain root
privileges on a vulnerable system.


Details:
========

An off-by-one bug exists in the fb_realpath() function. An overflow occurs
when the length of a constructed path is equal to MAXPATHLEN+1
characters while the size of the buffer is only MAXPATHLEN characters.
The overflowed buffer lies on the stack.

The bug results from misuse of the rootd variable in the calculation of
the length of the concatenated string:

------8<------cut-here------8<------
    /*
     * Join the two strings together, ensuring that the right thing
     * happens if the last component is empty, or the dirname is root.
     */
    if (resolved[0] == '/' && resolved[1] == '\0')
        rootd = 1;
    else
        rootd = 0;

    if (*wbuf) {
        if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
            errno = ENAMETOOLONG;
            goto err1;
        }
        if (rootd == 0)
            (void) strcat(resolved, "/");
        (void) strcat(resolved, wbuf);
    }
------8<------cut-here------8<------

Since the path is constructed from the current working directory and a file
name specified as a parameter to various FTP commands, the attacker needs to
create a deep directory structure.

The following FTP commands may be used to cause the buffer overflow:

	STOR
	RETR
	APPE
	DELE
	MKD
	RMD
	STOU
	RNTO

This bug may be non-exploitable if the size of the buffer is greater than
MAXPATHLEN characters. This may occur, for example, if wu-ftpd is compiled
with some versions of the Linux kernel where PATH_MAX (and accordingly
MAXPATHLEN) is defined to be exactly 4095 characters. In such cases,
the buffer is padded with an extra byte because of variable alignment,
which is a result of code optimization.

Linux 2.2.x and some early 2.4.x kernel versions define PATH_MAX to be
4095 characters, thus only wu-ftpd binaries compiled on 2.0.x or later 2.4.x
kernels are affected.
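To make the length arithmetic in the quoted snippet concrete, here is an added C example. It is not wu-ftpd code and not part of the iSEC advisory: it reproduces the rootd-based check from fb_realpath() alongside a corrected check that charges one byte for the separator exactly when the separator is inserted, and simulates the join into a MAXPATHLEN-byte buffer with snprintf() so that the simulation itself stays memory-safe while reporting what the original strcat() sequence would have done. MAXPATHLEN is scaled down to 16, and the directory and file names are constructed sample values, both assumptions made for illustration only.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Scaled-down buffer size so the off-by-one is visible with short strings
 * (assumption for illustration; wu-ftpd uses the system MAXPATHLEN). */
#define MAXPATHLEN 16

#define JOIN_REJECTED 0   /* length check failed, errno = ENAMETOOLONG         */
#define JOIN_FITS     1   /* accepted, and the result fits in MAXPATHLEN bytes */
#define JOIN_OVERFLOW 2   /* accepted, but the result needs MAXPATHLEN+1 bytes */

/* Simulation target standing in for the MAXPATHLEN-byte stack buffer. */
static char resolved_out[MAXPATHLEN];

/* rootd as computed in fb_realpath(): 1 iff the directory part is exactly "/". */
static int is_rootd(const char *resolved)
{
    return resolved[0] == '/' && resolved[1] == '\0';
}

/* Bytes the joined string really occupies: resolved, the "/" that is inserted
 * unless the directory is root, wbuf, and the terminating NUL. */
static size_t bytes_needed(const char *resolved, const char *wbuf)
{
    return strlen(resolved) + (is_rootd(resolved) ? 0 : 1) + strlen(wbuf) + 1;
}

/* The check as written in the vulnerable code: rootd is added when the
 * separator is NOT inserted, so the non-root case is under-counted by one
 * byte (and the root case is over-counted by one). */
static int vulnerable_check_ok(const char *resolved, const char *wbuf)
{
    int rootd = is_rootd(resolved);
    return strlen(resolved) + strlen(wbuf) + rootd + 1 <= MAXPATHLEN;
}

/* Corrected check: charge one byte for the separator exactly when it is
 * inserted, i.e. use !rootd where the original used rootd. */
static int fixed_check_ok(const char *resolved, const char *wbuf)
{
    int rootd = is_rootd(resolved);
    return strlen(resolved) + strlen(wbuf) + !rootd + 1 <= MAXPATHLEN;
}

/* Simulate the join step under the chosen check. snprintf() keeps this
 * simulation memory-safe; the return value reports what the original
 * strcat() sequence would have done to a MAXPATHLEN-byte buffer. */
int join_path(const char *resolved, const char *wbuf, int use_fixed_check)
{
    if (*wbuf == '\0') {                 /* original code skips the join entirely */
        snprintf(resolved_out, sizeof resolved_out, "%s", resolved);
        return JOIN_FITS;
    }
    int ok = use_fixed_check ? fixed_check_ok(resolved, wbuf)
                             : vulnerable_check_ok(resolved, wbuf);
    if (!ok) {
        errno = ENAMETOOLONG;
        return JOIN_REJECTED;
    }
    snprintf(resolved_out, sizeof resolved_out, "%s%s%s",
             resolved, is_rootd(resolved) ? "" : "/", wbuf);
    return bytes_needed(resolved, wbuf) <= MAXPATHLEN ? JOIN_FITS : JOIN_OVERFLOW;
}

int main(void)
{
    /* Constructed sample: a 14-character cwd plus a one-character file name
     * needs 17 bytes, one more than the buffer holds. */
    const char *deep_cwd = "/aaaaa" "aaaaa" "aaa";
    printf("vulnerable check: %d (2 = off-by-one overflow)\n", join_path(deep_cwd, "b", 0));
    printf("fixed check:      %d (0 = rejected, ENAMETOOLONG)\n", join_path(deep_cwd, "b", 1));
    /* Root-directory case: the vulnerable check is one byte too strict. */
    printf("root, vulnerable: %d (0 = wrongly rejected)\n", join_path("/", "aaaaa" "aaaaa" "aaaa", 0));
    printf("root, fixed:      %d (1 = fits)\n", join_path("/", "aaaaa" "aaaaa" "aaaa", 1));
    return 0;
}
```

The sample inputs are chosen so that the vulnerable check accepts a join whose NUL terminator lands one byte past the buffer, which is exactly the MAXPATHLEN+1 case the advisory describes, while the corrected check rejects it with ENAMETOOLONG. The root-directory inputs show the mirror image of the same mistake: with rootd inverted, the original check refuses a path that would have fit.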


Exploit:
========

We investigated and successfully exploited this vulnerability on an x86-based
Linux system running a 2.4.19 kernel. We believe that exploitation of other
little-endian systems is also possible.
 

Impact:
=======

An authenticated local user or an anonymous FTP user with write access could
execute arbitrary code with root privileges.


Vendor Status:
==============

June  1, 2003	security@wu-ftpd.org has been notified
June  9, 2003	Request for confirmation of receipt sent to security@wu-ftpd.org
June 11, 2003	Response received from Kent Landfield
July  3, 2003   Request for status update sent
July 19, 2003	vendor-sec list notified
July 31, 2003	Coordinated public disclosure


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0466 to this issue.

-- 
Janusz Niewiadomski
iSEC Security Research
http://isec.pl/


 
 


Copyright 2021, SecurityGlobal.net LLC