SecurityTracker.com
SecurityTracker
Archives
Category:   Application (File Transfer/Sharing)  >   Wu-ftpd
Vendors:   WU-FTPD Development Group
(Turbolinux Issues Fix) Re: wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007400
SecurityTracker URL:  http://securitytracker.com/id/1007400
CVE Reference:   CVE-2003-0466
Date:  Aug 4 2003
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.5.0 - 2.6.2
Description:   A buffer overflow vulnerability was reported in wu-ftpd. A remote authenticated user can execute arbitrary code on the system.

iSEC Security Research reported that there is an "off-by-one" overflow in the fb_realpath() function. A remote authenticated user (including an anonymous user with certain write privileges) can create a path of length MAXPATHLEN+1 to overflow a buffer of length MAXPATHLEN and trigger a stack overflow. The path is composed of the current working directory name and a user-specified file name, according to the report.

The flaw can reportedly be triggered using the STOR, RETR, APPE, DELE, MKD, RMD, STOU, and RNTO commands.
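The bound-check pattern behind this class of bug, shown as an added illustration rather than wu-ftpd's own fb_realpath() source: a buffer of MAXPATHLEN bytes holds at most MAXPATHLEN-1 characters plus the NUL terminator, so a check written as "> MAXPATHLEN" still admits a joined path of exactly MAXPATHLEN characters and the terminator lands one byte past the end. DEMO_MAXPATHLEN, join_path() and probe() are constructed for the demo; the sentinel byte makes the one-byte overrun observable without undefined behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed small limit for the demo; the real server uses the system
 * MAXPATHLEN (commonly 4096). */
#define DEMO_MAXPATHLEN 16

/* Joins cwd + "/" + name into a buffer of DEMO_MAXPATHLEN bytes.
 * strict == 0 uses the off-by-one comparison (rejects only when the path is
 * longer than the buffer, forgetting the NUL); strict == 1 is the corrected
 * comparison. Illustrative reconstruction, not the wu-ftpd code. */
static int join_path(const char *cwd, const char *name, char *resolved, int strict)
{
    size_t need = strlen(cwd) + 1 + strlen(name);   /* characters excluding NUL */

    if (strict ? need >= DEMO_MAXPATHLEN : need > DEMO_MAXPATHLEN) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(resolved, cwd);
    strcat(resolved, "/");
    strcat(resolved, name);   /* writes need + 1 bytes including the NUL */
    return 0;
}

/* Runs one join in an arena whose last byte sits directly after the
 * DEMO_MAXPATHLEN-byte path buffer and acts as a sentinel.
 * Returns 0 = path rejected, 1 = accepted with sentinel intact,
 * 2 = accepted and the sentinel was overwritten (the off-by-one). */
int probe(const char *cwd, const char *name, int strict)
{
    char arena[DEMO_MAXPATHLEN + 1];
    memset(arena, 'X', sizeof arena);
    if (join_path(cwd, name, arena, strict) != 0)
        return 0;
    return arena[DEMO_MAXPATHLEN] == 'X' ? 1 : 2;
}

int main(void)
{
    /* "/pub/incoming" + "/" + "ab" is exactly DEMO_MAXPATHLEN characters */
    printf("off-by-one check: %d (2 = one byte past the buffer)\n",
           probe("/pub/incoming", "ab", 0));
    printf("corrected check:  %d (0 = ENAMETOOLONG)\n",
           probe("/pub/incoming", "ab", 1));
    return 0;
}
```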

The following notification timeline is provided:

June 1, 2003 security@wu-ftpd.org has been notified
June 9, 2003 Request for confirmation of receipt sent to security@wu-ftpd.org
June 11, 2003 Response received from Kent Landfield
July 3, 2003 Request for status update sent
July 19, 2003 vendor-sec list notified
July 31, 2003 Coordinated public disclosure

Impact:   A remote user can execute arbitrary code with root privileges.
Solution:   Turbolinux has issued a fix. The vendor indicates that you can use the turbopkg tool to apply the update.


<Turbolinux Advanced Server 6>

Source Packages
Size : MD5

wu-ftpd-2.6.2-1.src.rpm
370919 da4c93fb937ff43cb9bc7060d7bcdc16

Binary Packages
Size : MD5

wu-ftpd-2.6.2-1.i386.rpm
193659 11cc9e60aea3084fad22dc61f46174c0

<Turbolinux Server 6.1>

Source Packages
Size : MD5

wu-ftpd-2.6.2-1.src.rpm
370919 38a0906027289b1d56597beefb15a2b8

Binary Packages
Size : MD5

wu-ftpd-2.6.2-1.i386.rpm
193661 d17263391c2771cc5a471a6debf01343

<Turbolinux Workstation 6.0>

Source Packages
Size : MD5

wu-ftpd-2.6.2-1.src.rpm
370919 b92fa542f401a4a8fd36e602c1663885

Binary Packages
Size : MD5

wu-ftpd-2.6.2-1.i386.rpm
193650 4d5c87aaa86f313c8440ce9866264753

Vendor URL:  www.wuftpd.org/
Cause:   Boundary error
Underlying OS:  Linux (Turbo Linux)
Underlying OS Comments:  Turbolinux Advanced Server 6, Turbolinux Server 6.1, Turbolinux Workstation 6.0

Message History:   This archive entry is a follow-up to the message listed below.
Jul 31 2003 wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Full-Disclosure] [TURBOLINUX SECURITY INFO] 04/Aug/2003


This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 04/Aug/2003
============================================================

The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) wu-ftpd -> Wu-ftpd fb_realpath() off-by-one bug


===========================================================
* wu-ftpd -> Wu-ftpd fb_realpath() off-by-one bug
===========================================================

 More information :
    The fb_realpath() function in the Wu-ftpd FTP server contains an off-by-one bug.

 Impact :
    This vulnerability may allow remote authenticated users to execute
    arbitrary code via commands that cause long pathnames.

 Affected Products :
    - Turbolinux Advanced Server 6
    - Turbolinux Server 6.1
    - Turbolinux Workstation 6.0

 Solution :
    Please use the turbopkg tool to apply the update.

 (Package names, sizes and MD5 checksums are listed in the Solution section above.)


 References :

 CVE
   [CAN-2003-0466]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466


 * You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.

  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

Package Update Path
http://www.turbolinux.com/update

============================================================
 * To obtain the public key

Here is the public key

 http://www.turbolinux.com/security/

 * To unsubscribe from the list

If you ever want to remove yourself from this mailing list,
  you can send a message to <server-users-e-ctl@turbolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).

unsubscribe

 * To change your email address

If you ever want to change your email address in this mailing list,
  you can send a message to <server-users-e-ctl@turbolinux.co.jp> with
the following command in the message body:

  chaddr 'old address' 'new address'

If you have any questions or problems, please contact
<supp_info@turbolinux.co.jp>

Thank you!

Copyright 2020, SecurityGlobal.net LLC