National Vulnerability Database (NVD) National Vulnerability Database (CVE-2003-0466)

National Cyber-Alert System

Vulnerability Summary for CVE-2003-0466

Original release date:08/27/2003

Last revised:09/10/2008

Source: US-CERT/NIST

Overview

Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)

Impact Subscore: 10.0

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Vulnerability Note: VU#743092

Name: VU#743092

Type: Advisory

Hyperlink:http://www.kb.cert.org/vuls/id/743092

External Source: BID

Name: 8315

Type: Advisory; Patch Information

Hyperlink:http://www.securityfocus.com/bid/8315

External Source: XF

Name: libc-realpath-offbyone-bo(12785)

Hyperlink:http://xforce.iss.net/xforce/xfdb/12785

External Source: TURBO

Name: TLSA-2003-46

Hyperlink:http://www.turbolinux.com/security/TLSA-2003-46.txt

External Source: BUGTRAQ

Name: 20060214 Re: Latest wu-ftpd exploit :-s

Hyperlink:http://www.securityfocus.com/archive/1/425061/100/0/threaded

External Source: BUGTRAQ

Name: 20060213 Latest wu-ftpd exploit :-s

Hyperlink:http://www.securityfocus.com/archive/1/424852/100/0/threaded

External Source: REDHAT

Name: RHSA-2003:246

Hyperlink:http://www.redhat.com/support/errata/RHSA-2003-246.html

External Source: REDHAT

Name: RHSA-2003:245

Hyperlink:http://www.redhat.com/support/errata/RHSA-2003-245.html

External Source: OSVDB

Name: 6602

Hyperlink:http://www.osvdb.org/6602

External Source: SUSE

Name: SuSE-SA:2003:032

Hyperlink:http://www.novell.com/linux/security/advisories/2003_032_wuftpd.html

External Source: DEBIAN

Name: DSA-357

Hyperlink:http://www.debian.org/security/2003/dsa-357

External Source: SECTRACK

Name: 1007380

Hyperlink:http://securitytracker.com/id?1007380

External Source: SECUNIA

Name: 9535

Hyperlink:http://secunia.com/advisories/9535

External Source: SECUNIA

Name: 9447

Hyperlink:http://secunia.com/advisories/9447

External Source: SECUNIA

Name: 9446

Hyperlink:http://secunia.com/advisories/9446

External Source: SECUNIA

Name: 9423

Hyperlink:http://secunia.com/advisories/9423

External Source: BUGTRAQ

Name: 20030804 Off-by-one Buffer Overflow Vulnerability in BSD libc realpath(3)

Hyperlink:http://marc.theaimsgroup.com/?l=bugtraq&m=106002488209129&w=2

External Source: BUGTRAQ

Name: 20030804 wu-ftpd-2.6.2 off-by-one remote exploit.

Hyperlink:http://marc.theaimsgroup.com/?l=bugtraq&m=106001702232325&w=2

External Source: FREEBSD

Name: FreeBSD-SA-03:08

Hyperlink:http://marc.theaimsgroup.com/?l=bugtraq&m=106001410028809&w=2

External Source: BUGTRAQ

Name: 20030731 wu-ftpd fb_realpath() off-by-one bug

Type: Advisory

Hyperlink:http://marc.theaimsgroup.com/?l=bugtraq&m=105967301604815&w=2

External Source: MISC

Name: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

Hyperlink:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

External Source: IMMUNIX

Name: IMNX-2003-7+-019-01

Hyperlink:http://download.immunix.org/ImmunixOS/7+/Updates/errata/IMNX-2003-7+-019-01

External Source: VULNWATCH

Name: 20030731 wu-ftpd fb_realpath() off-by-one bug

Type: Advisory

Hyperlink:http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0065.html

External Source: NETBSD

Name: NetBSD-SA2003-011.txt.asc

Hyperlink:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc

External Source: MANDRAKE

Name: MDKSA-2003:080

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2003:080

US Government Resource: oval:org.mitre.oval:def:1970

Name: oval:org.mitre.oval:def:1970

Type: Tool Signature

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1970

Vulnerable software and versions

Configuration 1

* cpe:/a:redhat:wu_ftpd:2.6.1-16::i386

* cpe:/a:redhat:wu_ftpd:2.6.1-16::powerpc

* cpe:/a:redhat:wu_ftpd:2.6.1-18::i386

* cpe:/a:redhat:wu_ftpd:2.6.1-18::ia64

* cpe:/a:redhat:wu_ftpd:2.6.2-5::i386

* cpe:/a:redhat:wu_ftpd:2.6.2-8::i386

* cpe:/a:washington_university:wu-ftpd:2.5.0

* cpe:/a:washington_university:wu-ftpd:2.6.0

* cpe:/a:washington_university:wu-ftpd:2.6.1

* cpe:/a:washington_university:wu-ftpd:2.6.2

Configuration 2

* cpe:/o:apple:mac_os_x:10.2.6

* cpe:/o:apple:mac_os_x_server:10.2.6

* cpe:/o:freebsd:freebsd:4.0

* cpe:/o:freebsd:freebsd:4.0:alpha

* cpe:/o:freebsd:freebsd:4.1

* cpe:/o:freebsd:freebsd:4.1.1

* cpe:/o:freebsd:freebsd:4.1.1:release

* cpe:/o:freebsd:freebsd:4.1.1:stable

* cpe:/o:freebsd:freebsd:4.2

* cpe:/o:freebsd:freebsd:4.2:stable

* cpe:/o:freebsd:freebsd:4.3

* cpe:/o:freebsd:freebsd:4.3:release

* cpe:/o:freebsd:freebsd:4.3:releng

* cpe:/o:freebsd:freebsd:4.3:stable

* cpe:/o:freebsd:freebsd:4.4

* cpe:/o:freebsd:freebsd:4.4:releng

* cpe:/o:freebsd:freebsd:4.4:stable

* cpe:/o:freebsd:freebsd:4.5

* cpe:/o:freebsd:freebsd:4.5:release

* cpe:/o:freebsd:freebsd:4.5:stable

* cpe:/o:freebsd:freebsd:4.6

* cpe:/o:freebsd:freebsd:4.6.2

* cpe:/o:freebsd:freebsd:4.6:release

* cpe:/o:freebsd:freebsd:4.6:stable

* cpe:/o:freebsd:freebsd:4.7

* cpe:/o:freebsd:freebsd:4.7:release

* cpe:/o:freebsd:freebsd:4.7:stable

* cpe:/o:freebsd:freebsd:4.8

* cpe:/o:freebsd:freebsd:4.8:pre-release

* cpe:/o:freebsd:freebsd:5.0

* cpe:/o:freebsd:freebsd:5.0:alpha

* cpe:/o:netbsd:netbsd:1.5

* cpe:/o:netbsd:netbsd:1.5.1

* cpe:/o:netbsd:netbsd:1.5.2

* cpe:/o:netbsd:netbsd:1.5.3

* cpe:/o:netbsd:netbsd:1.6

* cpe:/o:netbsd:netbsd:1.6.1

* cpe:/o:openbsd:openbsd:2.0

* cpe:/o:openbsd:openbsd:2.1

* cpe:/o:openbsd:openbsd:2.2

* cpe:/o:openbsd:openbsd:2.3

* cpe:/o:openbsd:openbsd:2.4

* cpe:/o:openbsd:openbsd:2.5

* cpe:/o:openbsd:openbsd:2.6

* cpe:/o:openbsd:openbsd:2.7

* cpe:/o:openbsd:openbsd:2.8

* cpe:/o:openbsd:openbsd:2.9

* cpe:/o:openbsd:openbsd:3.0

* cpe:/o:openbsd:openbsd:3.1

* cpe:/o:openbsd:openbsd:3.2

* cpe:/o:openbsd:openbsd:3.3

* cpe:/o:sun:solaris:9.0::sparc

* cpe:/o:sun:solaris:9.0::x86

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0466