CVE-2003-0466 - Off-by-one Error vulnerability in multiple products

CVSS 9.8 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH
  • Availability impact: HIGH

Tags: network, low complexity, wuftpd, redhat, apple, sun, freebsd, netbsd, openbsd, CWE-193, critical, nessus, exploit available

Summary

Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
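The boundary condition behind an overflow of exactly one byte past a MAXPATHLEN-sized buffer, shown as an added illustration: this is not code from wu-ftpd, BSD or this page. The function names, the separator-accounting mistake used as the model, and the shrunken DEMO_MAXPATHLEN are assumptions made for the demo; the flawed check is only evaluated, never used to write into a buffer.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for MAXPATHLEN, shrunk so the boundary case is readable.
 * Assumption for this demo only. */
#define DEMO_MAXPATHLEN 16

static int is_root(const char *dir)
{
    return strcmp(dir, "/") == 0;
}

/* Bytes a strcat-style join writes into the buffer: dir, a '/' separator
 * unless dir is already the root, the leaf, and the terminating NUL. */
size_t bytes_needed(const char *dir, const char *leaf)
{
    return strlen(dir) + (is_root(dir) ? 0 : 1) + strlen(leaf) + 1;
}

/* Flawed length check (model): it adds 1 when dir IS the root, where no
 * separator is written, and 0 when it is not, where one is written.
 * Non-root joins are therefore undercounted by exactly one byte. */
int fits_flawed(const char *dir, const char *leaf)
{
    size_t counted = strlen(dir) + strlen(leaf) + (is_root(dir) ? 1 : 0) + 1;
    return counted <= DEMO_MAXPATHLEN;
}

/* Correct check: compare the real byte count against the buffer size. */
int fits_correct(const char *dir, const char *leaf)
{
    return bytes_needed(dir, leaf) <= DEMO_MAXPATHLEN;
}

/* Hardened join: let snprintf enforce the bound and treat truncation as
 * an error instead of trusting a separate, hand-written length check. */
int join_path(char *out, size_t outsz, const char *dir, const char *leaf)
{
    int n = snprintf(out, outsz, "%s%s%s", dir, is_root(dir) ? "" : "/", leaf);
    if (n < 0 || (size_t)n >= outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs around the boundary. */
    static const char *samples[][2] = {
        { "/pub/data", "abcde" },          /* 16 bytes: fits exactly       */
        { "/pub/data", "abcdef" },         /* 17 bytes: one byte too many  */
        { "/",         "abcdefghijklmn" }  /* 16 bytes: fits, root case    */
    };
    char buf[DEMO_MAXPATHLEN];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *dir = samples[i][0];
        const char *leaf = samples[i][1];
        printf("%-10s + %-15s needs %2zu of %d bytes  flawed=%d correct=%d join=%d\n",
               dir, leaf, bytes_needed(dir, leaf), DEMO_MAXPATHLEN,
               fits_flawed(dir, leaf), fits_correct(dir, leaf),
               join_path(buf, sizeof buf, dir, leaf));
    }
    return 0;
}
```

The second sample is the interesting row: the flawed check accepts a join that needs one byte more than the buffer holds, which is the CWE-193 pattern the summary describes.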

Common Weakness Enumeration (CWE)

Exploit-Db

  • description: wu-ftpd 2.6.2, 2.6.0, 2.6.1 realpath() Off-By-One Buffer Overflow Vulnerability. CVE-2003-0466. Remote exploit for unix platform
    id: EDB-ID:22975
    last seen: 2016-02-02
    modified: 2003-08-06
    published: 2003-08-06
    reporter: Xpl017Elz
    source: https://www.exploit-db.com/download/22975/
    title: wu-ftpd 2.6.2, 2.6.0, 2.6.1 realpath Off-By-One Buffer Overflow Vulnerability
  • description: freeBSD 4.8 realpath() Off-By-One Buffer Overflow Vulnerability. CVE-2003-0466. Remote exploit for freebsd platform
    id: EDB-ID:22976
    last seen: 2016-02-02
    modified: 2003-07-31
    published: 2003-07-31
    reporter: [email protected]
    source: https://www.exploit-db.com/download/22976/
    title: freeBSD 4.8 realpath Off-By-One Buffer Overflow Vulnerability
  • description: wu-ftpd 2.6.2 off-by-one Remote Root Exploit. CVE-2003-0466. Remote exploit for linux platform
    id: EDB-ID:74
    last seen: 2016-01-31
    modified: 2003-08-03
    published: 2003-08-03
    reporter: Xpl017Elz
    source: https://www.exploit-db.com/download/74/
    title: wu-ftpd 2.6.2 - off-by-one Remote Root Exploit
  • description: wu-ftpd 2.6.2 Remote Root Exploit (advanced version). CVE-2003-0466. Remote exploit for linux platform
    id: EDB-ID:78
    last seen: 2016-01-31
    modified: 2003-08-11
    published: 2003-08-11
    reporter: Xpl017Elz
    source: https://www.exploit-db.com/download/78/
    title: wu-ftpd 2.6.2 - Remote Root Exploit
  • description: wu-ftpd 2.6.2 realpath() Off-By-One Buffer Overflow Vulnerability. CVE-2003-0466. Remote exploit for unix platform
    id: EDB-ID:22974
    last seen: 2016-02-02
    modified: 2003-08-02
    published: 2003-08-02
    reporter: Xpl017Elz
    source: https://www.exploit-db.com/download/22974/
    title: wu-ftpd 2.6.2 - realpath Off-By-One Buffer Overflow Vulnerability

Nessus

  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_29462.NASL
    description: s700_800 11.22 ftpd(1M) and ftp(1) patch : The remote HP-UX host is affected by multiple vulnerabilities : - A potential vulnerability has been identified with HP-UX running ftpd where the vulnerability could be exploited to allow a remote authorized user unauthorized access to files. (HPSBUX01119 SSRT4694) - A potential security vulnerability has been identified with HP-UX running ftp where the vulnerability could be exploited remotely to allow unauthorized access. (HPSBUX01050 SSRT3456) - The wu-ftpd program is potentially vulnerable to a buffer overflow. (HPSBUX00277 SSRT3606) - A potential security vulnerability has been identified with HP-UX running ftpd, where a buffer overflow in ftpd could be remotely exploited to allow an unauthorized user to gain privileged access. (HPSBUX01118 SSRT4883) - A potential vulnerability has been identified with HP-UX running wu-ftpd with the restricted gid option enabled where the vulnerability could be exploited by a local user to gain unauthorized access to files. (HPSBUX01059 SSRT4704)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16907
    published: 2005-02-16
    reporter: This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16907
    title: HP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHNE_29462. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16907);
      script_version("$Revision: 1.12 $");
      script_cvs_date("$Date: 2016/01/14 15:20:32 $");
    
      script_cve_id("CVE-2003-0466", "CVE-2004-0148", "CVE-2004-1332", "CVE-2005-0547");
      script_xref(name:"HP", value:"emr_na-c00572225");
      script_xref(name:"HP", value:"emr_na-c00951272");
      script_xref(name:"HP", value:"emr_na-c00951289");
      script_xref(name:"HP", value:"emr_na-c01035676");
      script_xref(name:"HP", value:"emr_na-c01035678");
      script_xref(name:"HP", value:"HPSBUX00277");
      script_xref(name:"HP", value:"HPSBUX01050");
      script_xref(name:"HP", value:"HPSBUX01059");
      script_xref(name:"HP", value:"HPSBUX01118");
      script_xref(name:"HP", value:"HPSBUX01119");
      script_xref(name:"HP", value:"SSRT3456");
      script_xref(name:"HP", value:"SSRT3606");
      script_xref(name:"HP", value:"SSRT4694");
      script_xref(name:"HP", value:"SSRT4704");
      script_xref(name:"HP", value:"SSRT4883");
    
      script_name(english:"HP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.22 ftpd(1M) and ftp(1) patch : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - A potential vulnerability has been identified with HP-UX
        running ftpd where the vulnerability could be exploited
        to allow a remote authorized user unauthorized access to
        files. (HPSBUX01119 SSRT4694)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftp where the vulnerability could be
        exploited remotely to allow unauthorized access.
        (HPSBUX01050 SSRT3456)
    
      - The wu-ftpd program is potentially vulnerable to a
        buffer overflow. (HPSBUX00277 SSRT3606)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftpd, where a buffer overflow in ftpd
        could be remotely exploited to allow an unauthorized
        user to gain privileged access. (HPSBUX01118 SSRT4883)
    
      - A potential vulnerability has been identified with HP-UX
        running wu-ftpd with the restricted gid option enabled
        where the vulnerability could be exploited by a local
        user to gain unauthorized access to files. (HPSBUX01059
        SSRT4704)"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951272
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6ca73dfe"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951289
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?353e3f75"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00572225
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2fb36360"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035676
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0e3b95fe"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035678
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9d4b2076"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHNE_29462 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/06/03");
      script_set_attribute(attribute:"patch_modification_date", value:"2006/01/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.22"))
    {
      exit(0, "The host is not affected since PHNE_29462 applies to a different OS release.");
    }
    
    patches = make_list("PHNE_29462");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"InternetSrvcs.INETSVCS2-RUN", version:"B.11.22")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: FTP
    NASL id: WU_FTPD_FB_REALPATH_OFFBY1.NASL
    description: The remote WU-FTPD server seems to be vulnerable to an off-by-one overflow when dealing with huge directory structures. An attacker may exploit this flaw to obtain a shell on this host. Note that Nessus has solely relied on the banner of the remote server to issue this warning so it may be a false-positive, especially if the patch has already been applied.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11811
    published: 2003-07-31
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11811
    title: WU-FTPD fb_realpath() Function Off-by-one Overflow
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Ref:
    # 
    # Date: Thu, 31 Jul 2003 18:16:03 +0200 (CEST)
    # From: Janusz Niewiadomski <[email protected]>
    # To: [email protected], <[email protected]>
    # Subject: [VulnWatch] wu-ftpd fb_realpath() off-by-one bug
    
    
    
    include("compat.inc");
    
    if(description)
    {
     script_id(11811);
     script_bugtraq_id(8315);
     script_cve_id("CVE-2003-0466");
     script_xref(name:"RHSA", value:"2003:245-01");
     script_xref(name:"SuSE", value:"SUSE-SA:2003:032");
     script_version ("1.28");
     
     script_name(english:"WU-FTPD fb_realpath() Function Off-by-one Overflow");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote FTP server is affected by a buffer overflow vulnerability." );
     script_set_attribute(attribute:"description", value:
    "The remote WU-FTPD server seems to be vulnerable to an off-by-one
    overflow when dealing with huge directory structures. 
    
    An attacker may exploit this flaw to obtain a shell on this host. 
    
    Note that Nessus has solely relied on the banner of the remote server
    to issue this warning so it may be a false-positive, especially if the
    patch has already been applied." );
     script_set_attribute(attribute:"see_also", value:"http://www.securiteam.com/unixfocus/5ZP010AAUI.html" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Aug/43" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9eabbd45" );
     script_set_attribute(attribute:"solution", value:
    "Apply the realpath.patch patch." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    		
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/07/31");
     script_set_attribute(attribute:"vuln_publication_date", value: "2003/07/31");
     script_cvs_date("Date: 2018/11/15 20:50:22");
    script_set_attribute(attribute:"potential_vulnerability", value:"true");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
    		    
     script_summary(english:"Checks the banner of the remote wu-ftpd server");
     script_category(ACT_GATHER_INFO);
     script_family(english:"FTP");
     
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
    		  
     script_dependencie("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
     script_require_keys("ftp/wuftpd", "Settings/ParanoidReport");
     script_require_ports("Services/ftp", 21);
      
     exit(0);
    }
    
    #
    # The script code starts here : 
    #
    include("ftp_func.inc");
    include("backport.inc");
    include("global_settings.inc");
    include("audit.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_ftp_port(default: 21);
    
    banner = get_backport_banner(banner:get_ftp_banner(port: port));
    if (! banner ) exit(1);
    if(egrep(pattern:".*(wu|wuftpd)-(2\.(5\.|6\.[012])).*", string:banner))security_hole(port);
    
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_29460.NASL
    description: s700_800 11.00 ftpd(1M) and ftp(1) patch : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with HP-UX running ftp where the vulnerability could be exploited remotely to allow unauthorized access. (HPSBUX01050 SSRT3456) - A potential security vulnerability has been identified with HP-UX running ftpd, where a buffer overflow in ftpd could be remotely exploited to allow an unauthorized user to gain privileged access. (HPSBUX01118 SSRT4883) - The wu-ftpd program is potentially vulnerable to a buffer overflow. (HPSBUX00277 SSRT3606)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16909
    published: 2005-02-16
    reporter: This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16909
    title: HP-UX PHNE_29460 : s700_800 11.00 ftpd(1M) and ftp(1) patch
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHNE_29460. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16909);
      script_version("$Revision: 1.13 $");
      script_cvs_date("$Date: 2016/01/14 15:20:32 $");
    
      script_cve_id("CVE-2003-0466", "CVE-2004-1332");
      script_xref(name:"HP", value:"emr_na-c00951272");
      script_xref(name:"HP", value:"emr_na-c00951289");
      script_xref(name:"HP", value:"emr_na-c01035676");
      script_xref(name:"HP", value:"HPSBUX00277");
      script_xref(name:"HP", value:"HPSBUX01050");
      script_xref(name:"HP", value:"HPSBUX01118");
      script_xref(name:"HP", value:"SSRT3456");
      script_xref(name:"HP", value:"SSRT3606");
      script_xref(name:"HP", value:"SSRT4883");
    
      script_name(english:"HP-UX PHNE_29460 : s700_800 11.00 ftpd(1M) and ftp(1) patch");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.00 ftpd(1M) and ftp(1) patch : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - A potential security vulnerability has been identified
        with HP-UX running ftp where the vulnerability could be
        exploited remotely to allow unauthorized access.
        (HPSBUX01050 SSRT3456)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftpd, where a buffer overflow in ftpd
        could be remotely exploited to allow an unauthorized
        user to gain privileged access. (HPSBUX01118 SSRT4883)
    
      - The wu-ftpd program is potentially vulnerable to a
        buffer overflow. (HPSBUX00277 SSRT3606)"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951272
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6ca73dfe"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951289
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?353e3f75"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035676
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0e3b95fe"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHNE_29460 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/02/10");
      script_set_attribute(attribute:"patch_modification_date", value:"2007/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.00"))
    {
      exit(0, "The host is not affected since PHNE_29460 applies to a different OS release.");
    }
    
    patches = make_list("PHNE_29460", "PHNE_30989", "PHNE_33406", "PHNE_34543");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"InternetSrvcs.INET-ENG-A-MAN", version:"B.11.00")) flag++;
    if (hpux_check_patch(app:"InternetSrvcs.INETSVCS-RUN", version:"B.11.00")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2003-080.NASL
    description: A vulnerability was discovered by Janusz Niewiadomski and Wojciech Purczynski in the wu-ftpd FTP server package. They found an off-by-one bug in the fb_realpath() function which could be used by a remote attacker to obtain root privileges on the server. This bug can only be successfully accomplished by using wu-ftpd binaries compiled on Linux 2.0.x and later 2.4.x kernels because the 2.2.x and earlier 2.4.x kernels define PATH_MAX to be 4095 characters. wu-ftpd is no longer shipped with Mandrake Linux, however Mandrake Linux 8.2 did come with wu-ftpd. If you use wu-ftpd, you are encouraged to upgrade to these patched packages.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 61921
    published: 2012-09-06
    reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/61921
    title: Mandrake Linux Security Advisory : wu-ftpd (MDKSA-2003:080)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:080. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(61921);
      script_version("1.6");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2003-0466");
      script_xref(name:"MDKSA", value:"2003:080");
    
      script_name(english:"Mandrake Linux Security Advisory : wu-ftpd (MDKSA-2003:080)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered by Janusz Niewiadomski and Wojciech
    Purczynski in the wu-ftpd FTP server package. They found an off-by-
    one bug in the fb_realpath() function which could be used by a remote
    attacker to obtain root privileges on the server. This bug can only be
    successfully accomplished by using wu-ftpd binaries compiled on Linux
    2.0.x and later 2.4.x kernels because the 2.2.x and earlier 2.4.x
    kernels define PATH_MAX to be 4095 characters.
    
    wu-ftpd is no longer shipped with Mandrake Linux, however Mandrake
    Linux 8.2 did come with wu-ftpd. If you use wu-ftpd, you are
    encouraged to upgrade to these patched packages."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected wu-ftpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:wu-ftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"wu-ftpd-2.6.2-1.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-357.NASL
    description: iSEC Security Research reports that wu-ftpd contains an off-by-one bug in the fb_realpath function which could be exploited by a logged-in user (local or anonymous) to gain root privileges. A demonstration exploit is reportedly available.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15194
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15194
    title: Debian DSA-357-1 : wu-ftpd - remote root exploit
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-357. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15194);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2003-0466");
      script_bugtraq_id(8315);
      script_xref(name:"DSA", value:"357");
    
      script_name(english:"Debian DSA-357-1 : wu-ftpd - remote root exploit");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "iSEC Security Research reports that wu-ftpd contains an off-by-one bug
    in the fb_realpath function which could be exploited by a logged-in
    user (local or anonymous) to gain root privileges. A demonstration
    exploit is reportedly available."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-357"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the wu-ftpd package immediately.
    
    For the current stable distribution (woody) this problem has been
    fixed in version 2.6.2-3woody1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wu-ftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"wu-ftpd", reference:"2.6.2-3woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"wu-ftpd-academ", reference:"2.6.2-3woody1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2003-246.NASL
    description: Updated wu-ftpd packages are available that fix an off-by-one buffer overflow. The wu-ftpd package contains the Washington University FTP (File Transfer Protocol) server daemon. FTP is a method of transferring files between machines. An off-by-one bug has been discovered in versions of wu-ftpd up to and including 2.6.2. On a vulnerable system, a remote attacker would be able to exploit this bug to gain root privileges. Red Hat Enterprise Linux contains a version of wu-ftpd that is affected by this bug, although it is believed that this issue will not be remotely exploitable due to compiler padding of the buffer that is the target of the overflow. However, Red Hat still advises that all users of wu-ftpd upgrade to these erratum packages, which contain a security patch. Red Hat would like to thank Wojciech Purczynski and Janusz Niewiadomski of ISEC Security Research for their responsible disclosure of this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12413
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12413
    title: RHEL 2.1 : wu-ftpd (RHSA-2003:246)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2003:246. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12413);
      script_version ("1.27");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2003-0466");
      script_xref(name:"RHSA", value:"2003:246");
    
      script_name(english:"RHEL 2.1 : wu-ftpd (RHSA-2003:246)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated wu-ftpd packages are available that fix an off-by-one buffer
    overflow.
    
    The wu-ftpd package contains the Washington University FTP (File
    Transfer Protocol) server daemon. FTP is a method of transferring
    files between machines.
    
    An off-by-one bug has been discovered in versions of wu-ftpd up to and
    including 2.6.2. On a vulnerable system, a remote attacker would be
    able to exploit this bug to gain root privileges.
    
    Red Hat Enterprise Linux contains a version of wu-ftpd that is
    affected by this bug, although it is believed that this issue will not
    be remotely exploitable due to compiler padding of the buffer that is
    the target of the overflow. However, Red Hat still advises that all
    users of wu-ftpd upgrade to these erratum packages, which contain a
    security patch.
    
    Red Hat would like to thank Wojciech Purczynski and Janusz
    Niewiadomski of ISEC Security Research for their responsible
    disclosure of this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0466"
      );
      # http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
      script_set_attribute(
        attribute:"see_also",
        value:"https://isec.pl/en/vulnerabilities/isec-0011-wu-ftpd.txt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2003:246"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected wu-ftpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:wu-ftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/08/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2003:246";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"wu-ftpd-2.6.1-21")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wu-ftpd");
      }
    }
    
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_29461.NASL
    description: s700_800 11.11 ftpd(1M) and ftp(1) patch : The remote HP-UX host is affected by multiple vulnerabilities : - The wu-ftpd program is potentially vulnerable to a buffer overflow. (HPSBUX00277 SSRT3606) - A potential security vulnerability has been identified with HP-UX running ftpd, where a buffer overflow in ftpd could be remotely exploited to allow an unauthorized user to gain privileged access. (HPSBUX01118 SSRT4883) - A potential security vulnerability has been identified with HP-UX running ftp where the vulnerability could be exploited remotely to allow unauthorized access. (HPSBUX01050 SSRT3456)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16908
    published: 2005-02-16
    reporter: This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16908
    title: HP-UX PHNE_29461 : s700_800 11.11 ftpd(1M) and ftp(1) patch
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHNE_29461. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16908);
      script_version("$Revision: 1.16 $");
      script_cvs_date("$Date: 2016/01/14 15:20:32 $");
    
      script_cve_id("CVE-2003-0466", "CVE-2004-1332");
      script_xref(name:"HP", value:"emr_na-c00951272");
      script_xref(name:"HP", value:"emr_na-c00951289");
      script_xref(name:"HP", value:"emr_na-c01035676");
      script_xref(name:"HP", value:"HPSBUX00277");
      script_xref(name:"HP", value:"HPSBUX01050");
      script_xref(name:"HP", value:"HPSBUX01118");
      script_xref(name:"HP", value:"SSRT3456");
      script_xref(name:"HP", value:"SSRT3606");
      script_xref(name:"HP", value:"SSRT4883");
    
      script_name(english:"HP-UX PHNE_29461 : s700_800 11.11 ftpd(1M) and ftp(1) patch");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.11 ftpd(1M) and ftp(1) patch : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - The wu-ftpd program is potentially vulnerable to a
        buffer overflow. (HPSBUX00277 SSRT3606)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftpd, where a buffer overflow in ftpd
        could be remotely exploited to allow an unauthorized
        user to gain privileged access. (HPSBUX01118 SSRT4883)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftp where the vulnerability could be
        exploited remotely to allow unauthorized access.
        (HPSBUX01050 SSRT3456)"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951272
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6ca73dfe"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951289
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?353e3f75"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035676
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0e3b95fe"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHNE_29461 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/12/17");
      script_set_attribute(attribute:"patch_modification_date", value:"2007/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.11"))
    {
      exit(0, "The host is not affected since PHNE_29461 applies to a different OS release.");
    }
    
    patches = make_list("PHNE_29461", "PHNE_30432", "PHNE_30990", "PHNE_33412", "PHNE_34544", "PHNE_36129", "PHNE_36192", "PHNE_38458", "PHNE_40774");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"InternetSrvcs.INETSVCS-RUN", version:"B.11.11")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2003_032.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2003:032 (wuftpd). Janusz Niewiadomski and Wojciech Purczynski of iSEC Security Research have found a single byte buffer overflow in the Washington University ftp daemon (wuftpd), a widely used ftp server for Linux-like systems. It is yet unclear if this bug is (remotely) exploitable. Positive exploitability may result in a remote root compromise of a system running the wuftpd ftp daemon. Notes: * SUSE LINUX products do not contain wuftpd any more starting with SUSE Linux 8.0 and SUSE LINUX Enterprise Server 8. The wuftpd package has been substituted by a different server implementation of the file transfer protocol server. * The affected wuftpd packages in products as stated in the header of this announcement actually ship two different wuftpd ftp daemon versions: The older version 2.4.x that is installed as /usr/sbin/wu.ftpd, the newer version 2.6 is installed as /usr/sbin/wu.ftpd-2.6 . The 2.4.x version does not contain the defective parts of the code and is therefore not vulnerable to the weakness found. * If you are using the wuftpd ftp daemon in version 2.4.x, you might want to update the package anyway in order not to risk an insecure configuration once you switch to the newer version. There exists no workaround that can fix this vulnerability on a temporary basis other than just using the 2.4.x version as mentioned above. The proper fix for the weakness is to update the package using the provided update packages. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13801
    published: 2004-07-25
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13801
    title: SUSE-SA:2003:032: wuftpd
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:032
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(13801);
     script_bugtraq_id(8315);
     script_version ("1.16");
     script_cve_id("CVE-2003-0466");
     
     name["english"] = "SUSE-SA:2003:032: wuftpd";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2003:032 (wuftpd).
    
    
    Janusz Niewiadomski and Wojciech Purczynski of iSEC Security Research
    have found a single byte buffer overflow in the Washington University
    ftp daemon (wuftpd), a widely used ftp server for Linux-like systems.
    It is yet unclear if this bug is (remotely) exploitable. Positive
    exploitability may result in a remote root compromise of a system
    running the wuftpd ftp daemon.
    
    Notes:
    * SUSE LINUX products do not contain wuftpd any more starting with SUSE
    Linux 8.0 and SUSE LINUX Enterprise Server 8. The wuftpd package has
    been substituted by a different server implementation of the file
    transfer protocol server.
    * The affected wuftpd packages in products as stated in the header of
    this announcement actually ship two different wuftpd ftp daemon
    versions: The older version 2.4.x that is installed as
    /usr/sbin/wu.ftpd, the newer version 2.6 is installed as
    /usr/sbin/wu.ftpd-2.6 . The 2.4.x version does not contain the
    defective parts of the code and is therefore not vulnerable to the
    weakness found.
    * If you are using the wuftpd ftp daemon in version 2.4.x, you might
    want to update the package anyway in order not to risk an insecure
    configuration once you switch to the newer version.
    
    There exists no workaround that can fix this vulnerability on a temporary
    basis other than just using the 2.4.x version as mentioned above.
    The proper fix for the weakness is to update the package using the
    provided update packages.
    
    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command 'rpm -Fhv file.rpm' to apply
    the update." );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/2003_032_wuftpd.html" );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
     script_cvs_date("Date: 2019/10/25 13:36:27");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the wuftpd package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"wuftpd-2.6.0-403", release:"SUSE7.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"wuftpd-2.6.0-403", release:"SUSE7.3") )
    {
     security_hole(0);
     exit(0);
    }
    if (rpm_exists(rpm:"wuftpd-", release:"SUSE7.2")
     || rpm_exists(rpm:"wuftpd-", release:"SUSE7.3") )
    {
     set_kb_item(name:"CVE-2003-0466", value:TRUE);
    }
    

Oval

accepted: 2010-09-20T04:00:18.853-04:00
class: vulnerability
contributors:
  • name: Brian Soby
    organization: The MITRE Corporation
  • name: Todd Dolinsky
    organization: Opsware, Inc.
  • name: Jonathan Baker
    organization: The MITRE Corporation
description: Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
family: unix
id: oval:org.mitre.oval:def:1970
status: accepted
submitted: 2005-04-13T12:00:00.000-04:00
title: Off-by-one Error in fb_realpath()
version: 38

Redhat

advisories:
  • rhsa
    id: RHSA-2003:245
  • rhsa
    id: RHSA-2003:246