Vulnerabilities > CVE-2003-0466 - Off-by-one Error vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
wuftpd
redhat
apple
sun
freebsd
netbsd
openbsd
CWE-193
critical
nessus
exploit available

Summary

Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptionwu-ftpd 2.6.2, 2.6.0, 2.6.1 realpath() Off-By-One Buffer Overflow Vulnerability. CVE-2003-0466. Remote exploit for unix platform
    idEDB-ID:22975
    last seen2016-02-02
    modified2003-08-06
    published2003-08-06
    reporterXpl017Elz
    sourcehttps://www.exploit-db.com/download/22975/
    titlewu-ftpd 2.6.2, 2.6.0, 2.6.1 realpath Off-By-One Buffer Overflow Vulnerability
  • descriptionfreeBSD 4.8 realpath() Off-By-One Buffer Overflow Vulnerability. CVE-2003-0466. Remote exploit for freebsd platform
    idEDB-ID:22976
    last seen2016-02-02
    modified2003-07-31
    published2003-07-31
    reporter[email protected]
    sourcehttps://www.exploit-db.com/download/22976/
    titlefreeBSD 4.8 realpath Off-By-One Buffer Overflow Vulnerability
  • descriptionwu-ftpd 2.6.2 off-by-one Remote Root Exploit. CVE-2003-0466. Remote exploit for linux platform
    idEDB-ID:74
    last seen2016-01-31
    modified2003-08-03
    published2003-08-03
    reporterXpl017Elz
    sourcehttps://www.exploit-db.com/download/74/
    titlewu-ftpd 2.6.2 - off-by-one Remote Root Exploit
  • descriptionwu-ftpd 2.6.2 Remote Root Exploit (advanced version). CVE-2003-0466. Remote exploit for linux platform
    idEDB-ID:78
    last seen2016-01-31
    modified2003-08-11
    published2003-08-11
    reporterXpl017Elz
    sourcehttps://www.exploit-db.com/download/78/
    titlewu-ftpd 2.6.2 - Remote Root Exploit
  • descriptionwu-ftpd 2.6.2 realpath() Off-By-One Buffer Overflow Vulnerability. CVE-2003-0466. Remote exploit for unix platform
    idEDB-ID:22974
    last seen2016-02-02
    modified2003-08-02
    published2003-08-02
    reporterXpl017Elz
    sourcehttps://www.exploit-db.com/download/22974/
    titlewu-ftpd 2.6.2 - realpath Off-By-One Buffer Overflow Vulnerability

Nessus

  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHNE_29462.NASL
    descriptions700_800 11.22 ftpd(1M) and ftp(1) patch : The remote HP-UX host is affected by multiple vulnerabilities : - A potential vulnerability has been identified with HP-UX running ftpd where the vulnerability could be exploited to allow a remote authorized user unauthorized access to files. (HPSBUX01119 SSRT4694) - A potential security vulnerability has been identified with HP-UX running ftp where the vulnerability could be exploited remotely to allow unauthorized access. (HPSBUX01050 SSRT3456) - The wu-ftpd program is potentially vulnerable to a buffer overflow. (HPSBUX00277 SSRT3606) - A potential security vulnerability has been identified with HP-UX running ftpd, where a buffer overflow in ftpd could be remotely exploited to allow an unauthorized user to gain privileged access. (HPSBUX01118 SSRT4883) - A potential vulnerability has been identified with HP-UX running wu-ftpd with the restricted gid option enabled where the vulnerability could be exploited by a local user to gain unauthorized access to files. (HPSBUX01059 SSRT4704)
    last seen2020-06-01
    modified2020-06-02
    plugin id16907
    published2005-02-16
    reporterThis script is Copyright (C) 2005-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16907
    titleHP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHNE_29462. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16907);
      script_version("$Revision: 1.12 $");
      script_cvs_date("$Date: 2016/01/14 15:20:32 $");
    
      script_cve_id("CVE-2003-0466", "CVE-2004-0148", "CVE-2004-1332", "CVE-2005-0547");
      script_xref(name:"HP", value:"emr_na-c00572225");
      script_xref(name:"HP", value:"emr_na-c00951272");
      script_xref(name:"HP", value:"emr_na-c00951289");
      script_xref(name:"HP", value:"emr_na-c01035676");
      script_xref(name:"HP", value:"emr_na-c01035678");
      script_xref(name:"HP", value:"HPSBUX00277");
      script_xref(name:"HP", value:"HPSBUX01050");
      script_xref(name:"HP", value:"HPSBUX01059");
      script_xref(name:"HP", value:"HPSBUX01118");
      script_xref(name:"HP", value:"HPSBUX01119");
      script_xref(name:"HP", value:"SSRT3456");
      script_xref(name:"HP", value:"SSRT3606");
      script_xref(name:"HP", value:"SSRT4694");
      script_xref(name:"HP", value:"SSRT4704");
      script_xref(name:"HP", value:"SSRT4883");
    
      script_name(english:"HP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.22 ftpd(1M) and ftp(1) patch : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - A potential vulnerability has been identified with HP-UX
        running ftpd where the vulnerability could be exploited
        to allow a remote authorized user unauthorized access to
        files. (HPSBUX01119 SSRT4694)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftp where the vulnerability could be
        exploited remotely to allow unauthorized access.
        (HPSBUX01050 SSRT3456)
    
      - The wu-ftpd program is potentially vulnerable to a
        buffer overflow. (HPSBUX00277 SSRT3606)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftpd, where a buffer overflow in ftpd
        could be remotely exploited to allow an unauthorized
        user to gain privileged access. (HPSBUX01118 SSRT4883)
    
      - A potential vulnerability has been identified with HP-UX
        running wu-ftpd with the restricted gid option enabled
        where the vulnerability could be exploited by a local
        user to gain unauthorized access to files. (HPSBUX01059
        SSRT4704)"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951272
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6ca73dfe"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951289
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?353e3f75"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00572225
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2fb36360"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035676
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0e3b95fe"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035678
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9d4b2076"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHNE_29462 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/06/03");
      script_set_attribute(attribute:"patch_modification_date", value:"2006/01/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.22"))
    {
      exit(0, "The host is not affected since PHNE_29462 applies to a different OS release.");
    }
    
    patches = make_list("PHNE_29462");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"InternetSrvcs.INETSVCS2-RUN", version:"B.11.22")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFTP
    NASL idWU_FTPD_FB_REALPATH_OFFBY1.NASL
    descriptionThe remote WU-FTPD server seems to be vulnerable to an off-by-one overflow when dealing with huge directory structures. An attacker may exploit this flaw to obtain a shell on this host. Note that Nessus has solely relied on the banner of the remote server to issue this warning so it may be a false-positive, especially if the patch has already been applied.
    last seen2020-06-01
    modified2020-06-02
    plugin id11811
    published2003-07-31
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11811
    titleWU-FTPD fb_realpath() Function Off-by-one Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Ref:
    # 
    # Date: Thu, 31 Jul 2003 18:16:03 +0200 (CEST)
    # From: Janusz Niewiadomski <[email protected]>
    # To: [email protected], <[email protected]>
    # Subject: [VulnWatch] wu-ftpd fb_realpath() off-by-one bug
    
    
    
    include("compat.inc");
    
    if(description)
    {
     script_id(11811);
     script_bugtraq_id(8315);
     script_cve_id("CVE-2003-0466");
     script_xref(name:"RHSA", value:"2003:245-01");
     script_xref(name:"SuSE", value:"SUSE-SA:2003:032");
     script_version ("1.28");
     
     script_name(english:"WU-FTPD fb_realpath() Function Off-by-one Overflow");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote FTP server is affected by a buffer overflow vulnerability." );
     script_set_attribute(attribute:"description", value:
    "The remote WU-FTPD server seems to be vulnerable to an off-by-one
    overflow when dealing with huge directory structures. 
    
    An attacker may exploit this flaw to obtain a shell on this host. 
    
    Note that Nessus has solely relied on the banner of the remote server
    to issue this warning so it may be a false-positive, especially if the
    patch has already been applied." );
     script_set_attribute(attribute:"see_also", value:"http://www.securiteam.com/unixfocus/5ZP010AAUI.html" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Aug/43" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9eabbd45" );
     script_set_attribute(attribute:"solution", value:
    "Apply the realpath.patch patch." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    		
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/07/31");
     script_set_attribute(attribute:"vuln_publication_date", value: "2003/07/31");
     script_cvs_date("Date: 2018/11/15 20:50:22");
    script_set_attribute(attribute:"potential_vulnerability", value:"true");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
    		    
     script_summary(english:"Checks the banner of the remote wu-ftpd server");
     script_category(ACT_GATHER_INFO);
     script_family(english:"FTP");
     
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
    		  
     script_dependencie("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
     script_require_keys("ftp/wuftpd", "Settings/ParanoidReport");
     script_require_ports("Services/ftp", 21);
      
     exit(0);
    }
    
    #
    # The script code starts here : 
    #
    include("ftp_func.inc");
    include("backport.inc");
    include("global_settings.inc");
    include("audit.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_ftp_port(default: 21);
    
    banner = get_backport_banner(banner:get_ftp_banner(port: port));
    if (! banner ) exit(1);
    if(egrep(pattern:".*(wu|wuftpd)-(2\.(5\.|6\.[012])).*", string:banner))security_hole(port);
    
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHNE_29460.NASL
    descriptions700_800 11.00 ftpd(1M) and ftp(1) patch : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with HP-UX running ftp where the vulnerability could be exploited remotely to allow unauthorized access. (HPSBUX01050 SSRT3456) - A potential security vulnerability has been identified with HP-UX running ftpd, where a buffer overflow in ftpd could be remotely exploited to allow an unauthorized user to gain privileged access. (HPSBUX01118 SSRT4883) - The wu-ftpd program is potentially vulnerable to a buffer overflow. (HPSBUX00277 SSRT3606)
    last seen2020-06-01
    modified2020-06-02
    plugin id16909
    published2005-02-16
    reporterThis script is Copyright (C) 2005-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16909
    titleHP-UX PHNE_29460 : s700_800 11.00 ftpd(1M) and ftp(1) patch
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHNE_29460. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16909);
      script_version("$Revision: 1.13 $");
      script_cvs_date("$Date: 2016/01/14 15:20:32 $");
    
      script_cve_id("CVE-2003-0466", "CVE-2004-1332");
      script_xref(name:"HP", value:"emr_na-c00951272");
      script_xref(name:"HP", value:"emr_na-c00951289");
      script_xref(name:"HP", value:"emr_na-c01035676");
      script_xref(name:"HP", value:"HPSBUX00277");
      script_xref(name:"HP", value:"HPSBUX01050");
      script_xref(name:"HP", value:"HPSBUX01118");
      script_xref(name:"HP", value:"SSRT3456");
      script_xref(name:"HP", value:"SSRT3606");
      script_xref(name:"HP", value:"SSRT4883");
    
      script_name(english:"HP-UX PHNE_29460 : s700_800 11.00 ftpd(1M) and ftp(1) patch");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.00 ftpd(1M) and ftp(1) patch : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - A potential security vulnerability has been identified
        with HP-UX running ftp where the vulnerability could be
        exploited remotely to allow unauthorized access.
        (HPSBUX01050 SSRT3456)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftpd, where a buffer overflow in ftpd
        could be remotely exploited to allow an unauthorized
        user to gain privileged access. (HPSBUX01118 SSRT4883)
    
      - The wu-ftpd program is potentially vulnerable to a
        buffer overflow. (HPSBUX00277 SSRT3606)"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951272
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6ca73dfe"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951289
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?353e3f75"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035676
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0e3b95fe"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHNE_29460 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/02/10");
      script_set_attribute(attribute:"patch_modification_date", value:"2007/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.00"))
    {
      exit(0, "The host is not affected since PHNE_29460 applies to a different OS release.");
    }
    
    patches = make_list("PHNE_29460", "PHNE_30989", "PHNE_33406", "PHNE_34543");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"InternetSrvcs.INET-ENG-A-MAN", version:"B.11.00")) flag++;
    if (hpux_check_patch(app:"InternetSrvcs.INETSVCS-RUN", version:"B.11.00")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-080.NASL
    descriptionA vulnerability was discovered by Janusz Niewiadomski and Wojciech Purczynski in the wu-ftpd FTP server package. They found an off-by- one bug in the fb_realpath() function which could be used by a remote attacker to obtain root privileges on the server. This bug can only be successfully accomplished by using wu-ftpd binaries compiled on Linux 2.0.x and later 2.4.x kernels because the 2.2.x and earlier 2.4.x kernels define PATH_MAX to be 4095 characters. wu-ftpd is no longer shipped with Mandrake Linux, however Mandrake Linux 8.2 did come with wu-ftpd. If you use wu-ftpd, you are encouraged to upgrade to these patched packages.
    last seen2020-06-01
    modified2020-06-02
    plugin id61921
    published2012-09-06
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/61921
    titleMandrake Linux Security Advisory : wu-ftpd (MDKSA-2003:080)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:080. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(61921);
      script_version("1.6");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2003-0466");
      script_xref(name:"MDKSA", value:"2003:080");
    
      script_name(english:"Mandrake Linux Security Advisory : wu-ftpd (MDKSA-2003:080)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered by Janusz Niewiadomski and Wojciech
    Purczynski in the wu-ftpd FTP server package. They found an off-by-
    one bug in the fb_realpath() function which could be used by a remote
    attacker to obtain root privileges on the server. This bug can only be
    successfully accomplished by using wu-ftpd binaries compiled on Linux
    2.0.x and later 2.4.x kernels because the 2.2.x and earlier 2.4.x
    kernels define PATH_MAX to be 4095 characters.
    
    wu-ftpd is no longer shipped with Mandrake Linux, however Mandrake
    Linux 8.2 did come with wu-ftpd. If you use wu-ftpd, you are
    encouraged to upgrade to these patched packages."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected wu-ftpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:wu-ftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"wu-ftpd-2.6.2-1.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-357.NASL
    descriptioniSEC Security Research reports that wu-ftpd contains an off-by-one bug in the fb_realpath function which could be exploited by a logged-in user (local or anonymous) to gain root privileges. A demonstration exploit is reportedly available.
    last seen2020-06-01
    modified2020-06-02
    plugin id15194
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15194
    titleDebian DSA-357-1 : wu-ftpd - remote root exploit
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-357. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15194);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2003-0466");
      script_bugtraq_id(8315);
      script_xref(name:"DSA", value:"357");
    
      script_name(english:"Debian DSA-357-1 : wu-ftpd - remote root exploit");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "iSEC Security Research reports that wu-ftpd contains an off-by-one bug
    in the fb_realpath function which could be exploited by a logged-in
    user (local or anonymous) to gain root privileges. A demonstration
    exploit is reportedly available."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-357"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the wu-ftpd package immediately.
    
    For the current stable distribution (woody) this problem has been
    fixed in version 2.6.2-3woody1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wu-ftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"wu-ftpd", reference:"2.6.2-3woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"wu-ftpd-academ", reference:"2.6.2-3woody1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2003-246.NASL
    descriptionUpdated wu-ftpd packages are available that fix an off-by-one buffer overflow. The wu-ftpd package contains the Washington University FTP (File Transfer Protocol) server daemon. FTP is a method of transferring files between machines. An off-by-one bug has been discovered in versions of wu-ftpd up to and including 2.6.2. On a vulnerable system, a remote attacker would be able to exploit this bug to gain root privileges. Red Hat Enterprise Linux contains a version of wu-ftpd that is affected by this bug, although it is believed that this issue will not be remotely exploitable due to compiler padding of the buffer that is the target of the overflow. However, Red Hat still advises that all users of wu-ftpd upgrade to these erratum packages, which contain a security patch. Red Hat would like to thank Wojciech Purczynski and Janusz Niewiadomski of ISEC Security Research for their responsible disclosure of this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id12413
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12413
    titleRHEL 2.1 : wu-ftpd (RHSA-2003:246)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2003:246. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12413);
      script_version ("1.27");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2003-0466");
      script_xref(name:"RHSA", value:"2003:246");
    
      script_name(english:"RHEL 2.1 : wu-ftpd (RHSA-2003:246)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated wu-ftpd packages are available that fix an off-by-one buffer
    overflow.
    
    The wu-ftpd package contains the Washington University FTP (File
    Transfer Protocol) server daemon. FTP is a method of transferring
    files between machines.
    
    An off-by-one bug has been discovered in versions of wu-ftpd up to and
    including 2.6.2. On a vulnerable system, a remote attacker would be
    able to exploit this bug to gain root privileges.
    
    Red Hat Enterprise Linux contains a version of wu-ftpd that is
    affected by this bug, although it is believed that this issue will not
    be remotely exploitable due to compiler padding of the buffer that is
    the target of the overflow. However, Red Hat still advises that all
    users of wu-ftpd upgrade to these erratum packages, which contain a
    security patch.
    
    Red Hat would like to thank Wojciech Purczynski and Janusz
    Niewiadomski of ISEC Security Research for their responsible
    disclosure of this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0466"
      );
      # http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
      script_set_attribute(
        attribute:"see_also",
        value:"https://isec.pl/en/vulnerabilities/isec-0011-wu-ftpd.txt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2003:246"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected wu-ftpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:wu-ftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/08/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2003:246";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"wu-ftpd-2.6.1-21")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wu-ftpd");
      }
    }
    
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHNE_29461.NASL
    descriptions700_800 11.11 ftpd(1M) and ftp(1) patch : The remote HP-UX host is affected by multiple vulnerabilities : - The wu-ftpd program is potentially vulnerable to a buffer overflow. (HPSBUX00277 SSRT3606) - A potential security vulnerability has been identified with HP-UX running ftpd, where a buffer overflow in ftpd could be remotely exploited to allow an unauthorized user to gain privileged access. (HPSBUX01118 SSRT4883) - A potential security vulnerability has been identified with HP-UX running ftp where the vulnerability could be exploited remotely to allow unauthorized access. (HPSBUX01050 SSRT3456)
    last seen2020-06-01
    modified2020-06-02
    plugin id16908
    published2005-02-16
    reporterThis script is Copyright (C) 2005-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16908
    titleHP-UX PHNE_29461 : s700_800 11.11 ftpd(1M) and ftp(1) patch
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHNE_29461. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16908);
      script_version("$Revision: 1.16 $");
      script_cvs_date("$Date: 2016/01/14 15:20:32 $");
    
      script_cve_id("CVE-2003-0466", "CVE-2004-1332");
      script_xref(name:"HP", value:"emr_na-c00951272");
      script_xref(name:"HP", value:"emr_na-c00951289");
      script_xref(name:"HP", value:"emr_na-c01035676");
      script_xref(name:"HP", value:"HPSBUX00277");
      script_xref(name:"HP", value:"HPSBUX01050");
      script_xref(name:"HP", value:"HPSBUX01118");
      script_xref(name:"HP", value:"SSRT3456");
      script_xref(name:"HP", value:"SSRT3606");
      script_xref(name:"HP", value:"SSRT4883");
    
      script_name(english:"HP-UX PHNE_29461 : s700_800 11.11 ftpd(1M) and ftp(1) patch");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.11 ftpd(1M) and ftp(1) patch : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - The wu-ftpd program is potentially vulnerable to a
        buffer overflow. (HPSBUX00277 SSRT3606)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftpd, where a buffer overflow in ftpd
        could be remotely exploited to allow an unauthorized
        user to gain privileged access. (HPSBUX01118 SSRT4883)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftp where the vulnerability could be
        exploited remotely to allow unauthorized access.
        (HPSBUX01050 SSRT3456)"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951272
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6ca73dfe"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951289
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?353e3f75"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035676
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0e3b95fe"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHNE_29461 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/12/17");
      script_set_attribute(attribute:"patch_modification_date", value:"2007/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.11"))
    {
      exit(0, "The host is not affected since PHNE_29461 applies to a different OS release.");
    }
    
    patches = make_list("PHNE_29461", "PHNE_30432", "PHNE_30990", "PHNE_33412", "PHNE_34544", "PHNE_36129", "PHNE_36192", "PHNE_38458", "PHNE_40774");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"InternetSrvcs.INETSVCS-RUN", version:"B.11.11")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2003_032.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2003:032 (wuftpd). Janusz Niewiadomski and Wojciech Purczynski of iSEC Security Research have found a single byte buffer overflow in the Washington University ftp daemon (wuftpd), a widely used ftp server for Linux-like systems. It is yet unclear if this bug is (remotely) exploitable. Positive exploitability may result in a remote root compromise of a system running the wuftpd ftp daemon. Notes: * SUSE LINUX products do not contain wuftpd any more starting with SUSE Linux 8.0 and SUSE LINUX Enterprise Server 8. The wuftpd package has been substituted by a different server implementation of the file transfer protocol server. * The affected wuftpd packages in products as stated in the header of this announcement actually ship two different wuftpd ftp daemon versions: The older version 2.4.x that is installed as /usr/sbin/wu.ftpd, the newer version 2.6 is installed as /usr/sbin/wu.ftpd-2.6 . The 2.4.x version does not contain the defective parts of the code and is therefore not vulnerable to the weakness found. * If you are using the wuftpd ftp daemon in version 2.4.x, you might want to update the package anyway in order not to risk an insecure configuration once you switch to the newer version. There exists no workaround that can fix this vulnerability on a temporary basis other than just using the 2.4.x version as mentioned above. The proper fix for the weakness is to update the package using the provided update packages. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command
    last seen2020-06-01
    modified2020-06-02
    plugin id13801
    published2004-07-25
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13801
    titleSUSE-SA:2003:032: wuftpd
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:032
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(13801);
     script_bugtraq_id(8315);
     script_version ("1.16");
     script_cve_id("CVE-2003-0466");
     
     name["english"] = "SUSE-SA:2003:032: wuftpd";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2003:032 (wuftpd).
    
    
    Janusz Niewiadomski and Wojciech Purczynski of iSEC Security Research
    have found a single byte buffer overflow in the Washington University
    ftp daemon (wuftpd), a widely used ftp server for Linux-like systems.
    It is yet unclear if this bug is (remotely) exploitable. Positive
    exploitability may result in a remote root compromise of a system
    running the wuftpd ftp daemon.
    
    Notes:
    * SUSE LINUX products do not contain wuftpd any more starting with SUSE
    Linux 8.0 and SUSE LINUX Enterprise Server 8. The wuftpd package has
    been substituted by a different server implementation of the file
    transfer protocol server.
    * The affected wuftpd packages in products as stated in the header of
    this announcement actually ship two different wuftpd ftp daemon
    versions: The older version 2.4.x that is installed as
    /usr/sbin/wu.ftpd, the newer version 2.6 is installed as
    /usr/sbin/wu.ftpd-2.6 . The 2.4.x version does not contain the
    defective parts of the code and is therefore not vulnerable to the
    weakness found.
    * If you are using the wuftpd ftp daemon in version 2.4.x, you might
    want to update the package anyway in order not to risk an insecure
    configuration once you switch to the newer version.
    
    There exists no workaround that can fix this vulnerability on a temporary
    basis other than just using the 2.4.x version as mentioned above.
    The proper fix for the weakness is to update the package using the
    provided update packages.
    
    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command 'rpm -Fhv file.rpm' to apply
    the update." );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/2003_032_wuftpd.html" );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
     script_cvs_date("Date: 2019/10/25 13:36:27");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the wuftpd package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"wuftpd-2.6.0-403", release:"SUSE7.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"wuftpd-2.6.0-403", release:"SUSE7.3") )
    {
     security_hole(0);
     exit(0);
    }
    if (rpm_exists(rpm:"wuftpd-", release:"SUSE7.2")
     || rpm_exists(rpm:"wuftpd-", release:"SUSE7.3") )
    {
     set_kb_item(name:"CVE-2003-0466", value:TRUE);
    }
    

Oval

accepted2010-09-20T04:00:18.853-04:00
classvulnerability
contributors
  • nameBrian Soby
    organizationThe MITRE Corporation
  • nameTodd Dolinsky
    organizationOpsware, Inc.
  • nameJonathan Baker
    organizationThe MITRE Corporation
descriptionOff-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
familyunix
idoval:org.mitre.oval:def:1970
statusaccepted
submitted2005-04-13T12:00:00.000-04:00
titleOff-by-one Error in fb_realpath()
version38

Redhat

advisories
  • rhsa
    idRHSA-2003:245
  • rhsa
    idRHSA-2003:246

References