CVE-2003-0854
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Summary
ls in the fileutils or coreutils packages allows local users to consume a large amount of memory via a large -w value, which can be remotely exploited via applications that use ls, such as wu-ftpd.
Vulnerable Configurations
Exploit-Db
description | wu-ftpd 2.6.2 Remote Denial Of Service Exploit (wuftpd-freezer.c). CVE-2003-0854. DoS exploit for the Linux platform |
file | exploits/linux/dos/115.c |
id | EDB-ID:115 |
last seen | 2016-01-31 |
modified | 2003-10-31 |
platform | linux |
port | |
published | 2003-10-31 |
reporter | Angelo Rosiello |
source | https://www.exploit-db.com/download/115/ |
title | wu-ftpd 2.6.2 - Remote Denial of Service Exploit wuftpd-freezer.c |
type | dos |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-106.NASL description A memory starvation denial of service vulnerability in the ls program was discovered by Georgi Guninski. It is possible to allocate a huge amount of memory by specifying certain command-line arguments. It is also possible to exploit this remotely via programs that call ls such as wu-ftpd (although wu-ftpd is no longer shipped with Mandrake Linux). Likewise, a non-exploitable integer overflow problem was discovered in ls, which can be used to crash ls by specifying certain command-line arguments. This can also be triggered via remotely accessible services such as wu-ftpd. The provided packages include a patched ls to fix these problems. last seen 2020-06-01 modified 2020-06-02 plugin id 14088 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14088 title Mandrake Linux Security Advisory : fileutils/coreutils (MDKSA-2003:106) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:106. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14088); script_version ("1.19"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2003-0853", "CVE-2003-0854"); script_xref(name:"MDKSA", value:"2003:106"); script_name(english:"Mandrake Linux Security Advisory : fileutils/coreutils (MDKSA-2003:106)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A memory starvation denial of service vulnerability in the ls program was discovered by Georgi Guninski. 
It is possible to allocate a huge amount of memory by specifying certain command-line arguments. It is also possible to exploit this remotely via programs that call ls such as wu-ftpd (although wu-ftpd is no longer shipped with Mandrake Linux). Likewise, a non-exploitable integer overflow problem was discovered in ls, which can be used to crash ls by specifying certain command-line arguments. This can also be triggered via remotely accessible services such as wu-ftpd. The provided packages include a patched ls to fix these problems." ); script_set_attribute( attribute:"solution", value: "Update the affected coreutils, coreutils-doc and / or fileutils packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:coreutils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:coreutils-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:fileutils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2"); script_set_attribute(attribute:"patch_publication_date", value:"2003/11/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"fileutils-4.1.11-6.1.90mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"coreutils-4.5.7-1.1.91mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"coreutils-doc-4.5.7-1.1.91mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"coreutils-5.0-7.1.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"coreutils-5.0-6.1.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"coreutils-doc-5.0-7.1.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"coreutils-doc-5.0-6.1.92mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-705.NASL description Several denial of service conditions have been discovered in wu-ftpd, the popular FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0256 Adam Zabrocki discovered a denial of service condition in wu-ftpd that could be exploited by a remote user and cause the server to slow down by resource exhaustion. - CAN-2003-0854 Georgi Guninski discovered that /bin/ls may be called from within wu-ftpd in a way that will result in large memory consumption and hence slow down the server. last seen 2020-06-01 modified 2020-06-02 plugin id 18010 published 2005-04-11 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18010 title Debian DSA-705-1 : wu-ftpd - missing input sanitising code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-705. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(18010); script_version("1.21"); script_cvs_date("Date: 2019/08/02 13:32:18"); script_cve_id("CVE-2003-0854", "CVE-2005-0256"); script_xref(name:"DSA", value:"705"); script_name(english:"Debian DSA-705-1 : wu-ftpd - missing input sanitising"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several denial of service conditions have been discovered in wu-ftpd, the popular FTP daemon. 
The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0256 Adam Zabrocki discovered a denial of service condition in wu-ftpd that could be exploited by a remote user and cause the server to slow down by resource exhaustion. - CAN-2003-0854 Georgi Guninski discovered that /bin/ls may be called from within wu-ftpd in a way that will result in large memory consumption and hence slow down the server." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-705" ); script_set_attribute( attribute:"solution", value: "Upgrade the wu-ftpd package. For the stable distribution (woody) these problems have been fixed in version 2.6.2-3woody5." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wu-ftpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2005/04/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/11"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/05/16"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"wu-ftpd", reference:"2.6.2-3woody5")) 
flag++; if (deb_check(release:"3.0", prefix:"wu-ftpd-academ", reference:"2.6.2-3woody5")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-310.NASL description Updated fileutils packages that close a potential denial of service vulnerability are now available. The fileutils package contains several basic system utilities. One of these utilities is the last seen 2020-06-01 modified 2020-06-02 plugin id 12428 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12428 title RHEL 2.1 : fileutils (RHSA-2003:310) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:310. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12428); script_version ("1.26"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2003-0853", "CVE-2003-0854"); script_xref(name:"RHSA", value:"2003:310"); script_name(english:"RHEL 2.1 : fileutils (RHSA-2003:310)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "Updated fileutils packages that close a potential denial of service vulnerability are now available. The fileutils package contains several basic system utilities. One of these utilities is the 'ls' program, which is used to list information about files and directories. Georgi Guninski discovered a memory starvation denial of service vulnerability in the ls program. It is possible to make ls allocate a huge amount of memory by specifying certain command line arguments. This vulnerability is remotely exploitable through services like wu-ftpd, which pass user arguments to ls. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0854 to this issue. A non-exploitable integer overflow in ls has been discovered. It is possible to make ls crash by specifying certain command line arguments. This vulnerability is remotely exploitable through services like wu-ftpd, which pass user arguments to ls. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0853 to this issue. Users are advised to update to these erratum packages, which contain backported security patches that correct these vulnerabilities. These packages also add support for the O_DIRECT flag, which controls the use of synchronous I/O on file systems such as OCFS." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0853" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0854" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:310" ); script_set_attribute( attribute:"solution", value:"Update the affected fileutils package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:fileutils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/11/17"); script_set_attribute(attribute:"patch_publication_date", value:"2003/11/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:310"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"fileutils-4.1-10.4")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "fileutils"); } }
NASL family FTP NASL id WUFTPD_LS_DOS.NASL description The version of WU-FTPD on the remote server uses a vulnerable version of /bin/ls. It does not filter arguments to /bin/ls, which could lead to a DoS. It is possible to consume all available memory on the machine by sending : ls last seen 2020-06-01 modified 2020-06-02 plugin id 11912 published 2003-10-29 reporter This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/11912 title WU-FTPD fileutils/coreutils ls -w Argument Memory Consumption DoS code # # (C) Tenable Network Security, Inc. # # HD Moore suggested fixes and the safe_checks code. # It is released under the General Public License (GPLv2). # # Credit: Georgi Guninski discovered this attack # include("compat.inc"); if (description) { script_id(11912); script_version("1.24"); script_cvs_date("Date: 2019/02/26 4:50:08"); script_cve_id("CVE-2003-0853", "CVE-2003-0854"); script_bugtraq_id(8875); # commenting these out instead of removing # these xrefs get flaged as invalid by validate plugin # preventing build from completing # script_xref(name:"CONECTIVA", value:"CLA-2003:768"); # script_xref(name:"zone-h", value:"3299"); script_xref(name:"Secunia", value:"10059"); script_name(english:"WU-FTPD fileutils/coreutils ls -w Argument Memory Consumption DoS"); script_summary(english:"send 'ls -w 1000000 -C' to the remote FTP server."); script_set_attribute(attribute:"synopsis", value: "The remote FTP server is affected by a denial of service vulnerability." ); script_set_attribute(attribute:"description", value: "The version of WU-FTPD on the remote server uses a vulnerable version of /bin/ls. It does not filter arguments to /bin/ls, which could lead to a DoS. 
It is possible to consume all available memory on the machine by sending : ls '-w 1000000 -C'" ); script_set_attribute(attribute:"see_also", value:"http://www.guninski.com/binls.html" ); script_set_attribute(attribute:"solution", value: "Contact your vendor for a fix." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-0853"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2003/10/29"); script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/16"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_MIXED_ATTACK); script_family(english: "FTP"); script_copyright(english:"This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl"); script_require_ports("Services/ftp", 21); exit(0); } include("audit.inc"); include("global_settings.inc"); include("ftp_func.inc"); port = get_ftp_port(default: 21); banner = get_ftp_banner(port:port); if ( !banner ) audit(AUDIT_NO_BANNER, port); if ( !egrep(pattern:"(wu|wuftpd)-[0-9]\.", string:banner) ) audit(AUDIT_NOT_LISTEN, 'WU-FTPD', port); user = get_kb_item("ftp/login"); pass = get_kb_item("ftp/password"); if (! user) { if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY); user = "anonymous"; } if (! 
pass) { if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY); pass = "[email protected]"; } soc = ftp_open_and_authenticate( user:user, pass:pass, port:port ); if (!soc) exit(0); port2 = ftp_pasv(socket:soc); if (!port2) { ftp_close(socket: soc); exit(1, "PASV command failed on port "+port+"."); } soc2 = open_sock_tcp(port2, transport: ENCAPS_IP); if (!soc2 || safe_checks()) { send(socket: soc, data: 'LIST -ABCDEFGHIJKLMNOPQRSTUV\r\n'); r1 = ftp_recv_line(socket:soc); if (egrep(string: r1, pattern: "invalid option|usage:", icase: 1)) security_hole(port); if(soc2)close(soc2); ftp_close(socket: soc); exit(0); } start_denial(); send(socket:soc, data: 'LIST "-W 1000000 -C"\r\n'); r1 = ftp_recv_line(socket:soc); ftp_recv_listing(socket: soc2); r2 = ftp_recv_line(socket:soc); close(soc2); ftp_close(socket: soc); alive = end_denial(); if (! alive) { security_hole(port); exit(0); } if (egrep(string: r2, pattern: "exhausted|failed", icase: 1)) { security_hole(port); exit(0); } soc = ftp_open_and_authenticate( user:user, pass:pass, port:port ); if ( !soc ) { security_hole(port); } if (soc) ftp_close(socket: soc);
Redhat
advisories |
|
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000768
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000771
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012548.html
- http://secunia.com/advisories/10126
- http://secunia.com/advisories/17069
- http://support.avaya.com/elmodocs2/security/ASA-2005-213.pdf
- http://www.debian.org/security/2005/dsa-705
- http://www.guninski.com/binls.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:106
- http://www.redhat.com/support/errata/RHSA-2003-309.html
- http://www.redhat.com/support/errata/RHSA-2003-310.html
- http://www.securityfocus.com/advisories/6014
- http://www.turbolinux.com/security/TLSA-2003-60.txt
- https://www.exploit-db.com/exploits/115