Vulnerabilities > CVE-2003-1327 - Remote Stack-based Buffer Overrun vulnerability in Wu-Ftpd SockPrintf()
Summary
Buffer overflow in the SockPrintf function in wu-ftpd 2.6.2 and earlier, when compiled with MAIL_ADMIN option enabled on a system that supports very long pathnames, might allow remote anonymous users to execute arbitrary code by uploading a file with a long pathname, which triggers the overflow when wu-ftpd constructs a notification message to the administrator. Successful exploitation requires that the option "MAIL_ADMIN" has been enabled (not default), that anonymous users have write permissions on a folder, and that the program has been compiled on a system where very long paths are permitted.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | | 1 |
| Application | | 1 |
Nessus
NASL family FTP
NASL id WU_FTPD_MAIL_ADMIN.NASL
description Th remote Wu-FTPD server fails to properly check bounds on a pathname when Wu-Ftpd is compiled with MAIL_ADMIN enabled resulting in a buffer overflow. With a specially crafted request, an attacker can possibly execute arbitrary code as the user Wu-Ftpd runs as (usually root) resulting in a loss of integrity, and/or availability. It should be noted that this vulnerability is not present within the default installation of Wu-Ftpd. The server must be configured using the
last seen 2020-06-01
modified 2020-06-02
plugin id 14371
published 2004-08-25
reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/14371
title WU-FTPD MAIL_ADMIN Function Remote Overflow
code
#
# (C) Tenable Network Security, Inc.
#
# Purpose: remote, banner-only check that flags wu-ftpd banners reporting
# version 2.6.0, 2.6.1 or 2.6.2 as potentially affected by CVE-2003-1327.
# The only probe visible in this listing is reading the FTP banner; whether
# the helper libraries do more is not visible here.
#

include("compat.inc");

# Metadata pass: when the scanner loads the plugin with `description` set,
# only this block runs. It registers identifiers, report text and scheduling
# requirements, then exits before any check logic.
if (description)
{
  script_id(14371);
  script_version("1.22");

  script_cve_id("CVE-2003-1327");
  script_bugtraq_id(8668);

  script_name(english:"WU-FTPD MAIL_ADMIN Function Remote Overflow");

  script_set_attribute(attribute:"synopsis", value: "The remote FTP server is affected by a buffer overflow vulnerability." );
  # The report text itself states that the finding rests on the banner alone
  # and may be a false positive.
  script_set_attribute(attribute:"description", value: "Th remote Wu-FTPD server fails to properly check bounds on a pathname when Wu-Ftpd is compiled with MAIL_ADMIN enabled resulting in a buffer overflow. With a specially crafted request, an attacker can possibly execute arbitrary code as the user Wu-Ftpd runs as (usually root) resulting in a loss of integrity, and/or availability. It should be noted that this vulnerability is not present within the default installation of Wu-Ftpd. The server must be configured using the 'MAIL_ADMIN' option to notify an administrator when a file has been uploaded. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive." 
);
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Sep/336");
  script_set_attribute(attribute:"solution", value: "Upgrade to Wu-FTPd 2.6.3 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/25");
  script_set_attribute(attribute:"vuln_publication_date", value: "2003/09/22");
  script_cvs_date("Date: 2018/11/15 20:50:22");
  # Marked "potential": the check below never confirms the flaw, it only
  # matches a version string.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks the banner of the remote wu-ftpd server");
  script_category(ACT_GATHER_INFO);
  script_family(english:"FTP");
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");

  # Run after FTP server identification and the anonymous-login check.
  script_dependencie("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
  # "Settings/ParanoidReport" is a required key, so the plugin is only
  # scheduled for scans configured for paranoid reporting.
  # NOTE(review): "ftp/login" and "ftp/wuftpd" are presumably set by the two
  # dependencies above - confirm against those plugins.
  script_require_keys("ftp/login", "ftp/wuftpd", "Settings/ParanoidReport");
  script_require_ports("Services/ftp", 21);
  exit(0);
}

#
# The script code starts here :
#
include("ftp_func.inc");
include("backport.inc");
include("global_settings.inc");
include("audit.inc");

# Second paranoia gate at run time: below level 2 the plugin audits out
# instead of reporting a banner-only guess.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_ftp_port(default: 21);

# NOTE(review): get_backport_banner() comes from backport.inc; presumably it
# adjusts banners of distribution packages that carry backported fixes -
# confirm against that library.
banner = get_backport_banner(banner:get_ftp_banner(port: port));
if (! banner) exit(1);   # no banner available: nothing to evaluate

# Matches "wu-" or "wuftpd-" followed by 2.6.0, 2.6.1 or 2.6.2 anywhere in
# the banner. Nothing after the last digit is constrained, so any version
# text that merely starts with one of those digits also matches.
# NOTE(review): the CVE text says "2.6.2 and earlier", while this pattern
# covers only the 2.6.x line - confirm whether older release lines should be
# matched or never shipped the MAIL_ADMIN feature.
# NOTE(review): a version match cannot show that the binary was built with
# MAIL_ADMIN, which the description above names as a precondition; treat a
# hit as a prompt to inspect the server build, not as confirmation.
if(egrep(pattern:".*(wu|wuftpd)-2\.6\.[012].*", string:banner)) security_hole(port);
NASL family Slackware Local Security Checks
NASL id SLACKWARE_SSA_2003-259-03.NASL
description Upgraded WU-FTPD packages are available for Slackware 9.0 and - -current. These fix a problem where an attacker could use a specially crafted filename in conjunction with WU-FTPD
last seen 2020-06-01
modified 2020-06-02
plugin id 18726
published 2005-07-13
reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/18726
title Slackware 9.0 / current : WU-FTPD Security Advisory (SSA:2003-259-03)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2003-259-03. The text
# itself is copyright (C) Slackware Linux, Inc.
#
# Purpose: local (credentialed) check that compares the installed Slackware
# wu-ftpd package against the build named in SSA:2003-259-03 and reports the
# host when slackware_check() flags it.
#

include("compat.inc");

# Metadata pass: registers identifiers, report text and requirements, then
# exits before any check logic runs.
if (description)
{
  script_id(18726);
  script_version("1.15");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  script_cve_id("CVE-2003-1327");
  script_xref(name:"SSA", value:"2003-259-03");

  script_name(english:"Slackware 9.0 / current : WU-FTPD Security Advisory (SSA:2003-259-03)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." );
  # Per the advisory text below, the updated package fixes a command
  # execution issue in the conversion feature and disables MAIL_ADMIN;
  # disabling the feature, not a code fix, is what the text describes for it.
  script_set_attribute( attribute:"description", value: "Upgraded WU-FTPD packages are available for Slackware 9.0 and - -current. These fix a problem where an attacker could use a specially crafted filename in conjunction with WU-FTPD's conversion feature (mostly used to compress files, or produce tar archives) to execute arbitrary commands on the server. In addition, a MAIL_ADMIN which has been found to be insecure has been disabled. We do not recommend deploying WU-FTPD in situations where security is required." 
);
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.365971
  script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ea5b1806" );
  script_set_attribute( attribute:"solution", value:"Update the affected wu-ftpd package." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:wu-ftpd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
  script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/22");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Slackware Local Security Checks");

  # The check works from data stored in the knowledge base under the keys
  # required here.
  # NOTE(review): presumably ssh_get_info.nasl populates them after a
  # credentialed login - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

# Preconditions: each missing item ends the plugin with a specific audit
# result rather than a finding.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86_64 and i386-i686 hosts are evaluated; any other architecture
# audits out as not implemented.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

# One check per affected release line; the reference package is wu-ftpd
# 2.6.2 build 3 (i386 for 9.0, i486 for -current).
# NOTE(review): slackware_check() is defined in slackware.inc; presumably it
# returns true when the installed package is older than the given build -
# confirm against that library.
flag = 0;
if (slackware_check(osver:"9.0", pkgname:"wu-ftpd", pkgver:"2.6.2", pkgarch:"i386", pkgnum:"3")) flag++;

if (slackware_check(osver:"current", pkgname:"wu-ftpd", pkgver:"2.6.2", pkgarch:"i486", pkgnum:"3")) 
flag++;

# Report on port 0, attaching the package report when verbosity allows;
# otherwise audit the host as not affected.
if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
References
- http://archives.neohapsis.com/archives/bugtraq/2003-09/0348.html
- http://secunia.com/advisories/9835
- http://securitytracker.com/id?1007775
- http://www.osvdb.org/2594
- http://www.securityfocus.com/bid/8668
- http://www.slackware.org/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.365971
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13269