Vulnerabilities > CVE-2004-0148

CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
sgi
washington-university
nessus

Summary

wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.

Nessus

  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_30983.NASL
    description: s700_800 11.23 ftpd(1M) patch : The remote HP-UX host is affected by multiple vulnerabilities : - A potential vulnerability has been identified with HP-UX running wu-ftpd with the restricted gid option enabled where the vulnerability could be exploited by a local user to gain unauthorized access to files. (HPSBUX01059 SSRT4704) - A potential vulnerability has been identified with HP-UX running ftpd where the vulnerability could be exploited to allow a remote authorized user unauthorized access to files. (HPSBUX01119 SSRT4694)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17422
    published: 2005-03-18
    reporter: This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17422
    title: HP-UX PHNE_30983 : s700_800 11.23 ftpd(1M) patch
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHNE_30983. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    # Registration pass. `description` is presumably set by the scanner when it
    # only wants the plugin's metadata: everything in this block registers
    # identifiers, text and scoring, and the exit(0) at the end returns before
    # any host data is evaluated.
    if (description)
    {
      script_id(17422);
      script_version("$Revision: 1.20 $");
      script_cvs_date("$Date: 2013/04/20 00:36:49 $");
    
      # Two CVE ids are registered, matching the two items in the description
      # below (HPSBUX01059 and HPSBUX01119). The script does not say which CVE
      # belongs to which bulletin - confirm against the HP bulletins.
      script_cve_id("CVE-2004-0148", "CVE-2005-0547");
      script_xref(name:"HP", value:"emr_na-c00572225");
      script_xref(name:"HP", value:"emr_na-c01035678");
      script_xref(name:"HP", value:"HPSBUX01059");
      script_xref(name:"HP", value:"HPSBUX01119");
      script_xref(name:"HP", value:"SSRT4694");
      script_xref(name:"HP", value:"SSRT4704");
    
      script_name(english:"HP-UX PHNE_30983 : s700_800 11.23 ftpd(1M) patch");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.23 ftpd(1M) patch : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - A potential vulnerability has been identified with HP-UX
        running wu-ftpd with the restricted gid option enabled
        where the vulnerability could be exploited by a local
        user to gain unauthorized access to files. (HPSBUX01059
        SSRT4704)
    
      - A potential vulnerability has been identified with HP-UX
        running ftpd where the vulnerability could be exploited
        to allow a remote authorized user unauthorized access to
        files. (HPSBUX01119 SSRT4694)"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00572225
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2fb36360"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035678
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9d4b2076"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHNE_30983 or subsequent."
      );
      # The single vector registered for the whole plugin is AV:L (local),
      # although the second item in the description speaks of a remote
      # authorized user. Treat the score as plugin-level, not per-CVE.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      # "local" plugin type: the required KB keys below are all Host/... entries,
      # i.e. the result comes from data collected on the host rather than from
      # talking to the FTP service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/06/25");
      script_set_attribute(attribute:"patch_modification_date", value:"2006/01/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      # Needs local checks enabled plus the HP-UX version and swlist output in
      # the KB (presumably populated by ssh_get_info.nasl, the only dependency).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    # Stop early unless the scan collected what this check relies on: local
    # checks enabled, an HP-UX version string, and the swlist output.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/HP-UX/version"))
    {
      audit(AUDIT_OS_NOT, "HP-UX");
    }
    if (!get_kb_item("Host/HP-UX/swlist"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    # PHNE_30983 is checked against release context 11.23 only.
    if (!hpux_check_ctx(ctx:"11.23"))
      exit(0, "The host is not affected since PHNE_30983 applies to a different OS release.");
    
    # Any one of these patches being installed ends the check as "not affected".
    # The list starts with PHNE_30983 itself; the others are presumably the
    # patches that supersede it.
    patches = make_list("PHNE_30983", "PHNE_31732", "PHNE_32286", "PHNE_33414", "PHNE_34306", "PHNE_34698", "PHNE_36065", "PHNE_36193", "PHNE_38578", "PHNE_38916", "PHNE_40380", "PHNE_41248", "PHNE_41581", "PHNE_42661");
    foreach fixing_patch (patches)
    {
      if (hpux_installed(app:fixing_patch))
        exit(0, "The host is not affected because patch "+fixing_patch+" is installed.");
    }
    
    # None of the patches was found: the host is reported only when the fileset
    # check matches. Nothing in this script itself reads the wu-ftpd
    # configuration, so a finding means "patch missing", not "restricted-gid is
    # in use on this host".
    if (!hpux_check_patch(app:"InternetSrvcs.INETSVCS2-RUN", version:"B.11.23"))
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      if (report_verbosity > 0)
        security_hole(port:0, extra:hpux_report_get());
      else
        security_hole(0);
      exit(0);
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-096.NASL
    description: An updated wu-ftpd package that fixes two security issues is now available. The wu-ftpd package contains the Washington University FTP (File Transfer Protocol) server daemon. FTP is a method of transferring files between machines. Glenn Stewart discovered a flaw in wu-ftpd. When configured with 'restricted-gid home', an authorized user could use this flaw to circumvent the configured home directory restriction by using chmod.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12475
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12475
    title: RHEL 2.1 : wu-ftpd (RHSA-2004:096)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:096. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass. `description` is presumably set by the scanner when it
    # only wants the plugin's metadata; the block registers identifiers, text
    # and scoring, then returns at exit(0) without evaluating any host data.
    if (description)
    {
      script_id(12475);
      script_version ("1.27");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      # NOTE(review): three CVE ids are registered, while the advisory text below
      # speaks of two issues and names only CVE-2004-0148. Confirm the mapping of
      # the other two ids against RHSA-2004:096.
      script_cve_id("CVE-2003-1329", "CVE-2004-0148", "CVE-2004-0185");
      script_xref(name:"RHSA", value:"2004:096");
    
      script_name(english:"RHEL 2.1 : wu-ftpd (RHSA-2004:096)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated wu-ftpd package that fixes two security issues is now
    available.
    
    The wu-ftpd package contains the Washington University FTP (File
    Transfer Protocol) server daemon. FTP is a method of transferring
    files between machines.
    
    Glenn Stewart discovered a flaw in wu-ftpd. When configured with
    'restricted-gid home', an authorized user could use this flaw to
    circumvent the configured home directory restriction by using chmod.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2004-0148 to this issue.
    
    Michael Hendrickx found a flaw in the S/Key login handling. On servers
    using S/Key authentication, a remote attacker could overflow a buffer
    and potentially execute arbitrary code.
    
    Users of wu-ftpd are advised to upgrade to this updated package, which
    contains backported security patches and is not vulnerable to these
    issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-1329"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0148"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0185"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.securiteam.com/unixfocus/6X00Q1P8KC.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:096"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected wu-ftpd package."
      );
      # One vector is registered for the whole plugin, and it is AV:N (network).
      # That fits the remote S/Key overflow in the text above; the restricted-gid
      # bypass is described as needing an authorized user, so do not read this
      # score as the severity of CVE-2004-0148 alone.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      # "local" plugin type: the required KB keys below are all Host/... entries,
      # i.e. the result comes from package data collected on the host.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:wu-ftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/03/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      # Needs local checks enabled plus the release string, rpm list and CPU
      # architecture in the KB (presumably populated by ssh_get_info.nasl).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Local checks must be enabled and the host must identify itself as Red Hat.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release)
      audit(AUDIT_OS_NOT, "Red Hat");
    
    # Pull the numeric release out of the release string and accept only 2.1;
    # the trailing ([^0-9]|$) keeps a value such as 2.10 from matching.
    ver_match = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(ver_match))
      audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = ver_match[1];
    if (!preg(pattern:"^2\.1([^0-9]|$)", string:os_ver))
      audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Architecture gate: unknown families are refused first, then anything that
    # is not i386-class, since the only package reference below is for i386.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
      audit(AUDIT_UNKNOWN_ARCH);
    if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$" || "s390" >< cpu))
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (!(cpu =~ "^i[3-6]86$"))
      audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    # Two evidence sources. If yum updateinfo data is in the KB, the advisory
    # lookup alone decides and the rpm comparison is not run; otherwise the
    # installed package is compared with the reference build.
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (empty_or_null(yum_updateinfo))
    {
      # wu-ftpd-2.6.1-22 is the reference build for RHEL 2.1 on i386
      # (presumably the fixed package from the advisory).
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"wu-ftpd-2.6.1-22"))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        # Distinguish "package present but not affected" from "not installed".
        tested = pkg_tests_get();
        if (tested)
          audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else
          audit(AUDIT_PACKAGE_NOT_INSTALLED, "wu-ftpd");
      }
    }
    else
    {
      rhsa = "RHSA-2004:096";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (empty_or_null(yum_report))
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
      else
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
    }
    
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_29462.NASL
    description: s700_800 11.22 ftpd(1M) and ftp(1) patch : The remote HP-UX host is affected by multiple vulnerabilities : - A potential vulnerability has been identified with HP-UX running ftpd where the vulnerability could be exploited to allow a remote authorized user unauthorized access to files. (HPSBUX01119 SSRT4694) - A potential security vulnerability has been identified with HP-UX running ftp where the vulnerability could be exploited remotely to allow unauthorized access. (HPSBUX01050 SSRT3456) - The wu-ftpd program is potentially vulnerable to a buffer overflow. (HPSBUX00277 SSRT3606) - A potential security vulnerability has been identified with HP-UX running ftpd, where a buffer overflow in ftpd could be remotely exploited to allow an unauthorized user to gain privileged access. (HPSBUX01118 SSRT4883) - A potential vulnerability has been identified with HP-UX running wu-ftpd with the restricted gid option enabled where the vulnerability could be exploited by a local user to gain unauthorized access to files. (HPSBUX01059 SSRT4704)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16907
    published: 2005-02-16
    reporter: This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16907
    title: HP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHNE_29462. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    # Registration pass. `description` is presumably set by the scanner when it
    # only wants the plugin's metadata; the block registers identifiers, text
    # and scoring, then returns at exit(0) without evaluating any host data.
    if (description)
    {
      script_id(16907);
      script_version("$Revision: 1.12 $");
      script_cvs_date("$Date: 2016/01/14 15:20:32 $");
    
      # Four CVE ids are registered for the five items listed in the description
      # below. The script does not map ids to bulletins - confirm against the HP
      # bulletins before attributing a finding to one specific CVE.
      script_cve_id("CVE-2003-0466", "CVE-2004-0148", "CVE-2004-1332", "CVE-2005-0547");
      script_xref(name:"HP", value:"emr_na-c00572225");
      script_xref(name:"HP", value:"emr_na-c00951272");
      script_xref(name:"HP", value:"emr_na-c00951289");
      script_xref(name:"HP", value:"emr_na-c01035676");
      script_xref(name:"HP", value:"emr_na-c01035678");
      script_xref(name:"HP", value:"HPSBUX00277");
      script_xref(name:"HP", value:"HPSBUX01050");
      script_xref(name:"HP", value:"HPSBUX01059");
      script_xref(name:"HP", value:"HPSBUX01118");
      script_xref(name:"HP", value:"HPSBUX01119");
      script_xref(name:"HP", value:"SSRT3456");
      script_xref(name:"HP", value:"SSRT3606");
      script_xref(name:"HP", value:"SSRT4694");
      script_xref(name:"HP", value:"SSRT4704");
      script_xref(name:"HP", value:"SSRT4883");
    
      script_name(english:"HP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.22 ftpd(1M) and ftp(1) patch : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - A potential vulnerability has been identified with HP-UX
        running ftpd where the vulnerability could be exploited
        to allow a remote authorized user unauthorized access to
        files. (HPSBUX01119 SSRT4694)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftp where the vulnerability could be
        exploited remotely to allow unauthorized access.
        (HPSBUX01050 SSRT3456)
    
      - The wu-ftpd program is potentially vulnerable to a
        buffer overflow. (HPSBUX00277 SSRT3606)
    
      - A potential security vulnerability has been identified
        with HP-UX running ftpd, where a buffer overflow in ftpd
        could be remotely exploited to allow an unauthorized
        user to gain privileged access. (HPSBUX01118 SSRT4883)
    
      - A potential vulnerability has been identified with HP-UX
        running wu-ftpd with the restricted gid option enabled
        where the vulnerability could be exploited by a local
        user to gain unauthorized access to files. (HPSBUX01059
        SSRT4704)"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951272
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6ca73dfe"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951289
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?353e3f75"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00572225
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2fb36360"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035676
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0e3b95fe"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035678
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9d4b2076"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHNE_29462 or subsequent."
      );
      # The vector and the three exploitability attributes below are set once for
      # the whole plugin, which bundles several issues (remote overflows as well
      # as the local restricted-gid bypass). They do not say which of the
      # registered CVEs has a public exploit or malware use, so they should not
      # be read as statements about CVE-2004-0148 on its own.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      # "local" plugin type: the required KB keys below are all Host/... entries,
      # i.e. the result comes from data collected on the host rather than from
      # talking to the FTP service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/06/03");
      script_set_attribute(attribute:"patch_modification_date", value:"2006/01/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      # Needs local checks enabled plus the HP-UX version and swlist output in
      # the KB (presumably populated by ssh_get_info.nasl, the only dependency).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    # Stop early unless the scan collected what this check relies on: local
    # checks enabled, an HP-UX version string, and the swlist output.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/HP-UX/version"))
    {
      audit(AUDIT_OS_NOT, "HP-UX");
    }
    if (!get_kb_item("Host/HP-UX/swlist"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    # PHNE_29462 is checked against release context 11.22 only.
    if (!hpux_check_ctx(ctx:"11.22"))
      exit(0, "The host is not affected since PHNE_29462 applies to a different OS release.");
    
    # Only PHNE_29462 itself is accepted as the fix here; this list names no
    # later patches.
    patches = make_list("PHNE_29462");
    foreach fixing_patch (patches)
    {
      if (hpux_installed(app:fixing_patch))
        exit(0, "The host is not affected because patch "+fixing_patch+" is installed.");
    }
    
    # Patch not found: the host is reported only when the fileset check
    # matches. Nothing in this script itself reads the ftpd configuration, so a
    # finding means "patch missing", not that a particular option is enabled.
    if (!hpux_check_patch(app:"InternetSrvcs.INETSVCS2-RUN", version:"B.11.22"))
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      if (report_verbosity > 0)
        security_hole(port:0, extra:hpux_report_get());
      else
        security_hole(0);
      exit(0);
    }
    
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_31732.NASL
    description: s700_800 11.23 ftpd(1M) and ftp(1) patch : A potential vulnerability has been identified with HP-UX running wu-ftpd with the restricted gid option enabled where the vulnerability could be exploited by a local user to gain unauthorized access to files.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26128
    published: 2007-09-25
    reporter: This script is Copyright (C) 2007-2013 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/26128
    title: HP-UX PHNE_31732 : HP-UX Running wu-ftpd Local Unauthorized Access (HPSBUX01059 SSRT4704 rev.4)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHNE_31732. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    # Registration pass. `description` is presumably set by the scanner when it
    # only wants the plugin's metadata; the block registers identifiers, text
    # and scoring, then returns at exit(0) without evaluating any host data.
    if (description)
    {
      script_id(26128);
      script_version("$Revision: 1.16 $");
      script_cvs_date("$Date: 2013/04/20 00:36:49 $");
    
      # A single CVE and a single HP bulletin: this plugin covers only the
      # restricted-gid issue described below.
      script_cve_id("CVE-2004-0148");
      script_xref(name:"HP", value:"emr_na-c00572225");
      script_xref(name:"HP", value:"HPSBUX01059");
      script_xref(name:"HP", value:"SSRT4704");
    
      script_name(english:"HP-UX PHNE_31732 : HP-UX Running wu-ftpd Local Unauthorized Access (HPSBUX01059 SSRT4704 rev.4)");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.23 ftpd(1M) and ftp(1) patch : 
    
    A potential vulnerability has been identified with HP-UX running
    wu-ftpd with the restricted gid option enabled where the vulnerability
    could be exploited by a local user to gain unauthorized access to
    files."
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00572225
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2fb36360"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHNE_31732 or subsequent."
      );
      # AV:L matches the "local user" wording of the description above.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      # "local" plugin type: the required KB keys below are all Host/... entries,
      # i.e. the result comes from data collected on the host rather than from
      # talking to the FTP service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/09/22");
      script_set_attribute(attribute:"patch_modification_date", value:"2006/01/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2013 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      # Needs local checks enabled plus the HP-UX version and swlist output in
      # the KB (presumably populated by ssh_get_info.nasl, the only dependency).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    # Stop early unless the scan collected what this check relies on: local
    # checks enabled, an HP-UX version string, and the swlist output.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/HP-UX/version"))
    {
      audit(AUDIT_OS_NOT, "HP-UX");
    }
    if (!get_kb_item("Host/HP-UX/swlist"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    # PHNE_31732 is checked against release context 11.23 only.
    if (!hpux_check_ctx(ctx:"11.23"))
      exit(0, "The host is not affected since PHNE_31732 applies to a different OS release.");
    
    # Any one of these patches being installed ends the check as "not affected".
    # The list starts with PHNE_31732 itself; the others are presumably the
    # patches that supersede it.
    patches = make_list("PHNE_31732", "PHNE_32286", "PHNE_33414", "PHNE_34306", "PHNE_34698", "PHNE_36065", "PHNE_36193", "PHNE_38578", "PHNE_38916", "PHNE_40380", "PHNE_41248", "PHNE_41581", "PHNE_42661");
    foreach fixing_patch (patches)
    {
      if (hpux_installed(app:fixing_patch))
        exit(0, "The host is not affected because patch "+fixing_patch+" is installed.");
    }
    
    # None of the patches was found: the host is reported only when the fileset
    # check matches. Nothing in this script itself reads the wu-ftpd
    # configuration, so a finding means "patch missing", not "restricted-gid is
    # in use on this host".
    if (!hpux_check_patch(app:"InternetSrvcs.INETSVCS2-RUN", version:"B.11.23"))
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      if (report_verbosity > 0)
        security_hole(port:0, extra:hpux_report_get());
      else
        security_hole(0);
      exit(0);
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_WUFTPD_262_3.NASL
    description: The following package needs to be updated: wu-ftpd+ipv6
    last seen: 2016-09-26
    modified: 2011-10-03
    plugin id: 12622
    published: 2004-07-06
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=12622
    title: FreeBSD : wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed (201)
    code:
    #%NASL_MIN_LEVEL 999999
    
    # @DEPRECATED@
    #
    # This script has been deprecated by freebsd_pkg_3b7c7f6c710211d8873f0020ed76ef5a.nasl.
    #
    # Disabled on 2011/10/02.
    #
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This script contains information extracted from VuXML :
    #
    # Copyright 2003-2006 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #   copyright notice, this list of conditions and the following
    #   disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #   published online in any format, converted to PDF, PostScript,
    #   RTF and other formats) must reproduce the above copyright
    #   notice, this list of conditions and the following disclaimer
    #   in the documentation and/or other materials provided with the
    #   distribution.
    #
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    #
    #
    
    include('compat.inc');
    
    # Registration pass of a plugin that its own header marks as deprecated.
    # The block registers identifiers, text and scoring and returns at exit(0);
    # the statements after the block never reach the package tests (see below).
    if ( description )
    {
     script_id(12622);
     script_version("1.13");
     script_bugtraq_id(9832);
     script_cve_id("CVE-2004-0148");
    
     script_name(english:"FreeBSD : wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed (201)");
    
    script_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');
    # The description names only wu-ftpd+ipv6, while the package tests at the end
    # of the script cover both wu-ftpd and wu-ftpd+ipv6.
    script_set_attribute(attribute:'description', value:'The following package needs to be updated: wu-ftpd+ipv6');
     script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"true");
    script_set_attribute(attribute:'solution', value: 'Update the package on the remote host');
    # NOTE(review): the first see_also value below is one multi-line string whose
    # links point at Red Hat Bugzilla, Gaim, KDE, Mozilla and Samba pages. None
    # of them appears to concern wu-ftpd; they look like a generation artefact.
    # The portaudit link registered right after it carries the same identifier
    # as the successor script named in the deprecation message.
    script_set_attribute(attribute: 'see_also', value: 'http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120508
    http://gaim.sourceforge.net/security/?id=20
    http://rhn.redhat.com/errata/RHSA-2004-181.html
    http://www.kde.org/info/security/advisory-20050721-1.txt
    http://www.mozilla.org/security/announce/2008/mfsa2008-60.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-61.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-62.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-63.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-64.html
    http://www.samba.org/samba/whatsnew/samba-3.0.5.html');
    script_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/3b7c7f6c-7102-11d8-873f-0020ed76ef5a.html');
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/06");
     script_cvs_date("Date: 2018/07/20  0:18:52");
     script_end_attributes();
     script_summary(english:"Check for wu-ftpd+ipv6");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     family["english"] = "FreeBSD Local Security Checks";
     script_family(english:family["english"]);
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/FreeBSD/pkg_info");
     exit(0);
    }
    
    # Deprecated.
    # The unconditional exit below ends every run with a pointer to plugin
    # #37480, so this script produces no findings of its own.
    exit(0, "This plugin has been deprecated. Refer to plugin #37480 (freebsd_pkg_3b7c7f6c710211d8873f0020ed76ef5a.nasl) instead.");
    
    # Unreachable after the exit above; kept as a record of the check as it was.
    # NOTE(review): cvss_score is set to 7 here, while the base vector registered
    # above is the one other plugins on this CVE use with a 7.2 rating - confirm
    # whether the integer was intentional.
    global_var cvss_score;
    cvss_score=7;
    include('freebsd_package.inc');
    
    
    # Version bounds the check used: wu-ftpd up to and including 2.6.2_3 and
    # wu-ftpd+ipv6 up to and including 2.6.2_5.
    pkg_test(pkg:"wu-ftpd<=2.6.2_3");
    
    pkg_test(pkg:"wu-ftpd+ipv6<=2.6.2_5");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-457.NASL
    description: Two vulnerabilities were discovered in wu-ftpd : - CAN-2004-0148 Glenn Stewart discovered that users could bypass the directory access restrictions imposed by the restricted-gid option by changing the permissions on their home directory. On a subsequent login, when access to the user's home directory was denied, wu-ftpd would fall back to the root directory.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15294
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15294
    title: Debian DSA-457-1 : wu-ftpd - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-457. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass. `description` is presumably set by the scanner when it
    # only wants the plugin's metadata; the block registers identifiers, text
    # and scoring, then returns at exit(0) without evaluating any host data.
    if (description)
    {
      script_id(15294);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      # The advisory text below uses the CAN- prefix for the same two numbers
      # that are registered here as CVE ids.
      script_cve_id("CVE-2004-0148", "CVE-2004-0185");
      script_bugtraq_id(9832);
      script_xref(name:"DSA", value:"457");
    
      script_name(english:"Debian DSA-457-1 : wu-ftpd - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two vulnerabilities were discovered in wu-ftpd :
    
      - CAN-2004-0148
        Glenn Stewart discovered that users could bypass the
        directory access restrictions imposed by the
        restricted-gid option by changing the permissions on
        their home directory. On a subsequent login, when access
        to the user's home directory was denied, wu-ftpd would
        fall back to the root directory.
    
      - CAN-2004-0185
    
        A buffer overflow existed in wu-ftpd's code which deals
        with S/key authentication."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2004/dsa-457"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the stable distribution (woody) these problems have been fixed in
    version 2.6.2-3woody4.
    
    We recommend that you update your wu-ftpd package."
      );
      # One AV:N vector and one set of exploitability attributes are registered
      # for the whole plugin, which covers both the restricted-gid bypass and the
      # S/key overflow; they are not a per-CVE statement.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # "local" plugin type: the required KB keys below are all Host/... entries,
      # i.e. the result comes from package data collected on the host.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wu-ftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      # NOTE(review): the vuln_publication_date of 2000/06/07 is years earlier
      # than the 2004 identifiers and the 2004/03/08 patch date - confirm.
      script_set_attribute(attribute:"patch_publication_date", value:"2004/03/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2000/06/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Needs local checks enabled plus the Debian release and dpkg listing in
      # the KB (presumably populated by ssh_get_info.nasl, the only dependency).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks enabled, a Debian release recorded, and a
    # dpkg listing collected. A missing item is reported through audit(), which
    # is expected to end the run with the matching audit code.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Both package names are compared against the fixed woody version.
    # The verdict is version-based only: nothing here inspects whether the
    # restricted-gid option is configured, so a finding means "unpatched
    # package installed", not "restriction bypass confirmed".
    flag = 0;
    foreach wu_pkg_prefix (make_list("wu-ftpd", "wu-ftpd-academ"))
    {
      if (deb_check(release:"3.0", prefix:wu_pkg_prefix, reference:"2.6.2-3woody4"))
        flag++;
    }
    
    if (!flag)
      audit(AUDIT_HOST_NOT, "affected");
    else
    {
      # Attach the package report only when the scan asks for verbose output.
      if (report_verbosity > 0)
        security_hole(port:0, extra:deb_report_get());
      else
        security_hole(0);
      exit(0);
    }
    
  • NASL familyFTP
    NASL idWU_FTPD_RESTRICTED_GID_BYPASS.NASL
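    descriptionThe remote host is running wu-ftpd 2.6.2 or older. There is a bug in this version which may allow an attacker to bypass the restricted-gid directory access restriction (wording completed from the plugin title; the original description is cut off here).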
    last seen2020-06-01
    modified2020-06-02
    plugin id12098
    published2004-03-14
    reporterCopyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/12098
    titleWU-FTPD restricted-gid Directory Access Restriction Bypass
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_3B7C7F6C710211D8873F0020ED76EF5A.NASL
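    descriptionGlenn Stewart reports a bug in wu-ftpd's handling of the ftpaccess `restricted-uid'/`restricted-gid' directives, which may be bypassed (wording completed from the plugin title; the original description is cut off here).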
    last seen2020-06-01
    modified2020-06-02
    plugin id37480
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37480
    titleFreeBSD : wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed (3b7c7f6c-7102-11d8-873f-0020ed76ef5a)

Oval

  • accepted2006-03-09T12:19:00.000-04:00
    classvulnerability
    contributors
    nameRobert L. Hollis
    organizationThreatGuard, Inc.
    descriptionwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
    familyunix
    idoval:org.mitre.oval:def:1147
    statusaccepted
    submitted2006-01-30T07:20:00.000-04:00
    titleHP-UX wuftpd Privilege Escalation Vulnerability (B.11.11)
    version35
  • accepted2010-09-20T04:00:15.821-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameTodd Dolinsky
      organizationOpsware, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    descriptionwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
    familyunix
    idoval:org.mitre.oval:def:1636
    statusaccepted
    submitted2006-01-30T07:20:00.000-04:00
    titleHP-UX wuftpd Privilege Escalation Vulnerability (B.11.22)
    version39
  • accepted2006-03-09T12:19:00.000-04:00
    classvulnerability
    contributors
    nameRobert L. Hollis
    organizationThreatGuard, Inc.
    descriptionwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
    familyunix
    idoval:org.mitre.oval:def:1637
    statusaccepted
    submitted2006-01-30T07:20:00.000-04:00
    titleHP-UX wuftpd Privilege Escalation Vulnerability (B.11.00)
    version35
  • accepted2010-09-20T04:00:34.087-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameMatthew Wojcik
      organizationThe MITRE Corporation
    • nameTodd Dolinsky
      organizationOpsware, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    descriptionwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
    familyunix
    idoval:org.mitre.oval:def:648
    statusaccepted
    submitted2006-01-30T07:20:00.000-04:00
    titleHP-UX wuftpd Privilege Escalation Vulnerability (B.11.23)
    version40

Redhat

advisories
rhsa
idRHSA-2004:096