Vulnerabilities > CVE-2004-0185 - Unspecified vulnerability in Washington University Wu-Ftpd 2.6.2
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
washington-university
nessus
Summary
Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp daemon (wu-ftpd) 2.6.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a s/key (SKEY) request with a long name.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-096.NASL description An updated wu-ftpd package that fixes two security issues is now available. The wu-ftpd package contains the Washington University FTP (File Transfer Protocol) server daemon. FTP is a method of transferring files between machines. Glenn Stewart discovered a flaw in wu-ftpd. When configured with last seen 2020-06-01 modified 2020-06-02 plugin id 12475 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12475 title RHEL 2.1 : wu-ftpd (RHSA-2004:096) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2004:096. The text
# itself is copyright (C) Red Hat, Inc.
#
# Purpose: local (credentialed) package check. The first part registers the
# plugin metadata; the second part compares the installed wu-ftpd rpm on a
# RHEL 2.1 i386 host with the reference build named in the rpm_check() call.
# Nothing is sent to the FTP service itself.

include("compat.inc");

# Registration pass: only metadata is declared, then the script exits.
if (description)
{
  script_id(12475);
  script_version ("1.27");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  # NOTE(review): three CVE ids are attached, while the advisory text below
  # speaks of "two security issues" and names only CVE-2004-0148 explicitly.
  script_cve_id("CVE-2003-1329", "CVE-2004-0148", "CVE-2004-0185");
  script_xref(name:"RHSA", value:"2004:096");

  script_name(english:"RHEL 2.1 : wu-ftpd (RHSA-2004:096)");
  script_summary(english:"Checks the rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An updated wu-ftpd package that fixes two security issues is now available. The wu-ftpd package contains the Washington University FTP (File Transfer Protocol) server daemon. FTP is a method of transferring files between machines. Glenn Stewart discovered a flaw in wu-ftpd. When configured with 'restricted-gid home', an authorized user could use this flaw to circumvent the configured home directory restriction by using chmod. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0148 to this issue.
Michael Hendrickx found a flaw in the S/Key login handling. On servers using S/Key authentication, a remote attacker could overflow a buffer and potentially execute arbitrary code. Users of wu-ftpd are advised to upgrade to this updated package, which contains backported security patches and is not vulnerable to these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2003-1329"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2004-0148"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2004-0185"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.securiteam.com/unixfocus/6X00Q1P8KC.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2004:096"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected wu-ftpd package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # "local": the verdict comes from host data in the knowledge base, not from
  # probing the service (see the required keys below).
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:wu-ftpd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/12/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/03/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc.
or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  # The KB keys required here are presumably filled in by ssh_get_info.nasl
  # during a credentialed scan -- confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# Each precondition below ends in audit(); audit() lives in audit.inc (not
# shown) and presumably reports the reason and stops the script, so a host
# that fails any of them is left untested rather than reported as clean.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
# ">!<" tests that the left string does NOT occur in the right one.
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
# Only release 2.1 is in scope; the trailing group keeps "2.10" and the like out.
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
# x86_64 and s390 pass this first test but are stopped by the next one:
# only i386-class hosts are actually evaluated.
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

# Two mutually exclusive paths: when yum updateinfo data is in the KB the
# verdict comes from that data alone and rpm_check() is never called.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2004:096";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  # The reference is a 2.6.1 build: per the advisory text the fixes were
  # backported, so the upstream version number alone does not tell whether a
  # RHEL host is patched. rpm_check() is defined in rpm.inc (not shown);
  # presumably it flags an installed package older than the reference.
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"wu-ftpd-2.6.1-22")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    # Distinguishes "package present and not affected" from "package absent".
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wu-ftpd");
  }
}
NASL family FTP NASL id WU_FTPD_SKEY_REMOTE_BUFF.NASL description This version of WU-FTPD contains a remote overflow if s/key support is enabled. The skey_challenge function fails to perform bounds checking on the name variable resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity and/or availability. It appears that this vulnerability may be exploited prior to authentication. It is reported that S/Key support is not enabled by default, though some operating system distributions which ship WU-FTPD may have it enabled. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. last seen 2020-06-01 modified 2020-06-02 plugin id 14372 published 2004-08-25 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14372 title WU-FTPD S/KEY Authentication ftpd.c skey_challenge Function Remote Overflow code
#
# (C) Tenable Network Security, Inc.
#
# Purpose: remote, banner-only check for CVE-2004-0185. The first part
# registers the plugin metadata; the second part reads the FTP banner and
# reports when it carries one of the wu-ftpd version strings matched below.
# It never looks at the S/Key configuration or at the patch level, so a hit
# is a lead to verify on the host, not a confirmed finding.

include("compat.inc");

# Registration pass: only metadata is declared, then the script exits.
if (description)
{
 script_id(14372);
 script_version("1.20");

 script_cve_id("CVE-2004-0185");
 script_bugtraq_id(8893);
 script_xref(name:"DSA", value:"DSA-457-1");
 script_xref(name:"RHSA", value:"2004:096-09");

 script_name(english:"WU-FTPD S/KEY Authentication ftpd.c skey_challenge Function Remote Overflow");

 script_set_attribute(attribute:"synopsis", value:
"The remote FTP server seems to be vulnerable to a remote buffer overflow." );
 script_set_attribute(attribute:"description", value:
"This version of WU-FTPD contains a remote overflow if s/key support is enabled. The skey_challenge function fails to perform bounds checking on the name variable resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity and/or availability. It appears that this vulnerability may be exploited prior to authentication.
It is reported that S/Key support is not enabled by default, though some operating system distributions which ship WU-FTPD may have it enabled. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive." );
 script_set_attribute(attribute:"see_also", value:"http://www.securiteam.com/unixfocus/6X00Q1P8KC.html" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to WU-FTPD 2.6.3 when available or disable SKEY or apply the patches available at http://www.wu-ftpd.org" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/25");
 script_set_attribute(attribute:"vuln_publication_date", value: "2000/06/07");
 script_cvs_date("Date: 2018/08/07 16:46:50");
 # Declared as a potential (unconfirmed) finding, consistent with the
 # banner-only logic at the bottom of the script.
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_summary(english:"Checks the banner of the remote wu-ftpd server");
 script_category(ACT_GATHER_INFO);
 script_family(english:"FTP");
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");

 # NOTE(review): spelled script_dependencie here, while the two package-check
 # plugins shown on this page use script_dependencies.
 script_dependencie("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
 # "Settings/ParanoidReport" is a required key: the plugin is meant to run
 # only in paranoid reporting mode.
 script_require_keys("ftp/login", "ftp/wuftpd", "Settings/ParanoidReport");
 script_require_ports("Services/ftp", 21);
 exit(0);
}

#
# The script code starts here :
#
include("ftp_func.inc");
include("backport.inc");
include("global_settings.inc");
include("audit.inc");

# Stops unless report_paranoia is at least 2 (audit() comes from audit.inc,
# not shown; presumably it ends the script).
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_ftp_port(default: 21);

# get_backport_banner() comes from backport.inc (not shown); presumably it
# adjusts banners of vendor builds known to carry backported fixes -- confirm.
banner = get_backport_banner(banner:get_ftp_banner(port: port));
# No banner: exit silently, nothing is reported either way.
if (! banner ) exit(0);

# Matches "wu-" or "wuftpd-" followed by 2.5.<anything> or 2.6.0 / 2.6.1 /
# 2.6.2. The pattern is not anchored after the last digit, so any banner text
# that merely starts with one of these prefixes also matches (constructed
# example: "wu-2.6.20"). A server with a changed or hidden banner is not
# detected, and a patched build that still announces one of these versions is
# reported.
if(egrep(pattern:".*(wu|wuftpd)-(2\.(5\.|6\.[012])).*", string:banner))
	security_hole(port);
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-457.NASL description Two vulnerabilities were discovered in wu-ftpd : - CAN-2004-0148 Glenn Stewart discovered that users could bypass the directory access restrictions imposed by the restricted-gid option by changing the permissions on their home directory. On a subsequent login, when access to the user last seen 2020-06-01 modified 2020-06-02 plugin id 15294 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15294 title Debian DSA-457-1 : wu-ftpd - several vulnerabilities code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-457. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Purpose: local (credentialed) package check. The first part registers the
# plugin metadata; the second part compares the wu-ftpd and wu-ftpd-academ
# packages on a Debian 3.0 host with the fixed version 2.6.2-3woody4.
# Nothing is sent to the FTP service itself.

include("compat.inc");

# Registration pass: only metadata is declared, then the script exits.
if (description)
{
  script_id(15294);
  script_version("1.22");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  # The advisory text below uses the older "CAN-" prefix for the same two
  # numbers that are registered here as CVE ids.
  script_cve_id("CVE-2004-0148", "CVE-2004-0185");
  script_bugtraq_id(9832);
  script_xref(name:"DSA", value:"457");

  script_name(english:"Debian DSA-457-1 : wu-ftpd - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Two vulnerabilities were discovered in wu-ftpd : - CAN-2004-0148 Glenn Stewart discovered that users could bypass the directory access restrictions imposed by the restricted-gid option by changing the permissions on their home directory. On a subsequent login, when access to the user's home directory was denied, wu-ftpd would fall back to the root directory. - CAN-2004-0185 A buffer overflow existed in wu-ftpd's code which deals with S/key authentication."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2004/dsa-457"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"For the stable distribution (woody) these problems have been fixed in version 2.6.2-3woody4. We recommend that you update your wu-ftpd package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # "local": the verdict comes from host data in the knowledge base, not from
  # probing the service (see the required keys below).
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wu-ftpd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/03/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2000/06/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # The KB keys required here are presumably filled in by ssh_get_info.nasl
  # during a credentialed scan -- confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Each precondition ends in audit(); audit() lives in audit.inc (not shown)
# and presumably reports the reason and stops the script, so a host that
# fails any of them is left untested rather than reported as clean.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
# Two package names are tested against the same fixed version. deb_check() is
# defined in debian_package.inc (not shown); presumably it flags an installed
# package older than the reference.
if (deb_check(release:"3.0", prefix:"wu-ftpd", reference:"2.6.2-3woody4")) flag++;
if (deb_check(release:"3.0", prefix:"wu-ftpd-academ", reference:"2.6.2-3woody4")) flag++;

if (flag)
{
  # The package detail from deb_report_get() is attached only when
  # report_verbosity is above 0.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Redhat
advisories |
|
References
- http://www.securiteam.com/unixfocus/6X00Q1P8KC.html
- ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/skeychallenge.patch
- http://www.debian.org/security/2004/dsa-457
- http://www.redhat.com/support/errata/RHSA-2004-096.html
- http://unixpunx.org/txt/exploits_archive/packetstorm/0310-advisories/wuftpd-skey.txt
- http://www.securityfocus.com/bid/8893
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13518