CVE-2005-0256 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Washington University Wu-Ftpd 2.6.1/2.6.2

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, low complexity, washington-university, CWE-119, nessus, exploit available

Summary

The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.

Vulnerable Configurations

Part         Description            Count
Application  Washington_University  2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description: wu-ftpd. CVE-2005-0256. DoS exploit for Linux platform
id: EDB-ID:842
last seen: 2016-01-31
modified: 2005-02-25
published: 2005-02-25
reporter: str0ke
source: https://www.exploit-db.com/download/842/
title: wu-ftpd <= 2.6.2 - File Globbing Denial of Service Exploit

Nessus

  • NASL family: FTP
    NASL id: WU_FTPD_GLOB2.NASL
    description: The version of WU-FTPD running on the remote host exhausts all available resources on the server when it repeatedly receives the following command : LIST *****[...]*.* This issue has been confirmed in WU-FTPD 2.6.2 and earlier.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17602
    published: 2005-03-23
    reporter: Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17602
    title: WU-FTPD wu_fnmatch() Function File Globbing Remote DoS
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # References:
    # https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=207
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(17602);
      script_version("1.19");
      script_cvs_date("Date: 2018/08/15 16:35:43");
    
      script_cve_id("CVE-2005-0256");
    
      script_name(english:"WU-FTPD wu_fnmatch() Function File Globbing Remote DoS");
      script_summary(english:"Sends 'LIST *****[...]*.*' to the FTP server");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote FTP server has a denial of service vulnerability."
      );
      script_set_attribute(attribute:"description", value:
    "The version of WU-FTPD running on the remote host exhausts all
    available resources on the server when it repeatedly receives
    the following command :
    
    LIST *****[...]*.*
    
    This issue has been confirmed in WU-FTPD 2.6.2 and earlier.");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bad5e32a");
      script_set_attribute(
        attribute:"solution", 
        value:"Apply the latest vendor patches."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_cwe_id(119);
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/23");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/25");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
       script_category(ACT_DENIAL);
       script_family(english: "FTP");
    
       script_copyright(english: "Copyright (C) 2005-2018 Tenable Network Security, Inc.");
       script_dependencie("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
       script_require_ports("Services/ftp", 21);
       exit(0);
    }
    
    include("audit.inc");
    include('global_settings.inc');
    include("ftp_func.inc");
    
    port = get_ftp_port(default: 21);
    
    banner = get_ftp_banner(port: port);
    
    if (safe_checks())
    {
     if (egrep(string:banner, pattern:" FTP .*Version (wu|wuftpd)-2\.6\.(1|2|2\(1\)) ")) security_hole(port);
     exit(0);
    }
    
    # Uncomment next line if there are too many false positive
    # if (report_paranoia <= 0 && banner && "wu" >!< banner) exit(0);
    
    if (!banner || ("Version wu-" >!< banner &&
                    "Version wuftpd-" >!< banner))
      exit (0);
    
    login = get_kb_item("ftp/login");
    password = get_kb_item("ftp/password");
    
    if (supplied_logins_only && (isnull(login) || isnull(password)))
      audit(AUDIT_SUPPLIED_LOGINS_ONLY);
    
    if (! login) login = "anonymous";
    if (! password) password = "[email protected]";
    
    for (i = 0; i < 2; i ++)
    {
     soc = open_sock_tcp(port);
     if (! soc ||
         ! ftp_authenticate(socket:soc, user:login, pass:password))
      exit(0);
     pasv = ftp_pasv(socket: soc);
     if (! pasv) exit(1);
     soc2 = open_sock_tcp(pasv);
     if (! soc2) exit(1);
     # Above 194 *, the server answers "sorry input line too long"
     if (i)
     send(socket: soc, data: 'LIST ***********************************************************************************************************************************************************************************************.*\r\n');
     else
     send(socket: soc, data: 'LIST *.*\r\n');
     t1 = unixtime();
     b = ftp_recv_line(socket:soc);
     repeat
      data = recv(socket: soc2, length: 1024);
     until (! data);
     t[i] = unixtime() - t1;
     #b = ftp_recv_line(socket:soc);
     close(soc); soc = NULL;
     close(soc2);
    }
    
    if (t[0] == 0) t[0] = 1;
    if (t[1] > 3 * t[0]) security_hole(port);
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-705.NASL
    description: Several denial of service conditions have been discovered in wu-ftpd, the popular FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0256 Adam Zabrocki discovered a denial of service condition in wu-ftpd that could be exploited by a remote user and cause the server to slow down by resource exhaustion. - CAN-2003-0854 Georgi Guninski discovered that /bin/ls may be called from within wu-ftpd in a way that will result in large memory consumption and hence slow down the server.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18010
    published: 2005-04-11
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18010
    title: Debian DSA-705-1 : wu-ftpd - missing input sanitising
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-705. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18010);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2003-0854", "CVE-2005-0256");
      script_xref(name:"DSA", value:"705");
    
      script_name(english:"Debian DSA-705-1 : wu-ftpd - missing input sanitising");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several denial of service conditions have been discovered in wu-ftpd,
    the popular FTP daemon. The Common Vulnerabilities and Exposures
    project identifies the following problems :
    
      - CAN-2005-0256
        Adam Zabrocki discovered a denial of service condition
        in wu-ftpd that could be exploited by a remote user and
        cause the server to slow down by resource exhaustion.
    
      - CAN-2003-0854
    
        Georgi Guninski discovered that /bin/ls may be called
        from within wu-ftpd in a way that will result in large
        memory consumption and hence slow down the server."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-705"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the wu-ftpd package.
    
    For the stable distribution (woody) these problems have been fixed in
    version 2.6.2-3woody5."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wu-ftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/04/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/11");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/05/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"wu-ftpd", reference:"2.6.2-3woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"wu-ftpd-academ", reference:"2.6.2-3woody5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS10_X86_120086.NASL
    description: SunOS 5.10_x86: patch usr/sbin/in.ftpd. Date this patch was last updated by Sun : Apr/16/07
    last seen: 2018-09-01
    modified: 2018-08-13
    plugin id: 19216
    published: 2005-07-17
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=19216
    title: Solaris 10 (x86) : 120086-02
    code:
    #%NASL_MIN_LEVEL 80502
    
    # @DEPRECATED@
    #
    # This script has been deprecated as the associated patch is not
    # currently a recommended security fix.
    #
    # Disabled on 2011/09/17.
    
    #
    # (C) Tenable Network Security, Inc.
    #
    #
    
    if ( ! defined_func("bn_random") ) exit(0);
    include("compat.inc");
    
    if(description)
    {
     script_id(19216);
     script_version("1.29");
    
     script_name(english: "Solaris 10 (x86) : 120086-02");
     script_cve_id("CVE-2005-0256");
     script_set_attribute(attribute: "synopsis", value:
    "The remote host is missing Sun Security Patch number 120086-02");
     script_set_attribute(attribute: "description", value:
    'SunOS 5.10_x86: patch usr/sbin/in.ftpd.
    Date this patch was last updated by Sun : Apr/16/07');
     script_set_attribute(attribute: "solution", value:
    "You should install this patch for your system to be up-to-date.");
     script_set_attribute(attribute: "see_also", value:
    "https://getupdates.oracle.com/readme/120086-02");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
     script_cwe_id(119);
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/07/17");
     script_cvs_date("Date: 2019/10/25 13:36:22");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/25");
     script_end_attributes();
    
     script_summary(english: "Check for patch 120086-02");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
     family["english"] = "Solaris Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/Solaris/showrev");
     exit(0);
    }
    
    
    
    # Deprecated.
    exit(0, "The associated patch is not currently a recommended security fix.");
    
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_34306.NASL
    description: s700_800 11.23 ftpd(1M) and ftp(1) patch : A potential vulnerability has been identified with HP-UX running wu-ftpd where the vulnerability could be exploited by an authorized remote user to create a Denial of Service (DoS).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21550
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21550
    title: HP-UX PHNE_34306 : HP-UX Running wu-ftpd Remote Denial of Service (DoS) (HPSBUX02110 SSRT061110 rev.1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHNE_34306. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21550);
      script_version("1.20");
      script_cvs_date("Date: 2018/08/10 18:07:07");
    
      script_cve_id("CVE-2005-0256");
      script_xref(name:"HP", value:"emr_na-c00637342");
      script_xref(name:"HP", value:"HPSBUX02110");
      script_xref(name:"HP", value:"SSRT061110");
    
      script_name(english:"HP-UX PHNE_34306 : HP-UX Running wu-ftpd Remote Denial of Service (DoS) (HPSBUX02110 SSRT061110 rev.1)");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.23 ftpd(1M) and ftp(1) patch : 
    
    A potential vulnerability has been identified with HP-UX running
    wu-ftpd where the vulnerability could be exploited by an authorized
    remote user to create a Denial of Service (DoS)."
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00637342
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2ce3bd6f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHNE_34306 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/13");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.23"))
    {
      exit(0, "The host is not affected since PHNE_34306 applies to a different OS release.");
    }
    
    patches = make_list("PHNE_34306", "PHNE_34698", "PHNE_36065", "PHNE_36193", "PHNE_38578", "PHNE_38916", "PHNE_40380", "PHNE_41248", "PHNE_41581", "PHNE_42661");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"InternetSrvcs.INET-ENG-A-MAN", version:"B.11.23")) flag++;
    if (hpux_check_patch(app:"InternetSrvcs.INETSVCS2-RUN", version:"B.11.23")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_EF410571A54111D9A7880001020EED82.NASL
    description: An iDEFENSE Security Advisory reports : Remote exploitation of an input validation vulnerability in version 2.6.2 of WU-FTPD could allow for a denial of service of the system by resource exhaustion. The vulnerability specifically exists in the wu_fnmatch() function in wu_fnmatch.c. When a pattern containing a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19162
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19162
    title: FreeBSD : wu-ftpd -- remote globbing DoS vulnerability (ef410571-a541-11d9-a788-0001020eed82)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_34544.NASL
    description: s700_800 11.11 ftpd(1M) and ftp(1) patch : A potential vulnerability has been identified with HP-UX running wu-ftpd where the vulnerability could be exploited by an authorized remote user to create a Denial of Service (DoS).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21552
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21552
    title: HP-UX PHNE_34544 : HP-UX Running wu-ftpd Remote Denial of Service (DoS) (HPSBUX02110 SSRT061110 rev.1)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_34543.NASL
    description: s700_800 11.00 ftpd(1M) and ftp(1) patch : A potential vulnerability has been identified with HP-UX running wu-ftpd where the vulnerability could be exploited by an authorized remote user to create a Denial of Service (DoS).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21551
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21551
    title: HP-UX PHNE_34543 : HP-UX Running wu-ftpd Remote Denial of Service (DoS) (HPSBUX02110 SSRT061110 rev.1)
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS10_120085.NASL
    description: SunOS 5.10: in.ftpd patch. Date this patch was last updated by Sun : Apr/16/07
    last seen: 2018-09-01
    modified: 2018-08-13
    plugin id: 19215
    published: 2005-07-17
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=19215
    title: Solaris 10 (sparc) : 120085-02

Oval

  • accepted: 2007-10-02T08:08:08.109-04:00
    class: vulnerability
    contributors:
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Todd Dolinsky
      organization: Opsware, Inc.
    description: The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.
    family: unix
    id: oval:org.mitre.oval:def:1265
    status: accepted
    submitted: 2006-04-06T06:39:00.000-04:00
    title: WU-FTPD "glob-*" Remote DoS Vulnerability (B.11.23)
    version: 36
  • accepted: 2007-10-02T08:08:08.517-04:00
    class: vulnerability
    contributors:
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Todd Dolinsky
      organization: Opsware, Inc.
    description: The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.
    family: unix
    id: oval:org.mitre.oval:def:1333
    status: accepted
    submitted: 2006-04-06T06:39:00.000-04:00
    title: WU-FTPD "glob-*" Remote DoS Vulnerability (B.11.00)
    version: 38
  • accepted: 2007-10-02T08:08:11.109-04:00
    class: vulnerability
    contributors:
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Todd Dolinsky
      organization: Opsware, Inc.
    description: The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.
    family: unix
    id: oval:org.mitre.oval:def:1762
    status: accepted
    submitted: 2006-04-06T06:39:00.000-04:00
    title: WU-FTPD "glob-*" Remote DoS Vulnerability (B.11.11)
    version: 38

Statements

contributor: Mark J Cox
lastmodified: 2006-10-23
organization: Red Hat
statement: Not vulnerable. Red Hat Enterprise Linux 2.1 shipped with wu-ftpd, however we were unable to reproduce this issue. Additionally, a code analysis showed that attempts to exploit this issue would be caught in the versions we shipped. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=149720