|
|
Multiple Vendor Wu-Ftpd Buffer Overflow Vulnerability
There is a buffer overflow vulnerability present in versions of wu-ftpd 2.5 and below (and its derivatives). It is similar to the previous wu-ftpd bug, being related to path and path translation. The static array mapped_path is copied into a local buffer on the stack without bounds checking, allowing overflowing of the buffer and the execution of arbitrary code (as root). Systems running the vulnerable versions of wu-ftpd allowing anonymous access with writeable directories (ie. incoming) are especially vulnerable. The consequence is a possible remote root compromise through anonymous ftp (if enabled), or an almost guaranteed remote root compromise through a known user account/password. The code in question defines the function 'getcwd' to be 'mapped_path_cwd'. The mapped_path_cwd does not perform bounsd checking. When an FTP client sensd a CWD command the 'pwd' function is called which in turn calls 'getcwd' passing it a buffer in the stack of length MAXPATHLEN + 1. |
|
Privacy Statement |