US-CERT Vulnerability Notes Database

Vulnerability Note VU#743092

realpath(3) function contains off-by-one buffer overflow

Overview

A function originally derived from 4.4BSD, realpath(3), contains a vulnerability that may permit a malicious user to gain root access to the server. This function was derived from the FreeBSD 3.x tree. Other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discovered to affect various BSD implementations as well.

I. Description

Several BSD operating systems and WU-FTPd are vulnerable to an off-by-one buffer overflow. The vulnerable code is in the realpath(3) function, and it may be exploited through several commands. Details of the vulnerability as it relates to WU-FTPd can be found in the security advisory released by isec.pl. According to their advisory:

    Linux 2.2.x and some early 2.4.x kernel versions define PATH_MAX to be
    4095 characters, thus only wu-ftpd binaries compiled on 2.0.x or later 2.4.x
    kernels are affected.


Upon further investigation, it has been determined that the vulnerable WU-FTPd function was derived from code in the FreeBSD 3.x tree. This code appears to have come from 4.4BSD. Therefore, other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discovered to affect various BSD implementations as well.
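
An added illustration of the bug class, not the 4.4BSD, FreeBSD or WU-FTPd source: when a resolved directory, a separator and a path component are copied into a fixed buffer, a length check that omits one byte accepts a result one byte larger than the buffer. BUF_MAX (a small stand-in for the PATH_MAX-sized buffer) and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_MAX 16  /* assumed stand-in for a PATH_MAX-sized buffer, kept small */

/* Bytes needed to store dir + "/" + name + terminating NUL. */
static size_t bytes_needed(const char *dir, const char *name)
{
    size_t sep = (strcmp(dir, "/") == 0) ? 0 : 1;  /* root already ends in '/' */
    return strlen(dir) + sep + strlen(name) + 1;
}

/* Flawed check (constructed): counts the NUL but forgets the separator,
 * so it accepts a result that is one byte larger than the buffer. */
static int flawed_fits(const char *dir, const char *name)
{
    return strlen(dir) + strlen(name) + 1 <= BUF_MAX;
}

/* Correct check: compares the full byte count against the buffer size. */
static int safe_fits(const char *dir, const char *name)
{
    return bytes_needed(dir, name) <= BUF_MAX;
}

/* Joins into out[BUF_MAX]; returns 0 on success, -1 if it would not fit. */
static int safe_join(char out[BUF_MAX], const char *dir, const char *name)
{
    if (!safe_fits(dir, name))
        return -1;
    snprintf(out, BUF_MAX, "%s%s%s", dir, strcmp(dir, "/") == 0 ? "" : "/", name);
    return 0;
}

int main(void)
{
    char out[BUF_MAX];
    const char *dir = "/pub/abc";   /* constructed input, 8 chars */
    const char *name = "1234567";   /* 7 chars: 8 + 1 + 7 + 1 = 17 bytes needed */
    printf("needed=%zu flawed=%d safe=%d join=%d\n", bytes_needed(dir, name),
           flawed_fits(dir, name), safe_fits(dir, name), safe_join(out, dir, name));
    return 0;
}
```

The boundary input is the one to test: the flawed check accepts it while the correct check rejects it, and only inputs at exactly that length tell the two apart.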

II. Impact

A malicious user may be able to exploit this vulnerability to gain elevated privileges on the vulnerable server. The malicious user may be authenticated to the server, or may be an anonymous user with write access to the server.

III. Solution

Please check the Systems Affected section for patches and upgrades to resolve this issue.

To help prevent a remote attacker from exploiting this issue, and as a general practice, do not permit anonymous users to have write access to the server.

Systems Affected

Vendor                      Status          Date Notified / Date Updated
Apple Computer Inc.         Vulnerable      15-Aug-2003
Conectiva                   Vulnerable      1-Aug-2003
Cray Inc.                   Not Vulnerable  4-Aug-2003
Debian                      Vulnerable      1-Aug-2003
FreeBSD                     Vulnerable      4-Aug-2003
Hewlett-Packard Company     Vulnerable      15-Aug-2003
IBM                         Not Vulnerable  15-Aug-2003
Immunix                     Vulnerable      15-Aug-2003
Ingrian Networks            Not Vulnerable  15-Aug-2003
MandrakeSoft                Vulnerable      31-Jul-2003
NetBSD                      Vulnerable      4-Aug-2003
OpenBSD                     Vulnerable      4-Aug-2003
Openwall GNU/*/Linux        Not Vulnerable  31-Jul-2003
Red Hat Inc.                Vulnerable      1-Aug-2003
SGI                         Not Vulnerable  1-Aug-2003
Sun Microsystems Inc.       Vulnerable      4-Aug-2003
SuSE Inc.                   Vulnerable      1-Aug-2003
TurboLinux                  Vulnerable      4-Aug-2003
Wind River Systems Inc.     Vulnerable      15-Aug-2003
WU-FTPD Development Group   Vulnerable      15-Aug-2003

References


http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
http://www.wuftpd.org/
http://www.secunia.com/advisories/9406/

Credit

Thanks to Janusz Niewiadomski and Wojciech Purczynski for reporting this vulnerability.

This document was written by Jason A Rafail and Jeffrey S Havrilla.

Other Information

Date Public: 2003-07-31
Date First Published: 2003-07-31
Date Last Updated: 2003-08-15
CERT Advisory:
CVE-ID(s): CAN-2003-0466
NVD-ID(s): CAN-2003-0466
US-CERT Technical Alerts:
Metric: 6.75
Document Revision: 16

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2003 Carnegie Mellon University