Vulnerability Note VU#743092

realpath(3) function contains off-by-one buffer overflow

Original Release date: 31 Jul 2003 | Last revised: 15 Aug 2003

Overview

A function originally derived from 4.4BSD, realpath(3), contains a vulnerability that may permit a malicious user to gain root access to the server. This function was derived from the FreeBSD 3.x tree. Other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discoved to affect various BSD implementations as well.

Description

Several BSD operating systems and WU-FTPd are vulnerable to an off-by-one buffer overflow vulnerability. The vulnerable code is in the realpath(3) function and exploitation may be made through the use of several commands. Details of the vulnerability related to WU-FTPd can be found in the security advisory released by isec.pl. According to their advisory:

    Linux 2.2.x and some early 2.4.x kernel versions defines PATH_MAX to be
    4095 characters, thus only wu-ftpd binaries compiled on 2.0.x or later 2.4.x
    kernels are affected.


Upon further investigation, it has been determined that the vulnerable WU-FTPd function was derived from code in the FreeBSD 3.x tree. This code appears to have come from 4.4BSD. Therefore, other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discoved to affect various BSD implementations as well.

Impact

A malicious user may be able to exploit this vulnerability to gain elevated privileges on the vulnerable server. Malicious users may be authenticated to the server, or may be an anonymous user with write access to the server.

Solution

Please check the Systems Affected section for patches and upgrades to resolve this issue.

To help mitigate a remote attacker from exploiting this issue, and as a general practice, do not permit anonymous user to have write access to the server.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Affected-15 Aug 2003
ConectivaAffected-01 Aug 2003
DebianAffected-01 Aug 2003
FreeBSDAffected-04 Aug 2003
Hewlett-Packard CompanyAffected-15 Aug 2003
ImmunixAffected-15 Aug 2003
MandrakeSoftAffected-31 Jul 2003
NetBSDAffected-04 Aug 2003
OpenBSDAffected-04 Aug 2003
Red Hat Inc.Affected-01 Aug 2003
Sun Microsystems Inc.Affected-04 Aug 2003
SuSE Inc.Affected-01 Aug 2003
TurboLinuxAffected-04 Aug 2003
Wind River Systems Inc.Affected-15 Aug 2003
WU-FTPD Development GroupAffected-15 Aug 2003
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Janusz Niewiadomski and Wojciech Purczynski for reporting this vulnerability.

This document was written by Jason A Rafail and Jeffrey S Havrilla.

Other Information

  • CVE IDs: CAN-2003-0466
  • Date Public: 31 Jul 2003
  • Date First Published: 31 Jul 2003
  • Date Last Updated: 15 Aug 2003
  • Severity Metric: 6.75
  • Document Revision: 16

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.