Vulnerability Note VU#743092
realpath(3) function contains off-by-one buffer overflow
Overview
A function originally derived from 4.4BSD, realpath(3), contains a vulnerability that may permit a malicious user to gain root access to the server. This function was derived from the FreeBSD 3.x tree. Other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discovered to affect various BSD implementations as well.
Description
Several BSD operating systems and WU-FTPd are vulnerable to an off-by-one buffer overflow. The vulnerable code is in the realpath(3) function, and it can be reached for exploitation through several commands. Details of the vulnerability as it relates to WU-FTPd can be found in the security advisory released by isec.pl. According to their advisory: Linux 2.2.x and some early 2.4.x kernel versions defines PATH_MAX to be
Upon further investigation, it has been determined that the vulnerable WU-FTPd function was derived from code in the FreeBSD 3.x tree. This code appears to have come from 4.4BSD. Therefore, other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discovered to affect various BSD implementations as well.
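The off-by-one class described above, as an added illustration (this is not the realpath(3) or WU-FTPd source, which this note does not reproduce): a length check for joining a directory and a file name into a fixed buffer that forgets the terminating NUL, beside a corrected check and a bounded join. BUF_CAP and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 16 /* constructed stand-in for a PATH_MAX-sized buffer */

/* Bytes "dir/name" really occupies: dir + '/' + name + terminating NUL. */
static size_t bytes_needed(size_t dirlen, size_t namelen)
{
    return dirlen + 1 + namelen + 1;
}

/* Flawed check: counts the '/' but not the NUL, so a result that needs
 * BUF_CAP + 1 bytes is accepted and the NUL lands one byte past the end. */
static int fits_off_by_one(size_t dirlen, size_t namelen)
{
    return dirlen + 1 + namelen <= BUF_CAP;
}

/* Correct check, written with subtraction so it cannot wrap around. */
static int fits_correct(size_t dirlen, size_t namelen)
{
    return dirlen < BUF_CAP - 1 && namelen <= BUF_CAP - 2 - dirlen;
}

/* Hardened join: writes "dir/name" into out, or returns -1 with out empty. */
static int join_path(char out[BUF_CAP], const char *dir, const char *name)
{
    size_t dl = strlen(dir), nl = strlen(name);

    out[0] = '\0';
    if (!fits_correct(dl, nl))
        return -1;
    memcpy(out, dir, dl);
    out[dl] = '/';
    memcpy(out + dl + 1, name, nl + 1); /* nl + 1 copies the NUL as well */
    return 0;
}

int main(void)
{
    char out[BUF_CAP];

    /* Constructed boundary case: 7-byte directory, 8-byte name. */
    printf("needed=%zu cap=%d flawed=%d correct=%d\n", bytes_needed(7, 8),
           BUF_CAP, fits_off_by_one(7, 8), fits_correct(7, 8));
    printf("join=%d\n", join_path(out, "/home/u", "abcdefgh"));
    return 0;
}
```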
Impact
A malicious user may be able to exploit this vulnerability to gain elevated privileges on the vulnerable server. The malicious user may be authenticated to the server, or may be an anonymous user with write access to the server.
Solution
Please check the Systems Affected section for patches and upgrades to resolve this issue.
To help prevent a remote attacker from exploiting this issue, and as a general practice, do not permit anonymous users to have write access to the server.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer Inc. | Affected | - | 15 Aug 2003 |
| Conectiva | Affected | - | 01 Aug 2003 |
| Debian | Affected | - | 01 Aug 2003 |
| FreeBSD | Affected | - | 04 Aug 2003 |
| Hewlett-Packard Company | Affected | - | 15 Aug 2003 |
| Immunix | Affected | - | 15 Aug 2003 |
| MandrakeSoft | Affected | - | 31 Jul 2003 |
| NetBSD | Affected | - | 04 Aug 2003 |
| OpenBSD | Affected | - | 04 Aug 2003 |
| Red Hat Inc. | Affected | - | 01 Aug 2003 |
| Sun Microsystems Inc. | Affected | - | 04 Aug 2003 |
| SuSE Inc. | Affected | - | 01 Aug 2003 |
| TurboLinux | Affected | - | 04 Aug 2003 |
| Wind River Systems Inc. | Affected | - | 15 Aug 2003 |
| WU-FTPD Development Group | Affected | - | 15 Aug 2003 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
- http://www.wuftpd.org/
- http://www.secunia.com/advisories/9406/
Credit
Thanks to Janusz Niewiadomski and Wojciech Purczynski for reporting this vulnerability.
This document was written by Jason A Rafail and Jeffrey S Havrilla.
Other Information
- CVE IDs: CAN-2003-0466
- Date Public: 31 Jul 2003
- Date First Published: 31 Jul 2003
- Date Last Updated: 15 Aug 2003
- Severity Metric: 6.75
- Document Revision: 16