The HP-UX FTP daemon (ftpd) contains a buffer overflow that may allow an unauthenticated, remote attacker to execute arbitrary code.
The HP-UX FTP daemon (ftpd) is vulnerable to a buffer overflow when it is configured to log debugging information. Debug logging is enabled if the -v flag is present on the ftpd entry in the inetd configuration file (/etc/inetd.conf). If an unauthenticated, remote attacker supplies the FTP daemon with a specially crafted command, that attacker may be able to trigger a stack-based buffer overflow.
Please note that the debug logging option is disabled by default.
If an unauthenticated, remote attacker supplies the FTP daemon with a specially crafted command, that attacker may be able to execute arbitrary code with the privileges of the FTP daemon, typically root.
Disable Debug Logging
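A read-only check for this condition, added here as an example and not part of the original advisory: it lists the active ftpd entries in an inetd.conf-style file whose arguments include -v. The sample lines, the /usr/lbin/ftpd path and the function names are constructed for illustration, and the check assumes -v appears as its own argument.

```shell
#!/bin/sh
# Added example: find active ftpd entries that enable debug logging (-v).
# inetd.conf fields: service socket proto wait user server_path argv0 [args...]

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
cat <<'EOF'
# ftp  stream tcp  nowait root /usr/lbin/ftpd    ftpd -l -v
ftp    stream tcp  nowait root /usr/lbin/ftpd    ftpd -l -v
ftp    stream tcp6 nowait root /usr/lbin/ftpd    ftpd -l
telnet stream tcp  nowait root /usr/lbin/telnetd telnetd -v
EOF
}

# Print "LINE_NO: entry" for each active ftpd entry whose arguments include -v.
ftpd_debug_entries() {
    awk '
        /^[ \t]*#/ || NF < 7 { next }       # skip comments, blanks, short lines
        {
            n = split($6, path, "/")         # field 6 is the server program path
            if (path[n] != "ftpd") next      # only entries that launch ftpd
            for (i = 7; i <= NF; i++)        # scan argv0 and every argument
                if ($i == "-v") { print NR ": " $0; break }
        }
    ' "$1"
}

# Return 1 (and print the entries) when debug logging is enabled, else 0.
check_ftpd_debug() {
    hits=$(ftpd_debug_entries "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone use: pass the file to audit, e.g. /etc/inetd.conf.
if [ "$#" -gt 0 ]; then
    check_ftpd_debug "$1"
fi
```

A commented-out entry is ignored, so only lines inetd would actually act on are reported.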
This vulnerability was reported by iDEFENSE Security.
This document was written by Jeff Gennari.
Date First Published: 2005-02-25
Date Last Updated: 2005-02-25 16:50 UTC