A function originally derived from 4.4BSD, realpath(3), contains a vulnerability that may permit a malicious user to gain root access to the server. This function was derived from the FreeBSD 3.x tree. Other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discoved to affect various BSD implementations as well.
Several BSD operating systems and WU-FTPd are vulnerable to an off-by-one buffer overflow vulnerability. The vulnerable code is in the realpath(3) function and exploitation may be made through the use of several commands. Details of the vulnerability related to WU-FTPd can be found in the security advisory released by isec.pl. According to their advisory:
Linux 2.2.x and some early 2.4.x kernel versions defines PATH_MAX to be
A malicious user may be able to exploit this vulnerability to gain elevated privileges on the vulnerable server. Malicious users may be authenticated to the server, or may be an anonymous user with write access to the server.
Please check the Systems Affected section for patches and upgrades to resolve this issue.
To help mitigate a remote attacker from exploiting this issue, and as a general practice, do not permit anonymous user to have write access to the server.
Apple Computer Inc. Affected
Hewlett-Packard Company Affected
Red Hat Inc. Affected
SuSE Inc. Affected
Sun Microsystems Inc. Affected
WU-FTPD Development Group Affected
Wind River Systems Inc. Affected
Cray Inc. Not Affected
IBM Not Affected
Ingrian Networks Not Affected
Openwall GNU/*/Linux Not Affected
SGI Not Affected
Thanks to Janusz Niewiadomski and Wojciech Purczynski for reporting this vulnerability.
This document was written by Jason A Rafail and Jeffrey S Havrilla.
|Date First Published:||2003-07-31|
|Date Last Updated:||2003-08-15 17:34 UTC|