Vulnerability CVE-2003-0466


Published: 2003-08-27   Modified: 2012-02-12

Description:
Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.

Type: CWE-Other

Vendor: Sun
Product: Solaris
Version: 9.0

Vendor: FreeBSD
Product: FreeBSD
Version: 5.0, 4.8, 4.7, 4.6.2, 4.6, 4.5, 4.4, 4.3, 4.2, 4.1.1, 4.1, 4.0

Vendor: OpenBSD
Product: OpenBSD
Version: 3.3, 3.2, 3.1, 3.0, 2.9, 2.8, 2.7, 2.6, 2.5, 2.4, 2.3, 2.2, 2.1, 2.0

Vendor: Red Hat
Product: wu-ftpd
Version: 2.6.2-8, 2.6.2-5, 2.6.1-18, 2.6.1-16

Vendor: Washington University
Product: wu-ftpd
Version: 2.6.2, 2.6.1, 2.6.0, 2.5.0

Vendor: Apple
Product: Mac OS X Server
Version: 10.2.6
Product: Mac OS X
Version: 10.2.6

Vendor: NetBSD
Product: NetBSD
Version: 1.6.1, 1.6, 1.5.3, 1.5.2, 1.5.1, 1.5

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0065.html
http://download.immunix.org/ImmunixOS/7+/Updates/errata/IMNX-2003-7+-019-01
http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
http://marc.info/?l=bugtraq&m=105967301604815&w=2
http://marc.info/?l=bugtraq&m=106001410028809&w=2
http://marc.info/?l=bugtraq&m=106001702232325&w=2
http://marc.info/?l=bugtraq&m=106002488209129&w=2
http://securitytracker.com/id?1007380
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001257.1-1
http://www.debian.org/security/2003/dsa-357
http://www.kb.cert.org/vuls/id/743092
http://www.mandriva.com/security/advisories?name=MDKSA-2003:080
http://www.novell.com/linux/security/advisories/2003_032_wuftpd.html
http://www.redhat.com/support/errata/RHSA-2003-245.html
http://www.redhat.com/support/errata/RHSA-2003-246.html
http://www.securityfocus.com/archive/1/424852/100/0/threaded
http://www.securityfocus.com/archive/1/425061/100/0/threaded
http://www.securityfocus.com/bid/8315
http://www.turbolinux.com/security/TLSA-2003-46.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/12785
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1970

Related CVE
CVE-2017-1000378
The NetBSD qsort() function is recursive, and not randomized, an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack m...
CVE-2017-1000375
NetBSD maps the run-time link-editor ld.so directly below the stack region, even if ASLR is enabled, this allows attackers to more easily manipulate memory leading to arbitrary code execution. This affects NetBSD 7.1 and possibly earlier versions.
CVE-2017-1000374
A flaw exists in NetBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using certain setuid binaries. This affects NetBSD 7.1 and possibly earlier versions.
CVE-2016-6253
mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows local users to change ownership of or append data to arbitrary files on the target system via a symlink attack on the user mailbox.
CVE-2015-8212
CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows remote attackers to execute arbitrary code via crafted arguments, which are handled by a non-CGI aware program.
CVE-2015-5917
The glob implementation in tnftpd (formerly lukemftpd), as used in Apple OS X before 10.11, allows remote attackers to cause a denial of service (memory consumption and daemon outage) via a STAT command containing a crafted pattern, as demonstrated b...
CVE-2014-7250
The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets...
CVE-2014-8517
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an H...

Copyright 2019, cxsecurity.com

 
