Synopsis: wu-ftpd fb_realpath() off-by-one bug
Product:  wu-ftpd
Version:  2.5.0 <= 2.6.2
Vendor:   http://www.wuftpd.org/
URL:      http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
CVE:      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466
Author:   Wojciech Purczynski
          Janusz Niewiadomski
Date:     July 31, 2003

Issue:
======

The Wu-ftpd FTP server contains a remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability to gain root
privileges on a vulnerable system.

Details:
========

An off-by-one bug exists in the fb_realpath() function. An overflow
occurs when the length of a constructed path is equal to MAXPATHLEN+1
characters, while the buffer that receives it is only MAXPATHLEN
characters in size. The overflowed buffer lies on the stack.

The bug results from misuse of the rootd variable when calculating the
length of the concatenated string:

------8<------cut-here------8<------
/*
 * Join the two strings together, ensuring that the right thing
 * happens if the last component is empty, or the dirname is root.
 */
if (resolved[0] == '/' && resolved[1] == '\0')
	rootd = 1;
else
	rootd = 0;

if (*wbuf) {
	if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
		errno = ENAMETOOLONG;
		goto err1;
	}
	if (rootd == 0)
		(void) strcat(resolved, "/");
	(void) strcat(resolved, wbuf);
}
------8<------cut-here------8<------

Since the path is constructed from the current working directory and a
file name given as a parameter to various FTP commands, an attacker needs
to create a deep directory structure first. The following FTP commands
may be used to trigger the buffer overflow:

	STOR
	RETR
	APPE
	DELE
	MKD
	RMD
	STOU
	RNTO

This bug may be non-exploitable if the size of the buffer is greater than
MAXPATHLEN characters. This may occur, for example, if wu-ftpd is compiled
against some versions of the Linux kernel where PATH_MAX (and MAXPATHLEN
accordingly) is defined to be exactly 4095 characters. In such cases the
buffer is padded with an extra byte because of variable alignment, which
is a result of code optimization. Linux 2.2.x and some early 2.4.x kernel
versions define PATH_MAX to be 4095 characters, thus only wu-ftpd binaries
compiled on 2.0.x or later 2.4.x kernels are affected.

Exploit:
========

We investigated and successfully exploited this vulnerability on an
x86-based Linux system running a 2.4.19 kernel. We believe that
exploitation of other little-endian systems is also possible.

Impact:
=======

An authenticated local user or an anonymous FTP user with write access
could execute arbitrary code with root privileges.

Vendor Status:
==============

June 1, 2003   security@wu-ftpd.org has been notified
June 9, 2003   Request for confirmation of receipt sent to security@wu-ftpd.org
June 11, 2003  Response received from Kent Landfield
July 3, 2003   Request for status update sent
July 19, 2003  vendor-sec list notified
July 31, 2003  Coordinated public disclosure

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0466 to this issue.
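The arithmetic behind the faulty length check quoted under Details, as an added example that is not part of the original advisory: it models the join step of fb_realpath() against a deliberately small DEMO_MAXPATHLEN (an assumed stand-in for the real MAXPATHLEN), counts how many bytes the two strcat() calls actually write, and places the vulnerable check next to a corrected one that counts the "/" separator only when it is appended (1 - rootd; my own derivation, not the vendor's patch). No buffer is overflowed; the functions only report what the check would admit.

```c
#include <stdio.h>
#include <string.h>

/* Constructed value so the boundary case is easy to read; the real buffer
 * in fb_realpath() is MAXPATHLEN (PATH_MAX) bytes. */
#define DEMO_MAXPATHLEN 16

static int is_root(const char *resolved) {
    return resolved[0] == '/' && resolved[1] == '\0';
}

/* Bytes the join really writes: existing string, the "/" separator when
 * resolved is not the root directory, wbuf, and the terminating NUL. */
static size_t bytes_needed(const char *resolved, const char *wbuf) {
    int rootd = is_root(resolved);
    return strlen(resolved) + (rootd ? 0 : 1) + strlen(wbuf) + 1;
}

/* The check exactly as in the vulnerable code: 1 = reject (ENAMETOOLONG),
 * 0 = let the strcat() calls run. rootd is added where the separator is
 * NOT written, so the non-root case is under-counted by one byte. */
static int vulnerable_check_rejects(const char *resolved, const char *wbuf) {
    int rootd = is_root(resolved);
    return strlen(resolved) + strlen(wbuf) + rootd + 1 > DEMO_MAXPATHLEN;
}

/* Assumed correction: account for the separator only when it is added. */
static int fixed_check_rejects(const char *resolved, const char *wbuf) {
    int rootd = is_root(resolved);
    return strlen(resolved) + strlen(wbuf) + (1 - rootd) + 1 > DEMO_MAXPATHLEN;
}

/* 1 when the vulnerable check admits a join that needs more bytes than
 * the buffer holds, i.e. the off-by-one condition. */
static int vulnerable_check_overflows(const char *resolved, const char *wbuf) {
    return !vulnerable_check_rejects(resolved, wbuf)
        && bytes_needed(resolved, wbuf) > DEMO_MAXPATHLEN;
}

int main(void) {
    /* Constructed inputs: a 12-character directory and a 3-character name.
     * Vulnerable check: 12 + 3 + 0 + 1 = 16, not > 16, so it passes;
     * bytes actually written: 12 + 1 + 3 + 1 = 17, one past the buffer. */
    const char *cwd = "/a/b/c/d/e/f";
    const char *name = "xyz";
    printf("needed=%zu vulnerable_rejects=%d fixed_rejects=%d overflow=%d\n",
           bytes_needed(cwd, name), vulnerable_check_rejects(cwd, name),
           fixed_check_rejects(cwd, name), vulnerable_check_overflows(cwd, name));
    return 0;
}
```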