Vulnerability in Common Function
Affects BSD and Wu-FTPd
August 5, 2003
In multiple posts to various security mailing lists today, BSD vendors described a vulnerability affecting a commonly-used function that ships with many distributions of BSD. The vulnerability also affects a popular Linux FTP server, Wu-FTPd. A local or remote attacker might exploit this vulnerability to either crash or compromise your server. There is no direct impact on WatchGuard products. BSD administrators and Linux administrators using wu-ftpd should patch or upgrade their systems to prevent exploitation of this flaw.
All distributions of BSD contain a function called realpath(). Applications can use the realpath() function to determine the real (or absolute) pathname of user-provided pathnames that contain the "/./" or "/../" characters. When inputting a pathname, you can use the "." character to refer to the current directory and the ".." characters to refer to one directory up. For instance, if you are in the /opt/junk/ directory, typing "../[Program_name]" will run a program in the /opt/ directory. In this case, realpath() would determine that the real path of "../[Program_name]" when run from the /opt/junk/ directory is actually "/opt/[Program_name]". Wu-ftpd ships with fb_realpath(), a similar function that does the same thing.
An off-by-one bug was found in the realpath() functions that ship with BSD and wu-ftpd. An off-by-one bug is a programming flaw similar to a buffer overflow, where the programmer assigns too little buffer space for anticipated input. However, in the case of an off-by-one bug, the buffer is specifically one byte too small. Because of this, specially crafted input can overwrite one byte of memory. Depending on the location of the memory being overwritten, an attacker may exploit such a flaw to crash an application or the entire system. In some cases, the attacker might be able to exploit an off-by-one bug to execute code.
This realpath() off-by-one vulnerability affects the following versions of BSD and wu-ftpd:
All versions of FreeBSD up to and including 4.8-RELEASE
NetBSD-1.5 up to and NetBSD-current
OpenBSD-3.2 up to and OpenBSD-current
Wu-ftpd 2.5.0 up to and including 2.6.2
On BSD systems, the scope of this vulnerability depends on the applications installed on the BSD server. Many BSD applications use the realpath() function, but not all of them can be exploited using this flaw. Whether or not a local or remote attacker can exploit this vulnerability depends on what distribution of BSD you use and what applications your server runs. That said, many applications are susceptible, so patching is highly recommended.
In the case of a wu-ftpd server on a Linux machine, the scope of this vulnerability is much more concrete. A remote attacker with the ability to log onto your FTP server, even anonymously, can exploit this flaw to gain full control of your system. Someone has already released exploit code for this flaw on a public mailing list, so we recommend you patch immediately.