Results 1 to 3 of 3
  1. #1
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001

    BSD & Wu-FTPd 'realpath()' Vulnerability

    Guys, I received this notification from Watchguard Livesecurity this morning regarding a vulnerability in BSD and Wu-FTPd - both using the common 'realpath()' function.. Just wanted to give you guys the heads up in case you weren't aware..

    Vulnerability in Common Function
    Affects BSD and Wu-FTPd
    Severity: Medium
    August 5, 2003

    In multiple posts to various security mailing lists today, BSD vendors described a vulnerability affecting a commonly-used function that ships with many distributions of BSD. The vulnerability also affects a popular Linux FTP server, Wu-FTPd. A local or remote attacker might exploit this vulnerability to either crash or compromise your server. There is no direct impact on WatchGuard products. BSD administrators and Linux administrators using wu-ftpd should patch or upgrade their systems to prevent exploitation of this flaw.

    All distributions of BSD contain a function called realpath(). Applications can use the realpath() function to determine the real (or absolute) pathname of user-provided pathnames that contain the "/./" or "/../" characters. When inputting a pathname, you can use the "." character to refer to the current directory and the ".." characters to refer to one directory up. For instance, if you are in the /opt/junk/ directory, typing "../[Program_name]" will run a program in the /opt/ directory. In this case, realpath() would determine that the real path of "../[Program_name]" when run from the /opt/junk/ directory is actually "/opt/[Program_name]". Wu-ftpd ships with fb_realpath(), a similar function that does the same thing.

    An off-by-one bug was found in the realpath() functions that ship with BSD and wu-ftpd. An off-by-one bug is a programming flaw similar to a buffer overflow, where the programmer assigns too little buffer space for anticipated input. However, in the case of an off-by-one bug, the buffer is specifically one byte too small. Because of this, specially crafted input can overwrite one byte of memory. Depending on the location of the memory being overwritten, an attacker may exploit such a flaw to crash an application or the entire system. In some cases, the attacker might be able to exploit an off-by-one bug to execute code.

    This realpath() off-by-one vulnerability affects the following versions of BSD and wu-ftpd:

    All versions of FreeBSD up to and including 4.8-RELEASE
    NetBSD-1.5 up to and NetBSD-current
    OpenBSD-3.2 up to and OpenBSD-current
    Wu-ftpd 2.5.0 up to and including 2.6.2
    On BSD systems, the scope of this vulnerability depends on the applications installed on the BSD server. Many BSD applications use the realpath() function, but not all of them can be exploited using this flaw. Whether or not a local or remote attacker can exploit this vulnerability depends on what distribution of BSD you use and what applications your server runs. That said, many applications are susceptible, so patching is highly recommended.

    In the case of a wu-ftpd server on a Linux machine, the scope of this vulnerability is much more concrete. A remote attacker with the ability to log onto your FTP server, even anonymously, can exploit this flaw to gain full control of your system. Someone has already released exploit code for this flaw on a public mailing list, so we recommend you patch immediately.

    More information and patches available here:
    FreeBSD: http://www.secunia.com/advisories/9423/
    NetBSD: http://www.secunia.com/advisories/9446/
    OpenBSD: http://www.secunia.com/advisories/9447/
    Wu-FTPd: http://www.secunia.com/advisories/9406/

  2. #2
    Hi mom!
    Join Date
    Aug 2001
    This bug does not only affect Wu-ftpd, but all programs that use realpath. The list is quite extensive (for FreeBSD-ports, for example, look at this).
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  3. #3
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    You are correct, Guus. I believe that Wu-FTPd was named specifically because it could be running on systems other than BSD...

    That's a pretty big list from the link you gave - although they mention not all of those applications may be vulnerable, it's still a risk...
    - Maverick

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts