ID CVE-2004-0148 Type cve Reporter NVD Modified 2018-05-02T21:29:24
Description
wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
{"nessus": [{"lastseen": "2019-01-16T20:07:29", "bulletinFamily": "scanner", "description": "s700_800 11.23 ftpd(1M) and ftp(1) patch : \n\nA potential vulnerability has been identified with HP-UX running\nwu-ftpd with the restricted gid option enabled where the vulnerability\ncould be exploited by a local user to gain unauthorized access to\nfiles.", "modified": "2013-04-20T00:00:00", "published": "2007-09-25T00:00:00", "id": "HPUX_PHNE_31732.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=26128", "title": "HP-UX PHNE_31732 : HP-UX Running wu-ftpd Local Unauthorized Access (HPSBUX01059 SSRT4704 rev.4)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_31732. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(26128);\n script_version(\"$Revision: 1.16 $\");\n script_cvs_date(\"$Date: 2013/04/20 00:36:49 $\");\n\n script_cve_id(\"CVE-2004-0148\");\n script_xref(name:\"HP\", value:\"emr_na-c00572225\");\n script_xref(name:\"HP\", value:\"HPSBUX01059\");\n script_xref(name:\"HP\", value:\"SSRT4704\");\n\n script_name(english:\"HP-UX PHNE_31732 : HP-UX Running wu-ftpd Local Unauthorized Access (HPSBUX01059 SSRT4704 rev.4)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.23 ftpd(1M) and ftp(1) patch : \n\nA potential vulnerability has been identified with HP-UX running\nwu-ftpd with the restricted gid option enabled where the vulnerability\ncould be exploited by a local user to gain unauthorized access to\nfiles.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00572225\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2fb36360\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_31732 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/09/22\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2006/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/09/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2013 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.23\"))\n{\n exit(0, \"The host is not affected since PHNE_31732 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_31732\", \"PHNE_32286\", \"PHNE_33414\", \"PHNE_34306\", \"PHNE_34698\", \"PHNE_36065\", \"PHNE_36193\", \"PHNE_38578\", \"PHNE_38916\", \"PHNE_40380\", \"PHNE_41248\", \"PHNE_41581\", \"PHNE_42661\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"InternetSrvcs.INETSVCS2-RUN\", version:\"B.11.23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:24:42", "bulletinFamily": "scanner", "description": "The following package needs to be updated: wu-ftpd+ipv6", "modified": "2011-10-03T00:00:00", "published": "2004-07-06T00:00:00", "id": "FREEBSD_WUFTPD_262_3.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12622", "type": "nessus", "title": "FreeBSD : wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed (201)", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated by freebsd_pkg_3b7c7f6c710211d8873f0020ed76ef5a.nasl.\n#\n# Disabled on 2011/10/02.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This script contains information extracted from VuXML :\n#\n# Copyright 2003-2006 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n#\n#\n\ninclude('compat.inc');\n\nif ( description )\n{\n script_id(12622);\n script_version(\"$Revision: 1.12 $\");\n script_bugtraq_id(9832);\n script_cve_id(\"CVE-2004-0148\");\n\n script_name(english:\"FreeBSD : wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed (201)\");\n\nscript_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');\nscript_set_attribute(attribute:'description', value:'The following package needs to be updated: wu-ftpd+ipv6');\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:'solution', value: 'Update the package on the remote host');\nscript_set_attribute(attribute: 'see_also', value: 'http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120508\nhttp://gaim.sourceforge.net/security/?id=20\nhttp://rhn.redhat.com/errata/RHSA-2004-181.html\nhttp://www.kde.org/info/security/advisory-20050721-1.txt\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-60.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-61.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-62.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-63.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-64.html\nhttp://www.samba.org/samba/whatsnew/samba-3.0.5.html');\nscript_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/3b7c7f6c-7102-11d8-873f-0020ed76ef5a.html');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/06\");\n script_cvs_date(\"$Date: 2011/10/03 00:48:25 $\");\n script_end_attributes();\n script_summary(english:\"Check for wu-ftpd+ipv6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2010 Tenable Network Security, Inc.\");\n family[\"english\"] = \"FreeBSD Local Security Checks\";\n script_family(english:family[\"english\"]);\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/FreeBSD/pkg_info\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Refer to plugin #37480 (freebsd_pkg_3b7c7f6c710211d8873f0020ed76ef5a.nasl) instead.\");\n\nglobal_var cvss_score;\ncvss_score=7;\ninclude('freebsd_package.inc');\n\n\npkg_test(pkg:\"wu-ftpd<=2.6.2_3\");\n\npkg_test(pkg:\"wu-ftpd+ipv6<=2.6.2_5\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:05:23", "bulletinFamily": "scanner", "description": "The remote host is running wu-ftpd 2.6.2 or older.\n\nThere is a bug in this version which may allow an attacker to bypass the\n'restricted-gid' feature and gain unauthorized access to otherwise restricted\ndirectories.\n\n*** Nessus solely relied on the banner of the remote FTP server, so this might\n*** be a false positive.", "modified": "2018-08-07T00:00:00", "published": "2004-03-14T00:00:00", "id": "WU_FTPD_RESTRICTED_GID_BYPASS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12098", "title": "WU-FTPD restricted-gid Directory Access Restriction Bypass", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(12098);\n script_cve_id(\"CVE-2004-0148\");\n script_bugtraq_id(9832);\n script_xref(name:\"RHSA\", value:\"2003:307-01\");\n script_xref(name:\"Secunia\", value:\"20168\");\n script_xref(name:\"Secunia\", value:\"11055\");\n script_version(\"1.20\");\n\n script_name(english:\"WU-FTPD restricted-gid Directory Access Restriction Bypass\");\n script_summary(english:\"Checks the remote Wu-ftpd version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FTP server has an access restriction bypass vulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running wu-ftpd 2.6.2 or older.\n\nThere is a bug in this version which may allow an attacker to bypass the\n'restricted-gid' feature and gain unauthorized access to otherwise restricted\ndirectories.\n\n*** Nessus solely relied on the banner of the remote FTP server, so this might\n*** be a false positive.\" );\n # https://web.archive.org/web/20060307170008/http://archives.neohapsis.com/archives/vendor/2004-q1/0073.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f341b41b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade to the latest version of the software.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/03/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/03/09\");\n script_cvs_date(\"Date: 2018/08/07 16:46:50\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english: \"FTP\");\n\n script_copyright(english: \"Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_dependencie(\"ftpserver_detect_type_nd_version.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/ftp\", 21);\n exit(0);\n}\n\n\n#\n\ninclude(\"ftp_func.inc\");\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_ftp_port(default: 21);\n\nbanner = get_backport_banner(banner:get_ftp_banner(port:port));\nif ( ! banner ) exit(1, \"Could not authenticate on the FTP server on port \"+port+\".\");\n\nif(egrep(pattern:\"^220.*(wu|wuftpd)-((1\\..*)|2\\.([0-5]\\..*|6\\.[0-2]))\", string:banner, icase:TRUE))\n security_hole(port);\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:09:10", "bulletinFamily": "scanner", "description": "Glenn Stewart reports a bug in wu-ftpd's ftpaccess\n`restricted-uid'/`restricted-gid' directives :\n\nUsers can get around the restriction to their home directory by\nissuing a simple chmod command on their home directory. On the next\nftp log in, the user will have '/' as their root directory.\n\nMatt Zimmerman discovered that the cause of the bug was a missing\ncheck for a restricted user within a code path that is executed only\nwhen a certain error is encountered.", "modified": "2018-11-10T00:00:00", "published": "2009-04-23T00:00:00", "id": "FREEBSD_PKG_3B7C7F6C710211D8873F0020ED76EF5A.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=37480", "title": "FreeBSD : wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed (3b7c7f6c-7102-11d8-873f-0020ed76ef5a)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(37480);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/10 11:49:39\");\n\n script_cve_id(\"CVE-2004-0148\");\n script_bugtraq_id(9832);\n\n script_name(english:\"FreeBSD : wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed (3b7c7f6c-7102-11d8-873f-0020ed76ef5a)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Glenn Stewart reports a bug in wu-ftpd's ftpaccess\n`restricted-uid'/`restricted-gid' directives :\n\nUsers can get around the restriction to their home directory by\nissuing a simple chmod command on their home directory. On the next\nftp log in, the user will have '/' as their root directory.\n\nMatt Zimmerman discovered that the cause of the bug was a missing\ncheck for a restricted user within a code path that is executed only\nwhen a certain error is encountered.\"\n );\n # https://vuxml.freebsd.org/freebsd/3b7c7f6c-7102-11d8-873f-0020ed76ef5a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7bbeced9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:wu-ftpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:wu-ftpd+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"wu-ftpd<=2.6.2_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"wu-ftpd+ipv6<=2.6.2_5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:05:59", "bulletinFamily": "scanner", "description": "s700_800 11.23 ftpd(1M) patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential vulnerability has been identified with HP-UX\n running wu-ftpd with the restricted gid option enabled\n where the vulnerability could be exploited by a local\n user to gain unauthorized access to files. (HPSBUX01059\n SSRT4704)\n\n - A potential vulnerability has been identified with HP-UX\n running ftpd where the vulnerability could be exploited\n to allow a remote authorized user unauthorized access to\n files. (HPSBUX01119 SSRT4694)", "modified": "2013-04-20T00:00:00", "published": "2005-03-18T00:00:00", "id": "HPUX_PHNE_30983.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=17422", "title": "HP-UX PHNE_30983 : s700_800 11.23 ftpd(1M) patch", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_30983. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17422);\n script_version(\"$Revision: 1.20 $\");\n script_cvs_date(\"$Date: 2013/04/20 00:36:49 $\");\n\n script_cve_id(\"CVE-2004-0148\", \"CVE-2005-0547\");\n script_xref(name:\"HP\", value:\"emr_na-c00572225\");\n script_xref(name:\"HP\", value:\"emr_na-c01035678\");\n script_xref(name:\"HP\", value:\"HPSBUX01059\");\n script_xref(name:\"HP\", value:\"HPSBUX01119\");\n script_xref(name:\"HP\", value:\"SSRT4694\");\n script_xref(name:\"HP\", value:\"SSRT4704\");\n\n script_name(english:\"HP-UX PHNE_30983 : s700_800 11.23 ftpd(1M) patch\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.23 ftpd(1M) patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential vulnerability has been identified with HP-UX\n running wu-ftpd with the restricted gid option enabled\n where the vulnerability could be exploited by a local\n user to gain unauthorized access to files. (HPSBUX01059\n SSRT4704)\n\n - A potential vulnerability has been identified with HP-UX\n running ftpd where the vulnerability could be exploited\n to allow a remote authorized user unauthorized access to\n files. (HPSBUX01119 SSRT4694)\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00572225\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2fb36360\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035678\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9d4b2076\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_30983 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/06/25\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2006/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.23\"))\n{\n exit(0, \"The host is not affected since PHNE_30983 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_30983\", \"PHNE_31732\", \"PHNE_32286\", \"PHNE_33414\", \"PHNE_34306\", \"PHNE_34698\", \"PHNE_36065\", \"PHNE_36193\", \"PHNE_38578\", \"PHNE_38916\", \"PHNE_40380\", \"PHNE_41248\", \"PHNE_41581\", \"PHNE_42661\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"InternetSrvcs.INETSVCS2-RUN\", version:\"B.11.23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:05:44", "bulletinFamily": "scanner", "description": "Two vulnerabilities were discovered in wu-ftpd :\n\n - CAN-2004-0148\n Glenn Stewart discovered that users could bypass the\n directory access restrictions imposed by the\n restricted-gid option by changing the permissions on\n their home directory. On a subsequent login, when access\n to the user's home directory was denied, wu-ftpd would\n fall back to the root directory.\n\n - CAN-2004-0185\n\n A buffer overflow existed in wu-ftpd's code which deals\n with S/key authentication.", "modified": "2018-07-20T00:00:00", "published": "2004-09-29T00:00:00", "id": "DEBIAN_DSA-457.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15294", "title": "Debian DSA-457-1 : wu-ftpd - several vulnerabilities", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-457. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15294);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/07/20 2:17:11\");\n\n script_cve_id(\"CVE-2004-0148\", \"CVE-2004-0185\");\n script_bugtraq_id(9832);\n script_xref(name:\"DSA\", value:\"457\");\n\n script_name(english:\"Debian DSA-457-1 : wu-ftpd - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two vulnerabilities were discovered in wu-ftpd :\n\n - CAN-2004-0148\n Glenn Stewart discovered that users could bypass the\n directory access restrictions imposed by the\n restricted-gid option by changing the permissions on\n their home directory. On a subsequent login, when access\n to the user's home directory was denied, wu-ftpd would\n fall back to the root directory.\n\n - CAN-2004-0185\n\n A buffer overflow existed in wu-ftpd's code which deals\n with S/key authentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-457\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"For the stable distribution (woody) these problems have been fixed in\nversion 2.6.2-3woody4.\n\nWe recommend that you update your wu-ftpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:wu-ftpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2000/06/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"wu-ftpd\", reference:\"2.6.2-3woody4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"wu-ftpd-academ\", reference:\"2.6.2-3woody4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:05:26", "bulletinFamily": "scanner", "description": "An updated wu-ftpd package that fixes two security issues is now\navailable.\n\nThe wu-ftpd package contains the Washington University FTP (File\nTransfer Protocol) server daemon. FTP is a method of transferring\nfiles between machines.\n\nGlenn Stewart discovered a flaw in wu-ftpd. When configured with\n'restricted-gid home', an authorized user could use this flaw to\ncircumvent the configured home directory restriction by using chmod.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0148 to this issue.\n\nMichael Hendrickx found a flaw in the S/Key login handling. On servers\nusing S/Key authentication, a remote attacker could overflow a buffer\nand potentially execute arbitrary code.\n\nUsers of wu-ftpd are advised to upgrade to this updated package, which\ncontains backported security patches and is not vulnerable to these\nissues.", "modified": "2018-11-15T00:00:00", "published": "2004-07-06T00:00:00", "id": "REDHAT-RHSA-2004-096.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12475", "title": "RHEL 2.1 : wu-ftpd (RHSA-2004:096)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2004:096. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12475);\n script_version (\"1.24\");\n script_cvs_date(\"Date: 2018/11/15 11:40:29\");\n\n script_cve_id(\"CVE-2003-1329\", \"CVE-2004-0148\", \"CVE-2004-0185\");\n script_xref(name:\"RHSA\", value:\"2004:096\");\n\n script_name(english:\"RHEL 2.1 : wu-ftpd (RHSA-2004:096)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated wu-ftpd package that fixes two security issues is now\navailable.\n\nThe wu-ftpd package contains the Washington University FTP (File\nTransfer Protocol) server daemon. FTP is a method of transferring\nfiles between machines.\n\nGlenn Stewart discovered a flaw in wu-ftpd. When configured with\n'restricted-gid home', an authorized user could use this flaw to\ncircumvent the configured home directory restriction by using chmod.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0148 to this issue.\n\nMichael Hendrickx found a flaw in the S/Key login handling. On servers\nusing S/Key authentication, a remote attacker could overflow a buffer\nand potentially execute arbitrary code.\n\nUsers of wu-ftpd are advised to upgrade to this updated package, which\ncontains backported security patches and is not vulnerable to these\nissues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-1329\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0148\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0185\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.securiteam.com/unixfocus/6X00Q1P8KC.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2004:096\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wu-ftpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:wu-ftpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2004:096\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"wu-ftpd-2.6.1-22\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wu-ftpd\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:05:56", "bulletinFamily": "scanner", "description": "s700_800 11.22 ftpd(1M) and ftp(1) patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential vulnerability has been identified with HP-UX\n running ftpd where the vulnerability could be exploited\n to allow a remote authorized user unauthorized access to\n files. (HPSBUX01119 SSRT4694)\n\n - A potential security vulnerability has been identified\n with HP-UX running ftp where the vulnerability could be\n exploited remotely to allow unauthorized access.\n (HPSBUX01050 SSRT3456)\n\n - The wu-ftpd program is potentially vulnerable to a\n buffer overflow. (HPSBUX00277 SSRT3606)\n\n - A potential security vulnerability has been identified\n with HP-UX running ftpd, where a buffer overflow in ftpd\n could be remotely exploited to allow an unauthorized\n user to gain privileged access. (HPSBUX01118 SSRT4883)\n\n - A potential vulnerability has been identified with HP-UX\n running wu-ftpd with the restricted gid option enabled\n where the vulnerability could be exploited by a local\n user to gain unauthorized access to files. (HPSBUX01059\n SSRT4704)", "modified": "2016-01-14T00:00:00", "published": "2005-02-16T00:00:00", "id": "HPUX_PHNE_29462.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=16907", "title": "HP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_29462. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16907);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2016/01/14 15:20:32 $\");\n\n script_cve_id(\"CVE-2003-0466\", \"CVE-2004-0148\", \"CVE-2004-1332\", \"CVE-2005-0547\");\n script_xref(name:\"HP\", value:\"emr_na-c00572225\");\n script_xref(name:\"HP\", value:\"emr_na-c00951272\");\n script_xref(name:\"HP\", value:\"emr_na-c00951289\");\n script_xref(name:\"HP\", value:\"emr_na-c01035676\");\n script_xref(name:\"HP\", value:\"emr_na-c01035678\");\n script_xref(name:\"HP\", value:\"HPSBUX00277\");\n script_xref(name:\"HP\", value:\"HPSBUX01050\");\n script_xref(name:\"HP\", value:\"HPSBUX01059\");\n script_xref(name:\"HP\", value:\"HPSBUX01118\");\n script_xref(name:\"HP\", value:\"HPSBUX01119\");\n script_xref(name:\"HP\", value:\"SSRT3456\");\n script_xref(name:\"HP\", value:\"SSRT3606\");\n script_xref(name:\"HP\", value:\"SSRT4694\");\n script_xref(name:\"HP\", value:\"SSRT4704\");\n script_xref(name:\"HP\", value:\"SSRT4883\");\n\n script_name(english:\"HP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.22 ftpd(1M) and ftp(1) patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential vulnerability has been identified with HP-UX\n running ftpd where the vulnerability could be exploited\n to allow a remote authorized user unauthorized access to\n files. (HPSBUX01119 SSRT4694)\n\n - A potential security vulnerability has been identified\n with HP-UX running ftp where the vulnerability could be\n exploited remotely to allow unauthorized access.\n (HPSBUX01050 SSRT3456)\n\n - The wu-ftpd program is potentially vulnerable to a\n buffer overflow. (HPSBUX00277 SSRT3606)\n\n - A potential security vulnerability has been identified\n with HP-UX running ftpd, where a buffer overflow in ftpd\n could be remotely exploited to allow an unauthorized\n user to gain privileged access. (HPSBUX01118 SSRT4883)\n\n - A potential vulnerability has been identified with HP-UX\n running wu-ftpd with the restricted gid option enabled\n where the vulnerability could be exploited by a local\n user to gain unauthorized access to files. (HPSBUX01059\n SSRT4704)\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951272\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6ca73dfe\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00951289\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?353e3f75\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00572225\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2fb36360\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035676\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0e3b95fe\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01035678\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9d4b2076\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_29462 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/06/03\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2006/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.22\"))\n{\n exit(0, \"The host is not affected since PHNE_29462 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_29462\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"InternetSrvcs.INETSVCS2-RUN\", version:\"B.11.22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-10-04T00:00:00", "published": "2008-09-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=52493", "id": "OPENVAS:52493", "title": "FreeBSD Ports: wu-ftpd", "type": "openvas", "sourceData": "#\n#VID 3b7c7f6c-7102-11d8-873f-0020ed76ef5a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n wu-ftpd\n wu-ftpd+ipv6\n\nCVE-2004-0148\nwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled,\nallows local users to bypass access restrictions by changing the\npermissions to prevent access to their home directory, which causes\nwu-ftpd to use the root directory instead.\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\";\nif(description)\n{\n script_id(52493);\n script_version(\"$Revision: 4203 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-10-04 07:30:30 +0200 (Tue, 04 Oct 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0148\");\n script_bugtraq_id(9832);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: wu-ftpd\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"wu-ftpd\");\nif(!isnull(bver) && revcomp(a:bver, b:\"2.6.2_3\")<=0) {\n txt += 'Package wu-ftpd version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"wu-ftpd+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"2.6.2_5\")<=0) {\n txt += 'Package wu-ftpd+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:45", "bulletinFamily": "scanner", "description": "The remote host is missing an update to wu-ftpd\nannounced via advisory DSA 457-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53155", "id": "OPENVAS:53155", "title": "Debian Security Advisory DSA 457-1 (wu-ftpd)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_457_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 457-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Two vulnerabilities were discovered in wu-ftpd:\n\nCVE-2004-0148 - Glenn Stewart discovered that users could bypass the\ndirectory access restrictions imposed by the restricted-gid option by\nchanging the permissions on their home directory. On a subsequent\nlogin, when access to the user's home directory was denied, wu-ftpd\nwould fall back to the root directory.\n\nCVE-2004-0185 - A buffer overflow existed in wu-ftpd's code which\ndeals with S/key authentication.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 2.6.2-3woody4.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 2.6.2-17.1.\n\nWe recommend that you update your wu-ftpd package.\";\ntag_summary = \"The remote host is missing an update to wu-ftpd\nannounced via advisory DSA 457-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20457-1\";\n\nif(description)\n{\n script_id(53155);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2004-0148\", \"CVE-2004-0185\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 457-1 (wu-ftpd)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"wu-ftpd-academ\", ver:\"2.6.2-3woody4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"wu-ftpd\", ver:\"2.6.2-3woody4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:58", "bulletinFamily": "software", "description": "## Vulnerability Description\nWU-FTPD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the restricted-gid feature is used. A malicious user can change the permissions on their home directory to deny themselves access. A subsequent connection by that user will exploit the flaw, and put them into the home directory of the root user, which will disclose files that an ordinary user would not have access to resulting in a loss of confidentiality.\n## Technical Description\nThe following is the patch that Red Hat has applied. It should work for all platforms:\n\n--- wu-ftpd/src/ftpd.c.escape 2001-05-17 20:36:44.000000000 +0200\n+++ wu-ftpd/src/ftpd.c 2004-03-01 11:56:17.541416616 +0100\n@@ -3365,7 +3365,7 @@\n }\n #endif /* ALT_HOMEDIR */\n #else /* DISABLE_STRICT_HOMEDIR is defined */\n- if (chdir(\"/\") < 0) {\n+ if (restricted_user || chdir(\"/\") < 0) {\n #ifdef VERBOSE_ERROR_LOGING\n syslog(LOG_NOTICE, \"FTP LOGIN FAILED (cannot chdir) for %s, %s\", \n remoteident, pw->pw_name);\n## Solution Description\nUpgrade to version 2.6.2-13 (Available on some Linux distributions) or higher, as it has been reported to fix this vulnerability. In addition, WU-FTPD Development Group has released a patch for some older versions of the main distribution.\n## Short Description\nWU-FTPD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the restricted-gid feature is used. A malicious user can change the permissions on their home directory to deny themselves access. A subsequent connection by that user will exploit the flaw, and put them into the home directory of the root user, which will disclose files that an ordinary user would not have access to resulting in a loss of confidentiality.\n## References:\nVendor URL: http://www.wuftpd.org/\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/search/document.do?assetkey=1-26-102356-1)\nSecurity Tracker: 1009349\n[Secunia Advisory ID:11055](https://secuniaresearch.flexerasoftware.com/advisories/11055/)\n[Secunia Advisory ID:11350](https://secuniaresearch.flexerasoftware.com/advisories/11350/)\n[Secunia Advisory ID:12086](https://secuniaresearch.flexerasoftware.com/advisories/12086/)\n[Secunia Advisory ID:14013](https://secuniaresearch.flexerasoftware.com/advisories/14013/)\n[Secunia Advisory ID:20168](https://secuniaresearch.flexerasoftware.com/advisories/20168/)\nRedHat RHSA: RHSA-2004:096\nOther Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20040303-01-U.asc\nOther Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01012\nOther Advisory URL: http://www.debian.org/security/2004/dsa-457\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.6/SCOSA-2005.6.txt\nOther Advisory URL: http://www.turbolinux.com/security/2004/TLSA-2004-8.txt\n[Nessus Plugin ID:12098](https://vulners.com/search?query=pluginID:12098)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0173.html\nKeyword: BugIDs: 5012436\nISS X-Force ID: 15423\n[CVE-2004-0148](https://vulners.com/cve/CVE-2004-0148)\nCIAC Advisory: o-095\nBugtraq ID: 9832\n", "modified": "2004-03-09T04:10:11", "published": "2004-03-09T04:10:11", "href": "https://vulners.com/osvdb/OSVDB:4160", "id": "OSVDB:4160", "type": "osvdb", "title": "WU-FTPD restricted-gid Directory Access Restriction Bypass", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:16:14", "bulletinFamily": "unix", "description": "\nGlenn Stewart reports a bug in wu-ftpd's ftpaccess\n\t `restricted-uid'/`restricted-gid' directives:\n\nUsers can get around the restriction to their home\n\t directory by issuing a simple chmod command on their home\n\t directory. On the next ftp log in, the user will have '/'\n\t as their root directory.\n\nMatt Zimmerman discovered that the cause of the bug was a\n\t missing check for a restricted user within a code path that\n\t is executed only when a certain error is encountered.\n", "modified": "2004-03-29T00:00:00", "published": "2004-02-17T00:00:00", "id": "3B7C7F6C-7102-11D8-873F-0020ED76EF5A", "href": "https://vuxml.freebsd.org/freebsd/3b7c7f6c-7102-11d8-873f-0020ed76ef5a.html", "title": "wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed", "type": "freebsd", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2018-10-16T22:14:54", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 457-1 security@debian.org\nhttp://www.debian.org/security/ Matt Zimmerman\nMarch 8th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : wu-ftpd\nVulnerability : several\nProblem-Type : remote\nDebian-specific: no\nCVE Ids : CAN-2004-0148 CAN-2004-0185\n\nTwo vulnerabilities were discovered in wu-ftpd:\n\n CAN-2004-0148 - Glenn Stewart discovered that users could bypass the\n directory access restrictions imposed by the restricted-gid option by\n changing the permissions on their home directory. On a subsequent\n login, when access to the user's home directory was denied, wu-ftpd\n would fall back to the root directory.\n\n CAN-2004-0185 - A buffer overflow existed in wu-ftpd's code which\n deals with S/key authentication.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 2.6.2-3woody4.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 2.6.2-17.1.\n\nWe recommend that you update your wu-ftpd package.\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4.dsc\n Size/MD5 checksum: 607 ced69dc6017f9afd9ea2e993e5570084\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4.diff.gz\n Size/MD5 checksum: 100777 399c02a6d064f2aef676fba75db3964a\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2.orig.tar.gz\n Size/MD5 checksum: 354784 b3c271f02aadf663b8811d1bff9da3f6\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd-academ_2.6.2-3woody4_all.deb\n Size/MD5 checksum: 3482 ef0f9788eecfa4290bbcea8e259b48e2\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_alpha.deb\n Size/MD5 checksum: 291786 5d9f21b554fc210956d2e46e7e817bc8\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_arm.deb\n Size/MD5 checksum: 265480 0820e29ec495c37629c79018bab2d267\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_i386.deb\n Size/MD5 checksum: 257234 be096867b80cd54f46e3ce5615886537\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_ia64.deb\n Size/MD5 checksum: 321396 9042bd62637c9a38469681de0711e39a\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_hppa.deb\n Size/MD5 checksum: 276170 61272ad0cb9bd68cfbe55c1ec68109b1\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_m68k.deb\n Size/MD5 checksum: 249496 54ac511d90b1082fed2528e412ddd913\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_mips.deb\n Size/MD5 checksum: 273044 07acbf48ee5b459af762f48df3c8cf81\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_mipsel.deb\n Size/MD5 checksum: 273172 ca3dd63e1f9340605cdd1bc71bf70698\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_powerpc.deb\n Size/MD5 checksum: 268476 6a8df56549ab599125d5bc627ac0d51d\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_s390.deb\n Size/MD5 checksum: 263268 aa81a92d47b93214ccbedba1e1871e4e\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_sparc.deb\n Size/MD5 checksum: 270514 9f6ddd158ba0cc9bd778ba8dfc3d75db\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "modified": "2004-03-09T00:00:00", "published": "2004-03-09T00:00:00", "id": "DEBIAN:DSA-457-1:64D7E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00054.html", "title": "[SECURITY] [DSA 457-1] New wu-ftpd packages fix multiple vulnerabilities", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T17:42:33", "bulletinFamily": "unix", "description": "The wu-ftpd package contains the Washington University FTP (File Transfer\nProtocol) server daemon. FTP is a method of transferring files between\nmachines.\n\nGlenn Stewart discovered a flaw in wu-ftpd. When configured with\n\"restricted-gid home\", an authorized user could use this flaw to\ncircumvent the configured home directory restriction by using chmod. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2004-0148 to this issue.\n\nMichael Hendrickx found a flaw in the S/Key login handling. On servers\nusing S/Key authentication, a remote attacker could overflow a buffer and\npotentially execute arbitrary code. \n\nUsers of wu-ftpd are advised to upgrade to this updated package, which\ncontains backported security patches and is not vulnerable to these issues.", "modified": "2018-03-14T19:27:49", "published": "2004-03-08T05:00:00", "id": "RHSA-2004:096", "href": "https://access.redhat.com/errata/RHSA-2004:096", "type": "redhat", "title": "(RHSA-2004:096) wu-ftpd security update", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- --------------------------------------------------------------------------\r\nDebian Security Advisory DSA 457-1 security@debian.org\r\nhttp://www.debian.org/security/ Matt Zimmerman\r\nMarch 8th, 2004 http://www.debian.org/security/faq\r\n- --------------------------------------------------------------------------\r\n\r\nPackage : wu-ftpd\r\nVulnerability : several\r\nProblem-Type : remote\r\nDebian-specific: no\r\nCVE Ids : CAN-2004-0148 CAN-2004-0185\r\n\r\nTwo vulnerabilities were discovered in wu-ftpd:\r\n\r\n CAN-2004-0148 - Glenn Stewart discovered that users could bypass the\r\n directory access restrictions imposed by the restricted-gid option by\r\n changing the permissions on their home directory. On a subsequent\r\n login, when access to the user's home directory was denied, wu-ftpd\r\n would fall back to the root directory.\r\n\r\n CAN-2004-0185 - A buffer overflow existed in wu-ftpd's code which\r\n deals with S/key authentication.\r\n\r\nFor the stable distribution (woody) these problems have been fixed in\r\nversion 2.6.2-3woody4.\r\n\r\nFor the unstable distribution (sid) these problems have been fixed in\r\nversion 2.6.2-17.1.\r\n\r\nWe recommend that you update your wu-ftpd package.\r\n\r\nUpgrade Instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\nDebian GNU/Linux 3.0 alias woody\r\n- --------------------------------\r\n\r\n Source archives:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4.dsc\r\n Size/MD5 checksum: 607 ced69dc6017f9afd9ea2e993e5570084\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4.diff.gz\r\n Size/MD5 checksum: 100777 399c02a6d064f2aef676fba75db3964a\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2.orig.tar.gz\r\n Size/MD5 checksum: 354784 b3c271f02aadf663b8811d1bff9da3f6\r\n\r\n Architecture independent components:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd-academ_2.6.2-3woody4_all.deb\r\n Size/MD5 checksum: 3482 ef0f9788eecfa4290bbcea8e259b48e2\r\n\r\n Alpha architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_alpha.deb\r\n Size/MD5 checksum: 291786 5d9f21b554fc210956d2e46e7e817bc8\r\n\r\n ARM architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_arm.deb\r\n Size/MD5 checksum: 265480 0820e29ec495c37629c79018bab2d267\r\n\r\n Intel IA-32 architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_i386.deb\r\n Size/MD5 checksum: 257234 be096867b80cd54f46e3ce5615886537\r\n\r\n Intel IA-64 architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_ia64.deb\r\n Size/MD5 checksum: 321396 9042bd62637c9a38469681de0711e39a\r\n\r\n HP Precision architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_hppa.deb\r\n Size/MD5 checksum: 276170 61272ad0cb9bd68cfbe55c1ec68109b1\r\n\r\n Motorola 680x0 architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_m68k.deb\r\n Size/MD5 checksum: 249496 54ac511d90b1082fed2528e412ddd913\r\n\r\n Big endian MIPS architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_mips.deb\r\n Size/MD5 checksum: 273044 07acbf48ee5b459af762f48df3c8cf81\r\n\r\n Little endian MIPS architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_mipsel.deb\r\n Size/MD5 checksum: 273172 ca3dd63e1f9340605cdd1bc71bf70698\r\n\r\n PowerPC architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_powerpc.deb\r\n Size/MD5 checksum: 268476 6a8df56549ab599125d5bc627ac0d51d\r\n\r\n IBM S/390 architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_s390.deb\r\n Size/MD5 checksum: 263268 aa81a92d47b93214ccbedba1e1871e4e\r\n\r\n Sun Sparc architecture:\r\n\r\n http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4_sparc.deb\r\n Size/MD5 checksum: 270514 9f6ddd158ba0cc9bd778ba8dfc3d75db\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next revision.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.4 (GNU/Linux)\r\n\r\niD8DBQFATWQRArxCt0PiXR4RAsMHAKCIqUrX9uxwoX2C/1xmxiWyurP52gCg3d7i\r\n5BjpLPPGD5I0l1c04qeV0jI=\r\n=axsq\r\n-----END PGP SIGNATURE-----\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.netsys.com/full-disclosure-charter.html", "modified": "2004-03-09T00:00:00", "published": "2004-03-09T00:00:00", "id": "SECURITYVULNS:DOC:5868", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5868", "title": "[Full-Disclosure] [SECURITY] [DSA 457-1] New wu-ftpd packages fix multiple vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}