WU-FTPD site_exec() Function Remote Format String

2000-06-22T00:00:00
ID OSVDB:11805
Type osvdb
Reporter tf8(tf8@zolo.freelsd.net), Lamagra Argamal(lamagra@hackermail.net)
Modified 2000-06-22T00:00:00

Description

Vulnerability Description

WU-FTPD contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is triggered due to a format string error in the site_exec() function. By sending a specially crafted argument to the SITE EXEC command, a remote attacker could potentially execute arbitrary code.

Solution Description

Upgrade to version 2.6.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
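
A detection check for the condition described above, written as an added example (it is not part of the original advisory or of WU-FTPD): it flags SITE EXEC commands whose argument contains printf-style conversion specifiers. The input format (one raw FTP control-channel command per line) and the sample commands are constructed assumptions.

```python
import re

# Matches the SITE EXEC command (case-insensitive) and captures its argument.
SITE_EXEC = re.compile(r"^\s*SITE\s+EXEC\s+(.*)$", re.IGNORECASE)

# One printf-style conversion: optional positional index, flags, width,
# precision and length modifier, followed by a conversion character.
CONVERSION = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfgGcspn]"
)

# Constructed sample input: one FTP command per line, as a command log
# or a reassembled control-channel capture might provide (assumption).
SAMPLE_COMMANDS = [
    "USER anonymous",
    "PASS guest@example.invalid",
    "SITE EXEC ls -l",
    "site exec %x %x %x",
    "SITE EXEC echo 100%% done",
    "SITE CHMOD 644 %s.txt",
    "SITE EXEC %08x|%s",
]


def format_specifiers(argument):
    """Return the conversion specifiers found in a command argument."""
    # "%%" is a literal percent sign in a format string, so drop it first.
    cleaned = argument.replace("%%", "")
    return [m.group(0) for m in CONVERSION.finditer(cleaned)]


def scan(commands):
    """Return (line number, command, specifiers) for suspicious SITE EXEC lines."""
    hits = []
    for lineno, command in enumerate(commands, start=1):
        match = SITE_EXEC.match(command)
        if not match:
            continue  # only the SITE EXEC argument is of interest here
        specs = format_specifiers(match.group(1))
        if specs:
            hits.append((lineno, command, specs))
    return hits


if __name__ == "__main__":
    for lineno, command, specs in scan(SAMPLE_COMMANDS):
        print(f"line {lineno}: {command!r} contains {specs}")
```
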

References:

Vendor URL: http://www.wu-ftpd.org/
Snort Signature ID: 1971
Nessus Plugin ID: 10452
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-06/0225.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-07/0093.html
ISS X-Force ID: 4773
Generic Exploit URL: http://www.securityfocus.com/archive/1/66367
CVE ID: CVE-2000-0573
CIAC Advisory: k-054
CERT VU: 29823
CERT: CA-2000-13
Bugtraq ID: 1387