WU-FTPD S/KEY Authentication ftpd.c skey_challenge Function Remote Overflow

2000-06-07T06:40:26
ID OSVDB:2715
Type osvdb
Reporter Michael Hendrickx(michael@scanit.be), Michal Zalewski(lcamtuf@coredump.cx)
Modified 2000-06-07T06:40:26

Description

Vulnerability Description

A remote overflow exists in WU-FTPD if S/KEY support is enabled. The skey_challenge function in ftpd.c fails to perform bounds checking on the name variable resulting in a buffer overflow. With a specially crafted request, a remote attacker can execute arbitrary code.

Solution Description

Upgrade to version 2.6.2-13 (Available on some Linux distributions) or higher, as it has been reported to fix this vulnerability. In addition, WU-FTPD Development Group has released a patch for some older versions of the main distribution.

Short Description

A remote overflow exists in WU-FTPD if S/KEY support is enabled. The skey_challenge function in ftpd.c fails to perform bounds checking on the name variable resulting in a buffer overflow. With a specially crafted request, a remote attacker can execute arbitrary code.

References:

Vendor Specific Solution URL: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/skeychallenge.patch Secunia Advisory ID:11350 Secunia Advisory ID:10077 RedHat RHSA: RHSA-2004:096 Other Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01012 Other Advisory URL: http://www.debian.org/security/2004/dsa-457 Other Advisory URL: http://www.fedoralegacy.org/updates/RH7.3/2004-07-19-FLSA_2004_1553__Updated_sysklogd_resolves_memory_buffer_bug.html Other Advisory URL: http://packetstormsecurity.org/0310-advisories/wuftpd-skey.txt Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-06/0040.html ISS X-Force ID: 13518 CVE-2004-0185 CIAC Advisory: o-119 Bugtraq ID: 8893