Multiple BSD libc realpath() Off-by-one Overflow

2003-07-31T00:00:00
ID OSVDB:6602
Type osvdb
Reporter Janusz Niewiadomski(funkysh@isec.pl), Wojciech Purczynski(cliph@isec.pl)
Modified 2003-07-31T00:00:00

Description

Vulnerability Description

A local overflow exists in BSD-derived libc libraries. The realpath() function fails to validate user input resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Technical Description

wu-ftpd implements a function derived from the libc realpath(), called fb_realpath(). A vulnerability was discovered in this function, and an advisory for wu-ftpd was released on July 31, 2003. The discovery of the wu-ftpd bug in fb_realpath() caused the BSD's to take a look at their libc implementations of realpath(), and they found that the error still exists in their implementations, and affected any program which called realpath(). While this vulnerability exists in separate implementations for wu-ftpd and the BSD libc, both inherit the vulnerability from the 4.4BSD codebase.

Solution Description

Each vendor maintains its own implementation of realpath(), and each has released a patch or upgrade to address the issue. Please refer to the specific vendor advisory for more information.

Short Description

A local overflow exists in BSD-derived libc libraries. The realpath() function fails to validate user input resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

References:

Vendor Specific Solution URL: http://docs.info.apple.com/article.html?artnum=120239 Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Security Tracker: 1007380 Secunia Advisory ID:9535 Secunia Advisory ID:9446 Secunia Advisory ID:9423 Secunia Advisory ID:9447 Related OSVDB ID: 2133 Other Advisory URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt Nessus Plugin ID:11811 Nessus Plugin ID:12413 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-08/0042.html Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=106002488209129&w=2 ISS X-Force ID: 12785 Generic Exploit URL: http://www.securiteam.com/exploits/5LP0H15AUQ.html Generic Exploit URL: http://downloads.securityfocus.com/vulnerabilities/exploits/lukemftp.pl CVE-2003-0466 CERT VU: 743092 Bugtraq ID: 8315