| VID | 16052 |
| Severity | 40 |
| Port | 21 |
| Protocol | TCP |
| Class | FTP |
| Detailed Description |
The FTP daemon derived from 4.x BSD source contains a one-byte buffer overflow in the replydirname() function. By causing a null byte to be written beyond the boundary of a local buffer, a remote attacker can redirect execution to a user-supplied return address and execute arbitrary code as root, gaining root privileges on the target system. The vulnerability can be exploited on systems that support anonymous FTP if a writable directory exists (such as an "incoming" directory). Such a configuration is rarely in place by default.
* References:
  * http://archives.neohapsis.com/archives/bugtraq/2000-12/0265.html
  * http://www.geocrawler.com/lists/3/OpenBSD/254/75/4767480/
  * http://www.kb.cert.org/vuls/id/593299
* Platforms Affected:
  * NetBSD Any version
  * OpenBSD Any version
  * BSD ftpd 0.3.2 |
| Recommendation |
For OpenBSD 2.8: Apply the patch, as listed in OpenBSD Security Advisory, December 18, 2000, http://www.openbsd.com/advisories/ftpd_replydirname.txt
For NetBSD Any version: Upgrade to the latest version of NetBSD or apply the appropriate patch for your system, as listed in NetBSD Security Advisory 2000-018, http://archives.neohapsis.com/archives/netbsd/2000-q4/0271.html
For other distributions: Contact your vendor for upgrade or patch information. |
| Related URL | CVE-2001-0053 (CVE) |
| Related URL | 2124 (SecurityFocus) |
| Related URL | 5776 (ISS) |