libc realpath(3) function off-by-one buffer overflow

libc-realpath-offbyone-bo (12785) Risk level: High

Description:

The libc C library is vulnerable to a buffer overflow caused by an off-by-one error in the realpath(3) function. A remote or local attacker could issue a specially crafted FTP command to overflow a buffer and cause a denial of service or execute arbitrary code on the system with root privileges. Because applications that call realpath(3) inherit the flaw, the remedies below are a mix of C library fixes (the BSDs, HP-UX, Mac OS X) and updated wu-ftpd packages (the Linux distributions), depending on where the affected code lives on each platform.


Consequences:

Gain Privileges

Remedy:

For Red Hat Linux:
Upgrade to the latest wu-ftpd package, as listed below. Refer to RHSA-2003:245-15 for more information. See References.

Red Hat 7.1 (including 7.1 for iSeries and pSeries): 2.6.2-11.71.1 or later
Red Hat 7.2: 2.6.2-11.72.1 or later
Red Hat 7.3: 2.6.2-11.73.1 or later
Red Hat 8.0: 2.6.2-12 or later

For Red Hat Enterprise Linux containing the wu-ftpd package:
Upgrade to the latest wu-ftpd package, as listed below. Refer to RHSA-2003:246-12 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v.2.1), WS (v.2.1): 2.6.1-21 or later

For Mandrake Linux 8.2:
Upgrade to the latest version of wu-ftpd (2.6.2-1-1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2003:080 (wu-ftpd). See References.

For Debian GNU/Linux 3.0 (stable):
Upgrade to the latest version of wu-ftpd (2.6.2-3woody1 or later), as listed in DSA-357-1. See References.

For SuSe Linux:
Upgrade to the latest wu-ftpd package, as listed below. Refer to SuSE Linux Security Announcement SuSE-SA:2003:032 for more information. See References.

SuSE Linux 7.3 (Intel): 2.6.0-403 or later
SuSE Linux 7.3 (Sparc): 2.6.0-260 or later
SuSE Linux 7.3 (PPC): 2.6.0-328 or later

For FreeBSD:
Upgrade to the latest version of FreeBSD (4.8-STABLE or the latest security branch dated later than 2003-08-03), as listed in FreeBSD Security Advisory FreeBSD-03:08.realpath. See References.

For OpenBSD 3.3 and earlier:
Apply the appropriate patch for your system, as listed in OpenBSD 015: SECURITY FIX: August 4, 2003. See References.

For NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3, 1.6 and 1.6.1:
Upgrade to the latest version of NetBSD (NetBSD-current, or the latest NetBSD 1.6 branch dated August 5, 2003 or later), as listed in NetBSD Security Advisory 2003-011. See References.

For Turbolinux:
Upgrade to the latest wu-ftpd package (2.6.2-1 or later), as listed in Turbolinux Security Advisory TLSA-2003-46. See References.

For Immunix 7+:
Upgrade to the latest version of wu-ftpd (2.6.1-6_imnx_8 or later), as listed in Immunix Secured OS Security Advisory IMNX-2003-7+-019-01. See References.

For Mac OS X:
Apply Security Update 2003-08-14, as directed in Apple Security Update 120238. See References.

For HP-UX 11.00, 11.11, and 11.22:
Follow the recommended procedure, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0309-277. See References.

For Caldera OpenServer 5.0.5, 5.0.6, and 5.0.7:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory CSSA-2003-SCO.20. See References.

For Caldera OpenLinux Server and Workstation 3.1.1:
Upgrade to the latest version of wu-ftpd (2.6.1-14 or later), as listed in SCO Security Advisory CSSA-2003-024.0. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Debian Debian Linux 3.0
  • FreeBSD FreeBSD 4.0
  • FreeBSD FreeBSD 4.1
  • FreeBSD FreeBSD 4.1.1
  • FreeBSD FreeBSD 4.2
  • FreeBSD FreeBSD 4.3
  • FreeBSD FreeBSD 4.4
  • FreeBSD FreeBSD 4.5
  • FreeBSD FreeBSD 4.6
  • FreeBSD FreeBSD 4.6.1
  • FreeBSD FreeBSD 4.6.2
  • FreeBSD FreeBSD 4.7
  • HP HP-UX 11.00
  • HP HP-UX 11.11
  • HP HP-UX 11.22
  • Immunix Immunix OS 7+-beta
  • MandrakeSoft Mandrake Linux 8.2 PPC
  • MandrakeSoft Mandrake Linux 8.2
  • NetBSD NetBSD 1.5
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2
  • NetBSD NetBSD 1.5.3
  • NetBSD NetBSD 1.6
  • NetBSD NetBSD 1.6.1
  • Novell SuSE Linux Enterprise Server 7.0
  • OpenBSD OpenBSD 3.3 and prior
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Enterprise Linux 2.1 ES
  • RedHat Enterprise Linux 2.1 WS
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.1 for iSeries
  • RedHat Linux 7.1 for pSeries
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • RedHat Linux 8.0
  • RedHat Linux Advanced Workstation 2.1 Itanium
  • SCO Caldera OpenLinux Server 3.1.1
  • SCO Caldera OpenLinux Workstation 3.1.1
  • SCO Caldera OpenServer 5.0.5
  • SCO Caldera OpenServer 5.0.6
  • SCO Caldera OpenServer 5.0.7
  • Sun Linux 5.0
  • Sun Solaris 9
  • SuSE Linux Enterprise Server 8
  • SUSE SuSE Linux 7.2
  • SUSE SuSE Linux 7.3
  • SuSE SuSE Linux Connectivity Server
  • SuSE SuSE Linux Office Server
  • Turbolinux Turbolinux Advanced Server 6
  • Turbolinux Turbolinux Server 6.1
  • Turbolinux Turbolinux Workstation 6.0
  • Washington University WU-FTPD 2.5
  • Washington University WU-FTPD 2.6.0
  • Washington University WU-FTPD 2.6.1
  • Washington University WU-FTPD 2.6.2

Reported:

Jul 31, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
