Ftpd args core dump
ftp-args (201)
Description:
Some FTP daemons are vulnerable to a denial of service attack caused by a buffer overflow that results in a core dump. By sending a malicious command to the FTP daemon, an attacker can overflow the ftpd memory space, causing an FTP core dump, and crash the system. FTP core dumps cause the ftpd memory space to become populated with usernames, encrypted passwords, or other system information that could be useful to an attacker in performing an attack. For example, using password information gained by this vulnerability, a remote attacker could log into the system or gain root access.
Platforms Affected:
- Compaq, Tru64
- Data General, DG/UX
- HP, HP-UX
- IBM, AIX 4.3
- IBM, AIX
- Linux, Kernel
- RedHat, Linux 6.2
- RedHat, Linux 7
- RedHat, Linux 7.1
- RedHat, Linux 7.2
- SCO, SCO Unix
- SGI, IRIX
- Sun, Solaris
- Washington University, WU-FTPD 2.6.1
- WindRiver, BSDOS
Remedy:
Upgrade to the latest version of FTP (2.6.2 or later), available from the WU-FTPD Web site. See References.
Consequences:
Denial of Service
References:
- WU-FTPD Web site, Frequently Asked Questions about wu-ftpd, with answers at http://www.wu-ftpd.org/wu-ftpd-faq.html.
- WU-FTPD Web site, WU-FTPD Development Group at http://www.wu-ftpd.org/.
- BID-2601: Solaris FTP Core Dump Shadow Password Recovery Vulnerability
- BID-3806: AFTPD Home Directory Change Core Dump Vulnerability
- BID-4148: Squid Cache FTP Proxy URL Buffer Overflow Vulnerability
- CVE-1999-0075: PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.
- CVE-1999-1293: mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause a denial of service via malformed FTP commands, which causes Apache to dump core.
- CVE-2001-0421: FTP server in Solaris 8 and earlier allows local and remote attackers to cause a core dump in the root directory, possibly with world-readable permissions, by providing a valid username with an invalid password followed by a CWD ~ command, which could release sensitive information such as shadowed passwords, or fill the disk partition.
- CVE-2002-0068: Squid 2.4 STABLE3 and earlier allows remote attackers to cause a denial of service (core dump) and possibly execute arbitrary code with an ftp:// URL with a larger number of special characters, which exceed the buffer when Squid URL-escapes the characters.
- CVE-2002-0104: AFTPD 5.4.4 allows remote attackers to gain sensitive information via a CD (CWD) ~ (tilde) command, which causes a core dump.
- OSVDB ID: 5378: Squid FTP URL Special Character Overflow
- OSVDB ID: 5742: WU-FTPD QUOTE PASV Core Dump
- RHSA-2002-029: New squid packages available
Reported:
Jul 01, 1997
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
