wu-ftpd ABOR command allows attacker to gain privileges
| wuftpd-abor-gain-privileges (7169) |  High Risk |
Description:
Wu-ftpd version fails to drop privileges properly, which could allow an attacker to execute the ABOR (abort file transfer) command during a file transfer. This allows the attacker to gain root privileges to arbitrary files.
Platforms Affected:
- Washington University, WU-FTPD 2.4
Remedy:
Apply the patch for this vulnerabiliy included in the BugTraq Mailing List posting dated Jan 4 1997 10:30AM. See References.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Sat, 4 Jan 1997 12:30:21 -0600, serious security bug in wu-ftpd v2.4 at http://archives.neohapsis.com/archives/bugtraq/1997_1/0007.html.
- BugTraq Mailing List, Sun, 5 Jan 1997 22:49:45 -0800, BoS: serious security bug in wu-ftpd v2.4 -- PATCH at http://archives.neohapsis.com/archives/bugtraq/1997_1/0014.html.
- CVE-1999-1326: wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR (abort file transfer) command is executed during a file transfer, which causes a signal to be handled incorrectly and allows local and possibly remote attackers to read arbitrary files.
Reported:
Jan 04, 1997
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net