GEN:SID | 1:339 |
Message | FTP EXPLOIT OpenBSD x86 ftpd |
Summary | |
Impact | Severe; This is a remote exploit that could result in a root compromise.
|
Detailed Information | There is an off-by-one error in the replydirname() function in the BSD FTP deamon which is also present in many derivitave works. This vulnerability allows an attacker to overflow the buffer by one byte, overwriting the first byte of the return pointer on the stack.
|
Affected Systems | BSD ftpd 0.3.2 + Progeny Debian 1.0 David A. Holland linux-ftpd 0.17 + Progeny Debian 1.0 David Madore ftpd-BSD 0.2.3 - Caldera OpenLinux 2.2 - Caldera OpenLinux 2.3 - Caldera OpenLinux 2.4 - Debian Linux 2.0 - Debian Linux 2.1 - Debian Linux 2.2 - Debian Linux 2.3 - MandrakeSoft Linux Mandrake 6.0 - MandrakeSoft Linux Mandrake 6.1 - MandrakeSoft Linux Mandrake 7.0 - MandrakeSoft Linux Mandrake 7.1 - MandrakeSoft Linux Mandrake 7.2 - RedHat Linux 5.0 - RedHat Linux 6.0 x - RedHat Linux 7.0 - Slackware Linux 4.0 - Slackware Linux 7.0 - Slackware Linux 7.1 NetBSD NetBSD 1.4 NetBSD NetBSD 1.4.1 NetBSD NetBSD 1.4.2 NetBSD NetBSD 1.5 OpenBSD 2.4 OpenBSD 2.5 OpenBSD 2.6 OpenBSD 2.7 OpenBSD 2.8 Note: OpenBSD ships with the FTP daemon turned off, so this is not on by default.
|
Attack Scenarios | The attacker could log into a vulnerable OpenBSD anonymous FTP server, calculate the buffer size, fill the buffer and over write the lowest byte on the base pointer with a null byte. This would result in the attacker controling that space on the stack, with full access to control the host at will.
|
Ease of Attack | Simple; there are script versions of this exploit in the wild.
|
Corrective Action | Update your machine to the latest version of OpenBSD. If you are running OpenBSD 2.8, use the following patch: http://www.securityfocus.com/data/vulnerabilities/patches/005_ftpd.patch
|
Additional References | Arachnids http://www.whitehats.com/info/IDS446
Bugtraq http://www.securityfocus.com/bid/2124
CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0053
OpenBSD http://www.openbsd.org/errata28.html#ftpd
|
Rule References | arachnids: 446
bugtraq: 2124
cve: 2001-0053
|