| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
A vulnerability, which was classified as very critical, has been found in FreeBSD, OpenBSD and MacOS X (Operating System) (affected version unknown). Affected by this issue is the function realpath. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. CVE summarizes:
Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
The weakness was presented 08/04/2003 by Janusz Niewiadomski and Wojciech Purczynski with iSEC Security Research (Website). The advisory is available at ftp.freebsd.org. This vulnerability is handled as CVE-2003-0466 since 06/26/2003. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a public exploit are known. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 03/08/2021).
After immediately, there has been an exploit disclosed. The exploit is available at securiteam.com. It is declared as proof-of-concept. As 0-day the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 16907 (HP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch), which helps to determine the existence of the flaw in a target environment. It is assigned to the family HP-UX Local Security Checks and running in the context r.
Upgrading eliminates this vulnerability. A possible mitigation has been published even before and not after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 2392. In this case the pattern RETR is used for detection. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 2314.
The vulnerability is also documented in the databases at X-Force (12785), Tenable (16907) and Exploit-DB (74). securiteam.com is providing further details. See 217, 298 and 82042 for similar entries.
Product
Type
Name
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.6
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Memory corruptionCWE: CWE-119
ATT&CK: Unknown
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 16907
Nessus Name: HP-UX PHNE_29462 : s700_800 11.22 ftpd(1M) and ftp(1) patch
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Nessus Port: 🔍
OpenVAS ID: 53646
OpenVAS Name: Debian Security Advisory DSA 357-1 (wu-ftpd)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Snort ID: 2392
Snort Message: FTP RETR overflow attempt
Snort Class: 🔍
Snort Pattern: 🔍
Suricata ID: 2102391
Suricata Class: 🔍
Suricata Message: 🔍
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
SourceFire IPS: 🔍
ISS Proventia IPS: 🔍
Timeline
06/26/2003 🔍07/31/2003 🔍
07/31/2003 🔍
08/04/2003 🔍
08/04/2003 🔍
08/04/2003 🔍
08/05/2003 🔍
08/13/2003 🔍
08/14/2003 🔍
08/27/2003 🔍
02/16/2005 🔍
03/08/2021 🔍
Sources
Product: freebsd.orgAdvisory: ftp.freebsd.org
Researcher: Janusz Niewiadomski, Wojciech Purczynski
Organization: iSEC Security Research
Status: Confirmed
CVE: CVE-2003-0466 (🔍)
OVAL: 🔍
X-Force: 12785 - libc realpath(3) function off-by-one buffer overflow, High Risk
SecurityTracker: 1007380 - (FreeBSD Issues Fix) 'libc' Off-by-One Overflow in realpath() May Let Remote Users Execute Arbitrary Code
Vulnerability Center: 1678 - BSD Off-by-One Error in realpath(3) Function Allows Arbitrary Code Execution, High
SecuriTeam: securiteam.com
SecurityFocus: 8315
Secunia: 9535 - Mac OS X "fb_realpath()" Buffer Overflow Vulnerability, Highly Critical
OSVDB: 2133 - WU-FTPD fb_realpath() Function Off-by-one Error
scip Labs: https://www.scip.ch/en/?labs.20180712
Misc.: 🔍
See also: 🔍
Entry
Created: 08/05/2003 12:06Updated: 03/08/2021 15:47
Changes: 08/05/2003 12:06 (106), 12/13/2016 20:21 (5), 03/08/2021 15:47 (3)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.