CVE-2000-0573
published 2000-07-07


Priority: P2 (63, critical)
CVSS 2.0 score: 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 96.29% (99.9th percentile)
The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.

Affected (1 range)

Vendor: hp
Product: hp-ux
Version range: not given
Fixed in: not given

Detection & IOCs (extracted from sources)

  • command: SITE EXEC <format_string>
  • command: SITE INDEX <format_string>
  • command: SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb<format_specifiers>
  • command: SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb<format_specifiers>
  • command: site exec <format_string>
  • Detect exploitation attempts by monitoring FTP control traffic on port 21 for SITE EXEC or SITE INDEX commands whose argument contains printf format specifiers (e.g., %n, %d, %x, %s, %.Nd).
  • Alert on FTP banner responses matching 'Version wu-2.4', 'Version wu-2.5', or 'Version wu-2.6.0', as these indicate a potentially vulnerable wu-ftpd instance.
  • Detect an anonymous FTP login followed immediately by SITE EXEC or SITE INDEX commands carrying format specifier payloads, since the vulnerability is reachable from an anonymous login.
  • Look for the byte sequence 0xff 0xff in FTP command streams: the Telnet IAC byte 0xff is doubled on the wire, so exploit tools embedding shellcode addresses that contain 0xff bytes leave this doubling artifact.
  • Monitor for FTP SITE EXEC commands whose argument length approaches or exceeds 256 bytes, since the usable format string space is bounded by the 256-byte payload space.
  • RedHat 5.2, 6.0, and 6.1 wu-ftpd builds use a built-in stripped-down vsprintf that lacks %n support, so they are not exploitable via this format string technique despite being vulnerable versions.
  • The exploit payload bad characters include the null byte, tab, newline, carriage return, space, percent sign, and forward slash: these bytes cannot appear in the format string payload and must be avoided or encoded.
  • The Metasploit module prepends a chroot-break by default ('PrependChrootBreak' => true), meaning the delivered shellcode will attempt to escape a chroot jail before executing commands.
  • Exploitation success is target-specific: different OS/wu-ftpd version combinations require different stack offsets, writable addresses, and flow hook addresses; automatic target detection relies on parsing the FTP banner.

CVSS provenance

NVD: CVSS v2.0, score 10.0, CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Vendor (Red Hat): score 10.0, CRITICAL