CVE-2000-0573
published 2000-07-07
CVE-2000-0573: The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary…
Priority P263 · critical · 10 · CVSS 2.0
AV:N / AC:L / Au:N / C:C / I:C / A:C
EXPLOIT
EPSS: 96.29% (99.9th percentile)
The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | hp-ux | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring FTP traffic on port 21 for SITE EXEC or SITE INDEX commands containing printf format specifiers (e.g., %n, %d, %x, %s, %.Nd) in the command argument.
- Alert on FTP banner responses matching 'Version wu-2.4', 'Version wu-2.5', or 'Version wu-2.6.0' as these indicate a potentially vulnerable wu-ftpd instance.
- Detect anonymous FTP login followed immediately by SITE EXEC or SITE INDEX commands with format specifier payloads, as anonymous access is exploitable.
- Look for the byte sequence 0xff 0xff in FTP command streams as a telnet/FTP escape doubling artifact produced by exploit tools when embedding shellcode addresses containing 0xff bytes.
- Monitor for FTP SITE EXEC commands whose argument length approaches or exceeds 256 bytes, as the exploitable format string space is bounded by the payload space of 256 bytes.
- RedHat 5.2, 6.0, and 6.1 wu-ftpd builds use a built-in stripped-down vsprintf that lacks %n support, making them not exploitable via this format string technique despite being vulnerable versions.
- The exploit payload bad characters include null byte, tab, newline, carriage return, space, percent sign, and forward slash; these bytes cannot appear in the format string payload and must be avoided or encoded.
- The Metasploit module prepends a chroot-break by default ('PrependChrootBreak' => true), meaning the shellcode delivered will attempt to escape a chroot jail before executing commands.
- Exploitation success is target-specific: different OS/wu-ftpd version combinations require different stack offsets, writable addresses, and flow hook addresses; automatic target detection relies on parsing the FTP banner.
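The checks listed above can be combined into one pass over the client side of an FTP control session. The following is an added example, not code from this page or from any of the referenced projects; the function names, reason labels and sample session are constructed for illustration, and the 256-byte threshold is taken from the note above.

```python
import re

# printf conversions such as %n, %d, %x, %s, %.Nd, %8$x; "%%" is stripped first.
FORMAT_SPEC = re.compile(
    rb"%(?:\d+\$)?[-+#0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|z|j|t)?[diouxXeEfgGcspn]")
SITE_CMD = re.compile(rb"^\s*SITE\s+(?:EXEC|INDEX)\b[ \t]*(.*)$", re.I | re.S)
ANON_USER = re.compile(rb"^\s*USER\s+(?:anonymous|ftp)\s*$", re.I)
VULN_BANNER = re.compile(rb"Version wu-(?:2\.4|2\.5|2\.6\.0)")
MAX_ARG = 256  # payload space quoted in the detection notes


def banner_is_suspect(banner: bytes) -> bool:
    """True when the 220 greeting advertises a wu-ftpd 2.4, 2.5 or 2.6.0 build."""
    return VULN_BANNER.search(banner) is not None


def inspect_session(commands):
    """Return [(index, [reasons])] for suspicious SITE EXEC/INDEX client lines."""
    findings, anonymous = [], False
    for i, raw in enumerate(commands):
        line = raw.rstrip(b"\r\n")
        if ANON_USER.match(line):
            anonymous = True
        m = SITE_CMD.match(line)
        if not m:
            continue
        arg, reasons = m.group(1), []
        if FORMAT_SPEC.search(arg.replace(b"%%", b"")):
            reasons.append("format-specifier")
        if len(arg) >= MAX_ARG:
            reasons.append("long-argument")
        if b"\xff\xff" in arg:
            reasons.append("doubled-0xff")
        if reasons and anonymous:
            reasons.append("anonymous-session")
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed sample session (client-to-server lines only), not captured traffic.
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS guest@example.invalid\r\n",
    b"SITE EXEC ls -l\r\n",
    b"SITE EXEC %08x.%08x.%n\r\n",
    b"SITE INDEX " + b"A" * 300 + b"\r\n",
]

if __name__ == "__main__":
    for idx, why in inspect_session(SAMPLE):
        print(idx, ",".join(why))
```

The matcher works on raw bytes before any telnet decoding, which is why the doubled 0xff is still visible to it.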
CVSS provenance
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat · 10.0 · CRITICAL
GHSA
GHSA-7g9x-54rv-3848: The lreply function in wu-ftpd 2
ghsa_unreviewed·2022-05-03
CVE-2000-0573 [HIGH] GHSA-7g9x-54rv-3848: The lreply function in wu-ftpd 2
The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.
Red Hat
vendor_redhat·2000-06-23·CVSS 10.0
CVE-2000-0573 [CRITICAL] security flaw
The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.
Statement: This issue was fixed in the following products:
- Red Hat Linux 5.2 - RHSA-2000:039 (2000-06-23)
- Red Hat Linux 6.2 - RHSA-2000:039 (2000-06-23)
No detection rules found.
Exploit-DB
WU-FTPD - Site EXEC/INDEX Format String (Metasploit)
exploitdb·2010-11-30
---
##
# $Id: wuftpd_site_exec_format.rb 11166 2010-11-30 00:16:53Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'wu-ftpd SITE EXEC/INDEX Format String Vulnerability',
'Description' => %q{
This module exploits a format string vulnerability in versions of the
Washington University FTP server older than 2.6.1. By executing
specially crafted SITE EXEC or SITE INDEX commands containing format
specifiers, an attacker can corrupt memory and execute arbitrary code.
},
'Author' => [ 'jd
Exploit-DB
BeroFTPD 1.3.4(1) (Linux x86) - Remote Code Execution
exploitdb·2001-05-08
---
/*
* BeroFTPD 1.3.4(1) Linux x86 remote root exploit
* by qitest1 - 5/05/2001
*
* BeroFTPD is an ftpd derived from wuftpd sources. This code
* exploits the format bug of the site exec cmd, well known to be
* present in wuftpd-2.6.0 and derived daemons. BeroFTPD 1.3.4(1)
* is the current version at the moment.
*
* JUST SAMPLE CODE. For different platforms you have to try with
* different offsets for different retaddrs. You see.. =)
*
* Greets: Nail, Norby, Berserker.
* 69 rulez.. ;P
*/
#include
#include
#include
#include
#include
#include
#include
#include
struct targ
{
int def;
char *descr;
unsigned long int enbuf;
int dawlen;
};
struct targ target[]=
{
{0, "RedHat 6.2 with BeroFTPD 1.3.4(1) from tar.gz", 0xded, 6},
{1, "Slackw
Exploit-DB
WU-FTPD 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (3)
exploitdb·2001-05-04
---
source: https://www.securityfocus.com/bid/1387/info
Washington University ftp daemon (wu-ftpd) is a very popular unix ftp server shipped with many distributions of Linux and other UNIX operating systems. Wu-ftpd is vulnerable to a very serious remote attack in the SITE EXEC implementation. Because of user input going directly into a format string for a *printf function, it is possible to overwrite important data, such as a return address, on the stack. When this is accomplished, the function can jump into shellcode pointed to by the overwritten eip and execute arbitrary commands as root. While exploited in a manner similar to a buffer overflow, it is actually an input validation problem. Anonymous ftp is exploitab
Exploit-DB
WU-FTPD 2.6.0 - Remote Format Strings
exploitdb·2001-01-03
---
/*
**
** 12:40 11/10/00: Tool for either attack or defense
** within an information warfare setting. Rather, it
** is a small program demonstrating proof of concept.
** Default values for solaris 2.8 and inetd.
**
** If you are not the intended recipient, or a person
** responsible for delivering it to the intended
** recipient, you are not authorised to and must not
** disclose, copy, distribute, or retain this message
** or any part of it. Such unauthorised use may be
** unlawful.If you have received this transmission in
** error,please email us immediately at [email protected]
** so that we can arrange for its return.
**
** kalou
**
** Usage:
**
** 0xfdc (4060) bytes after the ret position, you have:
**
** -HOSTNAME: anonymous/EGGSHELL
**
** This
Exploit-DB
WU-FTPD 2.6.0 - Remote Command Execution
exploitdb·2000-11-21
---
/*
* (c) 2000 venglin / b0f
* http://b0f.freebsd.lublin.pl
*
* WUFTPD 2.6.0 REMOTE ROOT EXPLOIT (22/06/2000, updated: 05/08/2000)
*
* Idea and preliminary version of exploit by tf8
*
* Greetz: Lam3rZ, TESO, ADM, lcamtuf, karpio.
* Dedicated to ksm.
*
* **PRIVATE**DO*NOT*DISTRIBUTE**
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define repln if (getreply(0) ";
char recvbuf[BUFSIZ], sendbuf[BUFSIZ];
FILE *cin, *cout;
char linuxcode[]= /* Lam3rZ chroot() code */
Exploit-DB
WU-FTPD 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (2)
exploitdb·2000-09-26
---
// source: https://www.securityfocus.com/bid/1387/info
Exploit-DB
WU-FTPD 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (1)
exploitdb·1999-10-15
---
// source: https://www.securityfocus.com/bid/1387/info
Metasploit
WU-FTPD SITE EXEC/INDEX Format String Vulnerability
metasploit
This module exploits a format string vulnerability in versions of the Washington University FTP server older than 2.6.1. By executing specially crafted SITE EXEC or SITE INDEX commands containing format specifiers, an attacker can corrupt memory and execute arbitrary code.
- ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:29.wu-ftpd.asc.v1.1
- ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2000-009.txt.asc
- http://archives.neohapsis.com/archives/bugtraq/2000-06/0244.html
- http://archives.neohapsis.com/archives/bugtraq/2000-07/0017.html
- http://marc.info/?l=bugtraq&m=96171893218000&w=2
- http://marc.info/?l=bugtraq&m=96179429114160&w=2
- http://marc.info/?l=bugtraq&m=96299933720862&w=2
- http://www.calderasystems.com/support/security/advisories/CSSA-2000-020.0.txt
- http://www.cert.org/advisories/CA-2000-13.html
- http://www.redhat.com/support/errata/RHSA-2000-039.html
- http://www.securityfocus.com/bid/1387
- http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623091822.3321.qmail%40fiver.freemessage.com
- https://exchange.xforce.ibmcloud.com/vulnerabilities/4773
Published: 2000-07-07