CVE-2001-0053
Published 2001-02-12
CVE-2001-0053: One-byte buffer overflow in replydirname function in BSD-based ftpd allows remote attackers to gain root privileges.
Priority P352, critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 17.93% (96.8th percentile)
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| david_madore | ftpd-bsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
No detection rules found.
Exploit-DB
OpenBSD ftpd 2.6/2.7 - Remote Overflow
exploitdb·2000-12-20
---
/*
h0h0h0 0-day k0d3z
Exploit by Scrippie, help by dvorak and jimjones
greets to sk8
Not fully developed exploit but it works most of the time ;)
Things to add:
- automatic writeable directory finding
- syn-scan option to do mass-scanning
- worm capabilities? (should be done separately using the -C option)
11/13/2000
*/
#include
#include
#include
#include
#include
#include
void usage(char *program);
char *strcreat(char *, char *, int);
char *longToChar(unsigned long);
char *xrealloc(void *, size_t);
void xfree(char **ptr);
char *xmalloc(size_t);
int xconnect(char *host, u_short port);
void xsend(int fd, char *buf);
void xsendftpcmd(int fd, char *command, char *param);
void xrecieveall(int fd, char *buf, int size);
void xrecieve(int fd, char
Exploit-DB
BSD ftpd 0.3.2 - Single Byte Buffer Overflow
exploitdb·2000-12-18
---
source: https://www.securityfocus.com/bid/2124/info
The ftp daemon derived from 4.x BSD source contains a serious vulnerability that may compromise root access.
There exists a one byte overflow in the replydirname() function. The overflow condition is due to an off-by-one bug that allows an attacker to write a null byte beyond the boundaries of a local buffer and over the lowest byte of the saved base pointer.
As a result, the numerical value of the pointer decreases (and it thus points to a higher location (or lower address) on the stack than it should) and when the replydirname() function returns, the modified saved base pointer is stored in the base pointer register. When the calling function returns, the return address is read from
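The off-by-one described above, modelled as an added example (not code from this page, the advisories or ftpd itself): it assumes the overflow comes from a copy loop that checks its bound once per iteration but can store two bytes when it doubles a quote character. The function names, the 16-byte capacity and the input are constructed for illustration; the flawed copy is shown beside a bounded form.

```c
#include <stddef.h>
#include <string.h>

enum { CAP = 16 };  /* constructed capacity; valid indices are 0..CAP-1 */

/* Flawed pattern: one bounds check per iteration, but a '"' stores two
 * bytes, so the terminator can be written at dst[cap]. */
static size_t copy_quoted_flawed(char *dst, size_t cap, const char *name)
{
    size_t i;
    for (i = 0; *name != '\0' && i < cap - 1; i++, name++) {
        dst[i] = *name;
        if (*name == '"')
            dst[++i] = '"';   /* second store, no second check */
    }
    dst[i] = '\0';            /* i may equal cap here */
    return i;                 /* index where the NUL landed */
}

/* Bounded form: reserve the terminator and check before every store. */
static size_t copy_quoted_bounded(char *dst, size_t cap, const char *name)
{
    size_t i = 0;
    for (; *name != '\0'; name++) {
        size_t need = (*name == '"') ? 2 : 1;
        if (cap - 1 - i < need)
            break;
        dst[i++] = *name;
        if (need == 2)
            dst[i++] = '"';
    }
    dst[i] = '\0';
    return i;
}

/* Copies a constructed name (CAP-2 filler bytes, then one '"') into an
 * arena of 2*CAP bytes, so a write at index CAP is observable without
 * undefined behaviour. Returns the index of the terminator. */
static size_t terminator_index(int use_flawed)
{
    char arena[2 * CAP], name[CAP];
    memset(arena, 'G', sizeof arena);
    memset(name, 'a', CAP - 2);
    name[CAP - 2] = '"';
    name[CAP - 1] = '\0';
    return use_flawed ? copy_quoted_flawed(arena, CAP, name)
                      : copy_quoted_bounded(arena, CAP, name);
}
```

With the flawed loop the terminator lands at index 16, one byte past a 16-byte buffer; the bounded loop stops before the quote and terminates at index 14.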
No writeups or analysis indexed.
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-018.txt.asc
http://archives.neohapsis.com/archives/bugtraq/2000-12/0275.html
http://www.openbsd.org/advisories/ftpd_replydirname.txt
http://www.securityfocus.com/bid/2124
https://exchange.xforce.ibmcloud.com/vulnerabilities/5776