CVE-2001-0550
Published 2001-11-30
Priority P270 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 74.76% (99.4th percentile)
wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| david_madore | ftpd-bsd | — | — |
| david_madore | ftpd-bsd | — | — |
| washington_university | wu-ftpd | — | — |
| washington_university | wu-ftpd | — | — |
| washington_university | wu-ftpd | — | — |
| washington_university | wu-ftpd | — | — |
Detection & IOCs
- Detect FTP commands (CWD, LS, etc.) containing the glob pattern '~{' in the argument, which triggers the ftpglob heap corruption vulnerability.
- Monitor for abrupt FTP session termination (421 Service not available) immediately following a glob-pattern command, which is a symptom of the heap corruption crash.
- Inspect FTP banner strings matching 'Version wu-2.6.1' or 'Version wu-2.6.0' to identify vulnerable server instances targeted by the exploit.
- The exploit uses default credentials 'ftp'/'mozilla@' for anonymous login before sending the malicious glob argument; alert on this specific password string in FTP authentication.
- Look for SIGSEGV/heap corruption in wu-ftpd process (free of address 0x61616161 = 'aaaa') as a post-exploitation indicator of the glob heap overflow.
- The exploit (7350wurm) targets specific distribution/version combinations with hardcoded return addresses (retloc) and cbuf offsets; exploitation success is highly dependent on the exact binary build matching one of the listed targets.
- RedHat 6.0 with wu-ftpd-2.4.2vr17-3 is explicitly noted as NOT exploitable via this method because the glob code does not handle the {.,.,.,.} pattern.
- CVE-2001-0935 (SUSE glob.c audit findings) is a separate, distinct vulnerability from CVE-2001-0550 and does not affect wu-ftpd 2.6.1 or later / Red Hat Enterprise Linux 2.1.
- The chroot-break shellcode component has a known TODO for Linux 2.4.x kernels (>= 2.4.13) where chroot behaviour changed, meaning the chroot escape may not work on those kernels.
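The network-side checks in the list above can be combined into a single pass over an FTP control-channel transcript. This is an added example, not code from any of the cited sources; the event format, the `analyze_session` name and the sample session are constructed for illustration.

```python
import re

# Banner strings named in the detection notes: 'Version wu-2.6.1' / 'Version wu-2.6.0'
BANNER_RE = re.compile(r"Version wu-2\.6\.[01](?!\d)")
GLOB_TRIGGER = "~{"            # argument pattern mishandled by ftpglob
EXPLOIT_PASSWORD = "mozilla@"  # anonymous password the notes attribute to the exploit

# Constructed sample session: ("S", line) is server-to-client, ("C", line) is client-to-server.
SAMPLE_SESSION = [
    ("S", "220 ftp.example.test FTP server (Version wu-2.6.1(1) constructed) ready."),
    ("C", "USER ftp"),
    ("S", "331 Guest login ok, send your complete e-mail address as password."),
    ("C", "PASS mozilla@"),
    ("S", "230 Guest login ok, access restrictions apply."),
    ("C", "CWD pub"),
    ("S", "250 CWD command successful."),
    ("C", "CWD ~{"),
    ("S", "421 Service not available."),
]

def analyze_session(events):
    """Return (event_index, finding) tuples for one FTP control session."""
    findings = []
    glob_pending = False  # True only while the last client command carried '~{'
    for i, (direction, line) in enumerate(events):
        if direction == "S":
            if line.startswith("220") and BANNER_RE.search(line):
                findings.append((i, "vulnerable-banner"))
            # A 421 directly after a glob-pattern command is the crash symptom.
            if glob_pending and line.startswith("421"):
                findings.append((i, "421-after-glob"))
            glob_pending = False
            continue
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()  # FTP verbs are case-insensitive
        glob_pending = False
        if verb == "PASS" and arg == EXPLOIT_PASSWORD:
            findings.append((i, "exploit-default-password"))
        if GLOB_TRIGGER in arg:
            # Record only the verb so arguments (including passwords) are not logged.
            findings.append((i, f"glob-trigger:{verb}"))
            glob_pending = True
    return findings

if __name__ == "__main__":
    for index, finding in analyze_session(SAMPLE_SESSION):
        print(index, finding)
```

A 421 on its own (for example an idle timeout) is not reported; it only counts when it directly follows a command whose argument contains `~{`.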
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH
vendor_redhat · 7.5 HIGH
Red Hat
vendor_redhat·2001-04-30·CVSS 7.5
CVE-2001-0550 [HIGH] security flaw
wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).
Red Hat
vendor_redhat·CVSS 7.5
CVE-2001-0935 [HIGH] CVE-2001-0935: Vulnerability in wu-ftpd 2
Vulnerability in wu-ftpd 2.6.0, and possibly earlier versions, which is unrelated to the ftpglob bug described in CVE-2001-0550.
Statement: CVE-2001-0935 refers to vulnerabilities found when SUSE did a code audit of the wu-ftpd glob.c file in wu-ftpd 2.6.0. They shared these details with the wu-ftpd upstream authors who clarified that some of the issues did not apply, and all were addressed by the version of glob.c in upstream wu-ftpd 2.6.1. Therefore we believe that the issues labelled as CVE-2001-0935 do not affect wu-ftpd 2.6.1 or later versions and therefore do not affect Red Hat Enterprise Linux 2.1.
GHSA
ghsa_unreviewed·2022-04-30
CVE-2001-0550 [HIGH] GHSA-fq5j-pgh2-4grh: wu-ftpd 2
wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).
GHSA
ghsa_unreviewed·2022-04-30·CVSS 7.5
CVE-2001-0935 [HIGH] GHSA-57jq-q4wv-65pc: Vulnerability in wu-ftpd 2
Vulnerability in wu-ftpd 2.6.0, and possibly earlier versions, which is unrelated to the ftpglob bug described in CVE-2001-0550.
VulnCheck
vulncheck·2001·CVSS 7.5
CVE-2001-0550 [HIGH] wu-ftpd 2.6.1 Arbitrary Command Execution
wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).
Affected: david_madore ftpd-bsd
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b6546d4&tab=librarydocuments
No detection rules found.
Exploit-DB
exploitdb·2002-05-14
CVE-2001-0550 WU-FTPD 2.6.1 - Remote Command Execution
---
/* 7350wurm - x86/linux wu_ftpd remote root exploit
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* The contents of these coded instructions, statements and computer
* programs may not be disclosed to third parties, copied or duplicated in
* any form, in whole or in part, without the prior written permission of
* TESO Security. This includes especially the Bugtraq mailing list, the
* www.hack.co.za website and any public exploit archive.
*
* The distribution restrictions cover the entire file, including this
* header notice. (This means, you are not allowed to reproduce the header).
*
* (C) COPYRIGHT TESO Security, 2001
* All Rights Reserved
*
* thanks to bnuts, tomas, dvorak, scri
Exploit-DB
exploitdb·2001-11-27
CVE-2001-0550 WU-FTPD 2.6 - File Globbing Heap Corruption
---
source: https://www.securityfocus.com/bid/3581/info
Wu-Ftpd is an FTP server based on the BSD 'ftpd' that is maintained by Washington University.
Wu-Ftpd allows clients to organize files for FTP actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap-corruption vulnerability that may allow an attacker to execute arbitrary code on a server remotely.
This vulnerability was initially scheduled for public release on December 3, 2001. However, Red Hat has made details public as of November 27, 2001. As a result, we are forced to warn other users of the vulnerable product so that they may take appropriate actions.
ftp> open localhost
Conne