CVE-2001-0550
published 2001-11-30

Priority: P2 70 high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 74.76% (99.4th percentile)

wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).

Affected

6 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| david_madore | ftpd-bsd | | |
| david_madore | ftpd-bsd | | |
| washington_university | wu-ftpd | | |
| washington_university | wu-ftpd | | |
| washington_university | wu-ftpd | | |
| washington_university | wu-ftpd | | |

Detection & IOCs (extracted from sources)

command: ls ~{
command: CWD ~{
command: unset HISTFILE;id;uname -a;
version: wu-2.6.1-18
process: /usr/sbin/wu.ftpd
  • Detect FTP commands (CWD, LS, etc.) containing the glob pattern '~{' in the argument, which triggers the ftpglob heap corruption vulnerability.
  • Monitor for abrupt FTP session termination (421 Service not available) immediately following a glob-pattern command, which is a symptom of the heap corruption crash.
  • Inspect FTP banner strings matching 'Version wu-2.6.1' or 'Version wu-2.6.0' to identify vulnerable server instances targeted by the exploit.
  • The exploit uses default credentials 'ftp'/'mozilla@' for anonymous login before sending the malicious glob argument; alert on this specific password string in FTP authentication.
  • Look for SIGSEGV/heap corruption in wu-ftpd process (free of address 0x61616161 = 'aaaa') as a post-exploitation indicator of the glob heap overflow.
  • The exploit (7350wurm) targets specific distribution/version combinations with hardcoded return addresses (retloc) and cbuf offsets; exploitation success is highly dependent on the exact binary build matching one of the listed targets.
  • RedHat 6.0 with wu-ftpd-2.4.2vr17-3 is explicitly noted as NOT exploitable via this method because the glob code does not handle the {.,.,.,.} pattern.
  • CVE-2001-0935 (SUSE glob.c audit findings) is a separate, distinct vulnerability from CVE-2001-0550 and does not affect wu-ftpd 2.6.1 or later / Red Hat Enterprise Linux 2.1.
  • The chroot-break shellcode component has a known TODO for Linux 2.4.x kernels (>= 2.4.13) where chroot behaviour changed, meaning the chroot escape may not work on those kernels.
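
The detection points listed above, correlated per FTP session, as an added example that is not part of the original entry or of any vendor rule. The log format (`<session-id> <C|S> <FTP line>`), the finding labels and the sample transcript are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample transcript (not real traffic). Assumed format:
# "<session-id> <C|S> <FTP line>", C = client command, S = server reply.
SAMPLE_LOG = """\
s1 S 220 ftp.example.test FTP server (Version wu-2.6.1-18) ready.
s1 C USER ftp
s1 S 331 Guest login ok, send your complete e-mail address as password.
s1 C PASS mozilla@
s1 S 230 Guest login ok, access restrictions apply.
s1 C CWD ~{
s1 S 421 Service not available, remote server has closed connection
s2 S 220 ftp.example.test FTP server (Version wu-2.6.2) ready.
s2 C USER ftp
s2 C PASS alice@example.test
s2 C CWD ~alice/pub
s2 S 250 CWD command successful.
"""

# Banner strings named in the entry: 'Version wu-2.6.1' or 'Version wu-2.6.0'.
BANNER = re.compile(r"Version wu-2\.6\.[01]\b")

def analyze(log_text):
    """Return {session_id: [finding, ...]} for the indicators listed above."""
    findings = defaultdict(list)
    pending_glob = {}  # session -> True if the last client command carried "~{"
    for raw in log_text.splitlines():
        parts = raw.split(" ", 2)
        if len(parts) < 3:
            continue  # skip malformed lines
        sid, side, line = parts
        if side == "S":
            if line.startswith("220") and BANNER.search(line):
                findings[sid].append("vulnerable-banner")
            # A 421 directly after a glob-pattern command is the crash symptom.
            if line.startswith("421") and pending_glob.get(sid):
                findings[sid].append("421-after-glob")
            pending_glob[sid] = False
        elif side == "C":
            verb, _, arg = line.partition(" ")
            if verb.upper() == "PASS" and arg == "mozilla@":
                findings[sid].append("exploit-default-password")
            pending_glob[sid] = "~{" in arg
            if pending_glob[sid]:
                findings[sid].append("glob-argument:" + verb.upper())
    return dict(findings)
```

A session that shows the glob argument together with the 421 reply is a much stronger signal than any single indicator; the password string alone can match unrelated anonymous clients.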

CVSS provenance

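| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |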