多个供应商ftpd setproctitle()格式字符串漏洞

漏洞信息详情

多个供应商ftpd setproctitle()格式字符串漏洞

• CNNVD编号：CNNVD-200007-014
• 危害等级： 中危
  
  
• CVE编号：
  CVE-2000-0574
  
• 漏洞类型：
  
  
  格式化字符串
  
• 发布时间：
  
  2000-07-07
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2006-09-20
  
• 厂        商：
  
  openbsd
• 漏洞来源：
  This vulnerability…

例如OpenBSD ftpd,NetBSD ftpd,ProFTPd和Opieftpd的FTP服务器不能正确净化在setproctitle函数（有时被称作set_proc_title）中被使用的不可信格式字符串，远程攻击者可以导致服务拒绝或者执行任意命令。

OpenBSD ftpd:
A patch is available at
http://www.openbsd.org/errata.html#ftpd
ProFTPD:
Upgrade to ProFTPD 1.2.0 when it is available.
Manual patch:
Replace the call to setproctitle() in the set_proc_title() with a properly used format string.
Replace:
setproctitle(statbuf);
with
setproctitle(“%s”, statbuf);
wu-ftpd – upgrade to version 2.6.1:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc
SuSE Linux – updates are available.
http://suse.de/de/support/security/suse_security_announce_571.txt
Debian:
This problem has been corrected in netstd 3.07-7slink.4 for Debian 2.1 (slink) and in ftpd 0.11-8potato.1 for Debian 2.2 (potato). We recommend upgrading your ftpd immediately.
Fixed in: Debian 2.1 (slink):
Source:
http://security.debian.org/dists/slink/updates/source/netstd_3.07-7slink.4.diff.gz
http://security.debian.org/dists/slink/updates/source/netstd_3.07-7slink.4.dsc
http://security.debian.org/dists/slink/updates/source/netstd_3.07.orig.tar.gz
alpha:
http://security.debian.org/dists/slink/updates/binary-alpha/netstd_3.07-7slink.4_alpha.deb
i386:
http://security.debian.org/dists/slink/updates/binary-i386/netstd_3.07-7slink.4_i386.deb
m68k:
http://security.debian.org/dists/slink/updates/binary-m68k/netstd_3.07-7slink.4_m68k.deb
sparc:
http://security.debian.org/dists/slink/updates/binary-sparc/netstd_3.07-7slink.4_sparc.deb
Debian 2.2 (potato):
Source:
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11-8potato.1.diff.gz
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11-8potato.1.dsc
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11.orig.tar.gz
arm:
http://security.debian.org/dists/potato/updates/main/binary-arm/ftpd_0.11-8potato.1_arm.deb
i386:
http://security.debian.org/dists/potato/updates/main/binary-i386/ftpd_0.11-8potato.1_i386.deb
sparc:
http://security.debian.org/dists/potato/updates/main/binary-sparc/ftpd_0.11-8potato.1_sparc.deb
ProFTPD Project ProFTPD 1.2 pre4

• FreeBSD ports-3 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/pro
  ftpd-1.2.0rc2.tgz
• FreeBSD ports-4 alpha protftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/pr
  oftpd-1.2.0rc2.tgz
• FreeBSD ports-4 i386 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/pro
  ftpd-1.2.0rc2.tgz
• FreeBSD ports-5 alpha proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/p
  roftpd-1.2.0rc2.tgz
• FreeBSD ports-5 i386 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/pr
  oftpd-1.2.0rc2.tgz

ProFTPD Project ProFTPD 1.2 pre5

• FreeBSD ports-3 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/pro
  ftpd-1.2.0rc2.tgz
• FreeBSD ports-4 alpha protftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/pr
  oftpd-1.2.0rc2.tgz
• FreeBSD ports-4 i386 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/pro
  ftpd-1.2.0rc2.tgz
• FreeBSD ports-5 alpha proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/p
  roftpd-1.2.0rc2.tgz
• FreeBSD ports-5 i386 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/pr
  oftpd-1.2.0rc2.tgz

ProFTPD Project ProFTPD 1.2 pre8

• FreeBSD ports-3 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/pro
  ftpd-1.2.0rc2.tgz
• FreeBSD ports-4 alpha protftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/pr
  oftpd-1.2.0rc2.tgz
• FreeBSD ports-4 i386 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/pro
  ftpd-1.2.0rc2.tgz
• FreeBSD ports-5 alpha proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/p
  roftpd-1.2.0rc2.tgz
• FreeBSD ports-5 i386 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/pr
  oftpd-1.2.0rc2.tgz

ProFTPD Project ProFTPD 1.2 pre6

• FreeBSD ports-3 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/pro
  ftpd-1.2.0rc2.tgz
• FreeBSD ports-4 alpha protftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/pr
  oftpd-1.2.0rc2.tgz
• FreeBSD ports-4 i386 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/pro
  ftpd-1.2.0rc2.tgz
• FreeBSD ports-5 alpha proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/p
  roftpd-1.2.0rc2.tgz
• FreeBSD ports-5 i386 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/pr
  oftpd-1.2.0rc2.tgz

ProFTPD Project ProFTPD 1.2 pre1

• FreeBSD ports-3 proftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/pro
  ftpd-1.2.0rc2.tgz
• FreeBSD ports-4 alpha protftpd-1.2.0rc2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-s