Wu-Ftpd S/Key Remote Buffer Overrun漏洞

漏洞信息详情

Wu-Ftpd S/Key Remote Buffer Overrun漏洞

• CNNVD编号：CNNVD-200403-064
• 危害等级： 超危
  
  
• CVE编号：
  CVE-2004-0185
  
• 漏洞类型：
  
  
  缓冲区溢出
  
• 发布时间：
  
  2004-03-15
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2005-05-13
  
• 厂        商：
  
  washington_university
• 漏洞来源：
  This issue was rec…

wu-ftp daemon (wu-ftpd) 2.6.2版本的ftpd.c中skey_challenge函数存在缓冲区溢出漏洞。远程攻击者借助一个有超长名称的s/key (SKEY）请求导致服务拒绝并且可能执行任意代码。

Hewlett-Packard has released an advisory (HPSBTU01012) and an early release patch to address this issue. Customers are advised to apply this patch if they are affected by this vulnerability. Further information regarding obtaining and applying an appropriate patch can be found in the referenced advisory.
Debian has released an advisory DSA 457-1 to address this issue. Please see the referenced advisory for more information.
RedHat has released an advisory RHSA-2004:096-09 to address this issue in Red Hat Enterprise Linux. Please see the advisory in web references for more information.
The vendor has released a patch to address this issue in Wu-FTPD 2.6.2. The official patch can be obtained from the following location:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/skeychallenge.patch
Washington University wu-ftpd 2.6.2

• Debian wu-ftpd-academ_2.6.2-3woody4_all.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd-academ_
  2.6.2-3woody4_all.deb
• Debian wu-ftpd_2.6.2-3woody4_alpha.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_alpha.deb
• Debian wu-ftpd_2.6.2-3woody4_arm.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_arm.deb
• Debian wu-ftpd_2.6.2-3woody4_hppa.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_hppa.deb
• Debian wu-ftpd_2.6.2-3woody4_i386.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_i386.deb
• Debian wu-ftpd_2.6.2-3woody4_ia64.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_ia64.deb
• Debian wu-ftpd_2.6.2-3woody4_m68k.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_m68k.deb
• Debian wu-ftpd_2.6.2-3woody4_mips.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_mips.deb
• Debian wu-ftpd_2.6.2-3woody4_mipsel.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_mipsel.deb
• Debian wu-ftpd_2.6.2-3woody4_powerpc.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_powerpc.deb
• Debian wu-ftpd_2.6.2-3woody4_s390.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_s390.deb
• Debian wu-ftpd_2.6.2-3woody4_sparc.debDebian GNU/Linux 3.0 (woody)
  
  http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3
  woody4_sparc.deb

Compaq Tru64 5.1 a PK6(BL24)

• HP T64V51AB-IX622-WUFTPD262-SSRT4704-SSRT4705.tar
  
  http://itrc.hp.com

Compaq Tru64 5.1 b PK3(BL24)

• HP T64V51AB-IX622-WUFTPD262-SSRT4704-SSRT4705.tar
  
  http://itrc.hp.com

来源: www.securiteam.com
链接:http://www.securiteam.com/unixfocus/6X00Q1P8KC.html

来源: REDHAT
名称: RHSA-2004:096
链接:http://www.redhat.com/support/errata/RHSA-2004-096.html

来源: DEBIAN
名称: DSA-457
链接:http://www.debian.org/security/2004/dsa-457

来源: ftp.wu-ftpd.org
链接:ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/skeychallenge.patch

来源: XF
名称: wuftpd-skey-bo(13518)
链接:http://xforce.iss.net/xforce/xfdb/13518

来源: unixpunx.org
链接:http://unixpunx.org/txt/exploits_archive/packetstorm/0310-advisories/wuftpd-skey.txt

来源: BID
名称: 8893
链接:http://www.securityfocus.com/bid/8893