Description
FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly cleanse untrusted format strings that are used in the setproctitle function (sometimes called by set_proc_title), which allows remote attackers to cause a denial of service or execute arbitrary commands.
Affected products
- OpenBSD / ftpd 5.51
- OpenBSD / ftpd 5.60
- washington_university / wu-ftpd 2.4.2_beta1
- washington_university / wu-ftpd 2.4.2_beta18
- washington_university / wu-ftpd 2.4.2_beta18_vr4
- washington_university / wu-ftpd 2.4.2_beta18_vr5
- washington_university / wu-ftpd 2.4.2_beta18_vr6
- washington_university / wu-ftpd 2.4.2_beta18_vr7
- washington_university / wu-ftpd 2.4.2_beta18_vr8
- washington_university / wu-ftpd 2.4.2_beta18_vr9
- washington_university / wu-ftpd 2.4.2_beta18_vr10
- washington_university / wu-ftpd 2.4.2_beta18_vr11
- washington_university / wu-ftpd 2.4.2_beta18_vr12
- washington_university / wu-ftpd 2.4.2_beta18_vr13
- washington_university / wu-ftpd 2.4.2_beta18_vr14
- washington_university / wu-ftpd 2.4.2_beta18_vr15
- washington_university / wu-ftpd 2.4.2_vr16
- washington_university / wu-ftpd 2.4.2_vr17
- washington_university / wu-ftpd 2.5
- washington_university / wu-ftpd 2.6
References
- MISC: http://www.securityfocus.com/bid/1425
- MISC: http://archives.neohapsis.com/archives/bugtraq/2000-07/0121.html
- MISC: http://www.securityfocus.com/bid/1438
- MISC: http://archives.neohapsis.com/archives/bugtraq/2000-07/0061.html
- VENDOR_ADVISORY: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc
- MISC: http://archives.neohapsis.com/archives/bugtraq/2000-07/0031.html
- VENDOR_ADVISORY: http://www.cert.org/advisories/CA-2000-13.html