wu-ftpd /bin SITE EXEC Misconfiguration Vulnerability

BID:2241

Info

wu-ftpd /bin SITE EXEC Misconfiguration Vulnerability

Bugtraq ID: 2241
Class: Configuration Error
CVE:
Remote: Yes
Local: Yes
Published: Nov 30 1995 12:00AM
Updated: Nov 30 1995 12:00AM
Credit: Revealed by Olaf Kirch <[email protected]> in a message dated May 31, 1995.
Vulnerable: Washington University wu-ftpd 2.4.1
Not Vulnerable: Washington University wu-ftpd 2.6 .0
+ Cobalt Qube 1.0
+ Debian Linux 2.2 sparc
 + Debian Linux 2.2 powerpc
 + Debian Linux 2.2 arm
 + Debian Linux 2.2 alpha
 + Debian Linux 2.2 68k
 + Debian Linux 2.2
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3 -STABLE
 - FreeBSD FreeBSD 4.3 -RELEASE
 - FreeBSD FreeBSD 4.3
+ HP HP-UX 11.11
+ HP HP-UX 11.0
+ Redhat Linux 6.2 sparc
 + Redhat Linux 6.2 i386
 + Redhat Linux 6.2 alpha
 + Redhat Linux 6.1 sparc
 + Redhat Linux 6.1 i386
 + Redhat Linux 6.1 alpha
 + Redhat Linux 6.0 sparc
 + Redhat Linux 6.0 alpha
 + Redhat Linux 6.0
+ Redhat Linux 5.2 sparc
 + Redhat Linux 5.2 i386
 + Redhat Linux 5.2 alpha
 + SuSE Linux 7.3 sparc
 + SuSE Linux 7.3 ppc
 + SuSE Linux 7.3 i386
 + SuSE Linux 7.2 i386
 + SuSE Linux 7.1 x86
 + SuSE Linux 7.1 sparc
 + SuSE Linux 7.1 ppc
 + SuSE Linux 7.1 alpha
 + SuSE Linux 7.0 sparc
 + SuSE Linux 7.0 ppc
 + SuSE Linux 7.0 i386
 + SuSE Linux 7.0 alpha
 + SuSE Linux 6.4 ppc
 + SuSE Linux 6.4 alpha
 + SuSE Linux 6.4
+ SuSE Linux 6.3 ppc
 + SuSE Linux 6.3 alpha
 + SuSE Linux 6.3
+ SuSE Linux 6.2
+ SuSE Linux 6.1 alpha
 + SuSE Linux 6.1
+ Turbolinux Turbolinux 4.0
+ Wirex Immunix OS 6.2
Washington University wu-ftpd 2.5 .0
+ Caldera OpenLinux 2.4
+ Caldera OpenLinux Desktop 2.3
+ Redhat Linux 6.0 sparc
 + Redhat Linux 6.0 alpha
 + Redhat Linux 6.0
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ SCO eServer 2.3
Washington University wu-ftpd 2.4.2 academ[BETA1-15]
+ Caldera OpenLinux Standard 1.2
Washington University wu-ftpd 2.4.2 academ[BETA-18]
+ Redhat Linux 5.2 i386
 Washington University wu-ftpd 2.4.2 (beta 18) VR4

Discussion

wu-ftpd /bin SITE EXEC Misconfiguration Vulnerability

Due to a misconfiguration in the configuration file pathnames.h, some distributed binaries of wuftp version 2.4.1 and earlier allow an attacker with an FTP account on the system to gain root access. This is accomplished by running the "site exec" command. The problem lies in the fact that pathnames.h erroneously set _PATH_EXECPATH to /bin - this pathname is relative to ~ftp for anonymous users, but for users with accounts it is relative to / and therefore specifies the real /bin rather than ~ftp/bin. If SITE EXEC is enabled, the user can gain root access by running a shell or other command using site exec.

Exploit / POC

wu-ftpd /bin SITE EXEC Misconfiguration Vulnerability

To find out if your machine is affected, ftp to your own account, log in
and enter this: quote "site exec bash -c id". If ftpd responds with
a line that says something like "uid=0(root) euid=1234(your_login)... ",
then your ftpd is vulnerable.

Solution / Fix

wu-ftpd /bin SITE EXEC Misconfiguration Vulnerability

Solution:
Upgrade to a newer version of wuftp

References

wu-ftpd /bin SITE EXEC Misconfiguration Vulnerability

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report