
does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

SOLVED
PamelaJThrasher
Regular Advisor

Hello
I am being asked to make sure that all my HP-UX servers have been remediated against the RealPath off-by-one buffer overflow vulnerability in wu-ftp that was identified in 2003.

According to the documentation that I found, this has been addressed in wu-ftp version 2.6.2, but I cannot find that version available to download from HP.

Does anyone know if the wu-ftp version 2.6.1 from November 2007 that is available from HP addresses this issue? I have glanced through the release notes and cannot find any mention of it.

Attached is a detailed description of the vulnerability that I found at the SANS Institute site.

Thanks in advance!
Steven E. Protter
Exalted Contributor

Shalom,

It is safe to say the November 2007 release of wu-ftpd included fixes to all known vulnerabilities released in 2003.

In addition, there are several binary fixes to wu-ftpd that are available via FTP through the ITRC website or by making a call to the response center.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
PamelaJThrasher
Regular Advisor

Thank you!

The HP download site for wu-ftp 2.6.1 states that it is for 11.0 and 11.11.

I also have 11.23 (PA-RISC) and 11.31 (Itanium) servers. Do you know where I could get version 2.6.1 for those servers?
Paul Sperry
Honored Contributor

You can download the source code here and build it.

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

You want to get the wu-ftpd-2.6.2.tar.gz file,

or wu-ftpd-2.6.1.tar.gz if you want all of your systems on the same version.

PamelaJThrasher
Regular Advisor

I have tried multiple times to get to the link in the above post.

I always get the following response:

Windows cannot access this folder. Make sure you type the file name correctly and that you have permission to access the folder.
Details: Operation timed out

I get that message from clicking on the link in the above response as well as going directly to the http://www.wu-ftpd.org/ site and clicking on the link that they provide there. I also get that response when trying to download from any of the mirror sites close to me.
Paul Sperry
Honored Contributor

That's weird.
The link ftp://ftp.wu-ftpd.org/pub/wu-ftpd/
and http://www.wu-ftpd.org
both work for me.
Are you behind a firewall, and do you have your proxy settings set correctly?
PamelaJThrasher
Regular Advisor

I am behind a firewall. I am able to get to the http://www.wu-ftpd.org site with no problem but none of the ftp sites seem to be working for me.

I have my HP Account Support Consultant coming on site tomorrow. He has said that he can look into this and get the download for me if it is my proxy settings.

Thanks for your help.
Paul Sperry
Honored Contributor
Solution

I am assuming you're using IE.
If so, try this.

1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. Click the Advanced tab, click to clear the Enable folder view for FTP sites check box, click Apply, and then click OK.
PamelaJThrasher
Regular Advisor

I looked and that box is already checked. :-(

Thanks for trying.
Paul Sperry
Honored Contributor

You need to un-check it (clear the check mark).
PamelaJThrasher
Regular Advisor

That worked. Thank you! I have saved the 2.6.2 version.

Thanks again.
PamelaJThrasher
Regular Advisor

I have downloaded wu-ftp 2.6.2 from their site. This will definitely have the fix in place.