FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

wu-ftpd -- remote globbing DoS vulnerability

Affected packages
wu-ftpd < 2.6.2_6
wu-ftpd+ipv6 < 2.6.2_7

Details

VuXML ID ef410571-a541-11d9-a788-0001020eed82
Discovery 2005-02-05
Entry 2005-04-04

An iDEFENSE Security Advisory reports:

Remote exploitation of an input validation vulnerability in version 2.6.2 of WU-FTPD could allow for a denial of service of the system by resource exhaustion.

The vulnerability specifically exists in the wu_fnmatch() function in wu_fnmatch.c. When a pattern containing a '*' character is supplied as input, the function calls itself recursively on a smaller substring. By supplying a string which contains a large number of '*' characters, the system will take a long time to return the results, during which time it will be using a large amount of CPU time.
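The cost of the recursion described above can be measured with a small added example. This is not code from wu-ftpd or from the advisory: `naive_match`, `safe_match` and `cost` are hypothetical names, the matcher handles only `*` and literal characters, and the non-recursive variant is one common mitigation, not necessarily the fix that shipped.

```c
#include <stdio.h>
#include <string.h>

static unsigned long calls, steps;   /* work counters, for illustration only */

/* Simplified recursive matcher: every '*' retries the rest of the pattern
   at each suffix of the input, so stacked '*' multiply the work. */
static int naive_match(const char *p, const char *s)
{
    calls++;
    for (; *p; p++, s++) {
        if (*p == '*') {
            for (;; s++) {
                if (naive_match(p + 1, s)) return 1;
                if (*s == '\0') return 0;
            }
        }
        if (*p != *s) return 0;
    }
    return *s == '\0';
}

/* Non-recursive matcher: a run of '*' is treated as one '*', and only the
   most recent '*' is kept as a backtrack point. */
static int safe_match(const char *p, const char *s)
{
    const char *star = NULL, *resume = NULL;
    while (*s) {
        steps++;
        if (*p == '*') { while (*p == '*') p++; star = p; resume = s; }
        else if (*p == *s) { p++; s++; }
        else if (star) { p = star; s = ++resume; }
        else return 0;
    }
    while (*p == '*') p++;
    return *p == '\0';
}

/* Constructed input: nstars '*' then 'x', matched against len 'a' characters. */
static unsigned long cost(int use_safe, int nstars, int len)
{
    char pat[64], str[64];
    if (nstars < 0 || len < 0 || nstars > 60 || len > 60) return 0;
    memset(pat, '*', nstars); pat[nstars] = 'x'; pat[nstars + 1] = '\0';
    memset(str, 'a', len);    str[len] = '\0';
    calls = steps = 0;
    if (use_safe) { safe_match(pat, str); return steps; }
    naive_match(pat, str);
    return calls;
}

int main(void)
{
    printf("naive calls: %lu, safe steps: %lu\n", cost(0, 8, 16), cost(1, 8, 16));
    return 0;
}
```

For k stars and an n-character input that cannot match, the recursive version makes C(n+k+1, k) calls, while the non-recursive version stays linear in n for this input.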

References

CVE Name CVE-2005-0256
Message FB24803D1DF2A34FA59FC157B77C970503E249AF@idserv04.idef.com