Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 10.0
CVE Id: CVE-2008-1668
Last Modified: 17 Jul 2013 11:41:05
Published: 13 Aug 2008 02:41:00
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2008-1668

Summary

ftpd.c in (1) wu-ftpd 2.4.2 and (2) ftpd in HP HP-UX B.11.11 assigns uid 0 to the FTP client in certain operating-system misconfigurations in which PAM authentication can succeed even though no passwd entry is available for a user, which allows remote attackers to gain privileges, as demonstrated by a login attempt for an LDAP account when nsswitch.conf does not specify LDAP for passwd information.

Vulnerable Systems

Operating System

  • HP-UX 11.11


References

HP - HPSBUX02356

XF - hpux-ftpd-security-bypass(44414)

VUPEN - ADV-2008-2364

SECTRACK - 1020682

BID - 30666

MLIST - [oss-security] 20080820 FW: CVE-2008-1668 - ftpd 2.4 - unauthorized root access - patch details

SECUNIA - 31471

HP - SSRT080051


Last Updated: 27 May 2016 10:49:54