Multiple signal handler race conditions in lukemftpd (aka tnftpd before 20040810) allow remote authenticated attackers to cause a denial of service or execute arbitrary code.

lukemftpd(8) is an enhanced BSD FTP server produced within the NetBSD project. The sources for lukemftpd are shipped with some versions of FreeBSD, however it is not built or installed by default. The build system option WANT_LUKEMFTPD must be set to build and install lukemftpd. [NOTE: An exception is FreeBSD 4.7-RELEASE, wherein lukemftpd was installed, but not enabled, by default.]

Przemyslaw Frasunek discovered several vulnerabilities in lukemftpd arising from races in the out-of-band signal handling code used to implement the ABOR command. As a result of these races, the internal state of the FTP server may be manipulated in unexpected ways.

A remote attacker may be able to cause FTP commands to be executed with the privileges of the running lukemftpd process. This may be a low-privilege `ftp' user if the `-r' command line option is specified, or it may be superuser privileges if `-r' is *not* specified.

Przemyslaw Frasunek discovered a vulnerability in tnftpd or lukemftpd respectively, the enhanced ftp daemon from NetBSD. An attacker could utilise this to execute arbitrary code on the server.

The remote host is affected by the vulnerability described in GLSA-200409-19 (Heimdal: ftpd root escalation)

    Przemyslaw Frasunek discovered several flaws in lukemftpd, which also apply     to Heimdal ftpd's out-of-band signal handling code.
    Additionally, a potential vulnerability that could lead to Denial of     Service by the Key Distribution Center (KDC) has been fixed in this     version.
  Impact :

    A remote attacker could be able to run arbitrary code with escalated     privileges, which can result in a total compromise of the server.
  Workaround :

    There is no known workaround at this time.

The remote host is missing Apple's Security Update 2004-09-07. This security update fixes the following components: CoreFoundation, IPSec, Kerberos, libpcap, lukemftpd, NetworkConfig, OpenLDAP, OpenSSH, PPPDialer, rsync, Safari and tcpdump

The remote host is missing Security Update 2004-09-07.  This security update fixes the following components :

  - CoreFoundation
  - IPSec
  - Kerberos
  - libpcap
  - lukemftpd
  - NetworkConfig
  - OpenLDAP
  - OpenSSH
  - PPPDialer
  - rsync
  - Safari
  - tcpdump

These applications contain multiple vulnerabilities that may allow a remote attacker to execute arbitrary code.

The remote host is running TNFTPD, a port of the NetBSD FTP daemon. It is reported that this version of TNFTPD is vulnerable to multiple vulnerabilities in the signal handling functions. An attacker may remotely gain superuser privileges on the remote host. TNFTPD was formerly named lukemftpd.

ID	Name	Product	Family	Severity
36240	FreeBSD : tnftpd -- remotely exploitable vulnerability (c4b025bb-f05d-11d8-9837-000c41e2cdad)	Nessus	FreeBSD Local Security Checks	medium
15388	Debian DSA-551-1 : lukemftpd - incorrect internal variable handling	Nessus	Debian Local Security Checks	medium
14745	GLSA-200409-19 : Heimdal: ftpd root escalation	Nessus	Gentoo Local Security Checks	medium
2274	Mac OS X Multiple Vulnerabilities (Security Update 2004-09-07)	Nessus Network Monitor	Web Clients	medium
14676	Mac OS X Multiple Vulnerabilities (Security Update 2004-09-07)	Nessus	MacOS X Local Security Checks	high
1854	TNFTPD Multiple Signal Handler Remote Superuser Privilege Escalation	Nessus Network Monitor	FTP Servers	high
800802	Mac OS X Multiple Vulnerabilities (Security Update 2004-09-07)	Log Correlation Engine	Operating System Detection	high

Detections

Analytics

CVE-2004-0794

high

Tenable Plugins

medium

medium

medium

medium

high

high

high