CVE-2003-0466

CRITICAL

wu-ftpd 2.5.0-2.6.2 - Remote Code Execution via fb_realpath Off-by-one Error

Exploitation Summary

EIP tracks 5 public exploits for CVE-2003-0466. PoCs published by Xpl017Elz, [email protected].

AI-analyzed exploit summary: This exploit targets an off-by-one vulnerability in wu-ftpd versions 2.6.0, 2.6.1, and 2.6.2, allowing remote code execution via a crafted directory name. It includes shellcode for Linux, FreeBSD, and OpenBSD to spawn a shell.

Description

Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Xpl017Elz · c · remote · linux
https://www.exploit-db.com/exploits/78

This exploit targets an off-by-one vulnerability in wu-ftpd versions 2.6.0, 2.6.1, and 2.6.2, allowing remote code execution via a crafted directory name. It includes shellcode for Linux, FreeBSD, and OpenBSD to spawn a shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: wu-ftpd 2.6.0, 2.6.1, 2.6.2
Auth required
Prerequisites: Valid FTP credentials · Target running vulnerable wu-ftpd version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Xpl017Elz · c · remote · unix
https://www.exploit-db.com/exploits/22975

This exploit targets an off-by-one stack buffer overflow in the `realpath()` function in WU-FTPD versions 2.6.0-2.6.2, allowing remote code execution. It includes shellcode for Linux, FreeBSD, and OpenBSD, with brute-force and banner scanning capabilities.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WU-FTPD 2.6.0, 2.6.1, 2.6.2
Auth required
Prerequisites: Network access to WU-FTPD service · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Xpl017Elz · c · remote · linux
https://www.exploit-db.com/exploits/74

This exploit targets an off-by-one vulnerability in wu-ftpd v2.6.2, allowing remote code execution via a crafted directory name. It includes shellcode for privilege escalation and a brute-force mode for targeting different Linux distributions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: wu-ftpd v2.6.2
Auth required
Prerequisites: Valid FTP credentials · Target running vulnerable wu-ftpd version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Xpl017Elz · c · remote · unix
https://www.exploit-db.com/exploits/22974

This exploit targets an off-by-one stack buffer overflow in the `realpath()` function in WU-FTPD versions 2.6.0, 2.6.1, and 2.6.2, allowing remote code execution via a crafted directory name. It includes shellcode for privilege escalation and a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WU-FTPD 2.6.0, 2.6.1, 2.6.2
Auth required
Prerequisites: Valid FTP credentials · Network access to the target FTP server
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by [email protected] · perl · remote · freebsd
https://www.exploit-db.com/exploits/22976

This exploit targets a stack-based buffer overflow in the 'realpath()' function in FreeBSD's libc, specifically affecting WU-FTPD. It uses a brute-force approach to guess the correct return address and offset to execute arbitrary shellcode, binding a shell on port 41254.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: FreeBSD 4.8 (WU-FTPD with vulnerable libc)
Auth required
Prerequisites: Valid FTP credentials · Network access to target FTP server · Vulnerable version of FreeBSD libc
devstral-2 · analyzed Feb 16, 2026

References (27)

Core References
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=106002488209129&w=2
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/9446
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/6602
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/424852/100/0/threaded
Broken Link, Exploit, Patch, Third Party Advisory, VDB Entry, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/8315
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/9423
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=105967301604815&w=2
Broken Link, Exploit, Vendor Advisory mailing-list x_refsource_vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0065.html
Broken Link vendor-advisory x_refsource_immunix
http://download.immunix.org/ImmunixOS/7+/Updates/errata/IMNX-2003-7+-019-01
Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2003-246.html
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/425061/100/0/threaded
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/743092
Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2003-245.html
Broken Link vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2003_032_wuftpd.html
Broken Link vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001257.1-1
Broken Link vendor-advisory x_refsource_debian
http://www.debian.org/security/2003/dsa-357
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=106001702232325&w=2
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1007380
Third Party Advisory vendor-advisory x_refsource_mandrake
http://www.mandriva.com/security/advisories?name=MDKSA-2003:080
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/12785
Mailing List vendor-advisory x_refsource_freebsd
http://marc.info/?l=bugtraq&m=106001410028809&w=2
Broken Link vendor-advisory x_refsource_turbo
http://www.turbolinux.com/security/TLSA-2003-46.txt
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/9535
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/9447

Scores

CVSS v3 9.8
EPSS 0.9083
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-193
Status: published
Products (8)
apple/mac_os_x 10.2.6
apple/mac_os_x_server 10.2.6
freebsd/freebsd 4.0 - 5.0
netbsd/netbsd 1.5 - 1.6.1
openbsd/openbsd 2.0 - 3.3
redhat/wu_ftpd 2.6.1-16
sun/solaris 9.0
wuftpd/wu-ftpd 2.5.0 - 2.6.2
Published Aug 27, 2003
Tracked Since Feb 18, 2026