Vulnerability Note VU#808552

Multiple ftpd implementations contain buffer overflows

Original Release date: 10 Apr 2001 | Last revised: 25 Jun 2001

Overview

A variety of ftp servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server. The incorrect management of buffers centers around the return from the glob() function, and may be confused with a related denial-of-service problem. These problems were discovered by the COVERT Labs at PGP Security.

Description

Filename "globbing" is the process of expanding certain short hand notation into complete file names. For example, the expression "*.c" (without the quotes) is short hand notation for "all files ending in ".c" (again, without the quotes). This is commonly used in UNIX shells, in commands such as ls *.c. Globbing also often includes the expansion of certain characters into system-specific paths, such as the expansion of tilde character (~) into the path of the home directory of the user specified to the right of the tilde character. For example, "~svh" expands to the home directory for the user "svh" on the current system. The expressions used in file name globbing are not strictly regular expressions, but they are syntactically similar in many ways.

FTP servers also commonly implement globbing, so that the command mget *.c means retrieve all the files ending in ".c," and get ~svh/file.name means get the file named file.name in the home directory of svh.

The COVERT Labs at PGP Security have discovered a means to use the expansion done by the glob function to overflow various buffers in FTP servers, allowing an intruder to execute arbitrary code. For more details about their discovery, see

http://www.pgp.com/research/covert/advisories/048.asp

Quoting from that document:

    [...] when an FTP daemon receives a request involving a file that has a tilde as its first character, it typically runs the entire filename string through globbing code in order to resolve the specified home directory into a full path. This has the side effect of expanding other metacharacters in the pathname string, which can lead to very large input strings being passed into the main command processing routines. This can lead to exploitable buffer overflow conditions, depending upon how these routines manipulate their input.

Impact

Intruders can execute arbitrary code with the permissions of the process running the FTP server.

Solution

Apply a patch from your vendor.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
FreeBSDAffected28 Mar 200109 Apr 2001
FujitsuAffected28 Mar 200109 Apr 2001
Hewlett PackardAffected28 Mar 200109 May 2001
NetBSDAffected-09 Apr 2001
SunAffected28 Mar 200129 Jul 2001
IBMNot Affected28 Mar 200109 Apr 2001
publicfileNot Affected10 Apr 200111 Apr 2001
AppleUnknown-16 May 2001
AppleUnknown28 Mar 200109 Apr 2001
BSDIUnknown28 Mar 200109 Apr 2001
CalderaUnknown28 Mar 200109 Apr 2001
Compaq Computer CorporationUnknown-09 Apr 2001
Data GeneralUnknown28 Mar 200109 Apr 2001
DebianUnknown28 Mar 200109 Apr 2001
OpenBSDUnknown28 Mar 200109 Apr 2001
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC portions of this document were written by Shawn V. Hernan.

Other Information

  • CVE IDs: Unknown
  • CERT Advisory: CA-2001-07
  • Date Public: 10 Apr 2001
  • Date First Published: 10 Apr 2001
  • Date Last Updated: 25 Jun 2001
  • Severity Metric: 42.24
  • Document Revision: 26

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.