US-CERT Vulnerability Notes Database

Vulnerability Note VU#808552

Multiple ftpd implementations contain buffer overflows

Overview

A variety of FTP servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server. The incorrect management of buffers centers on the return value of the glob() function, and may be confused with a related denial-of-service problem. These problems were discovered by the COVERT Labs at PGP Security.

I. Description

Filename "globbing" is the process of expanding certain shorthand notation into complete file names. For example, the expression "*.c" (without the quotes) is shorthand for "all files ending in .c" (again, without the quotes). This is commonly used in UNIX shells, in commands such as ls *.c. Globbing also often includes the expansion of certain characters into system-specific paths, such as the expansion of the tilde character (~) into the path of the home directory of the user named to the right of the tilde. For example, "~svh" expands to the home directory of the user "svh" on the current system. The expressions used in file name globbing are not strictly regular expressions, but they are syntactically similar in many ways.

FTP servers also commonly implement globbing, so that the command mget *.c means "retrieve all the files ending in .c", and get ~svh/file.name means "get the file named file.name in the home directory of svh".

The COVERT Labs at PGP Security have discovered a means to use the expansion done by the glob function to overflow various buffers in FTP servers, allowing an intruder to execute arbitrary code. For more details about their discovery, see

http://www.pgp.com/research/covert/advisories/048.asp

Quoting from that document:

    [...] when an FTP daemon receives a request involving a file that has a tilde as its first character, it typically runs the entire filename string through globbing code in order to resolve the specified home directory into a full path. This has the side effect of expanding other metacharacters in the pathname string, which can lead to very large input strings being passed into the main command processing routines. This can lead to exploitable buffer overflow conditions, depending upon how these routines manipulate their input.
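
The amplification the advisory describes is easy to see in code: the client sends a few bytes, but the size of what glob() returns is determined by the contents of the directory, so any fixed-size buffer that receives the expansion without a length check can be overrun. The following C program is an added illustration written for this note; it is not code from CERT/CC, PGP Security or any affected ftpd. It assumes a server that joins the expanded matches into one command buffer (a hypothetical structure, standing in for the "main command processing routines" the advisory mentions), uses a constructed list of paths in place of a real gl_pathv array, and shows the measure-then-copy check that makes the join refuse an expansion that would not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: what glob() might hand back in gl_pathv after a
 * client asks for "~svh/*". The request is 6 bytes; the expansion is one
 * full path per matching file, so its size is set by the directory
 * contents, not by the length of what the client typed. */
#define REQUEST_PATTERN "~svh/*"
static const char *const SAMPLE_MATCHES[] = {
    "/home/svh/quarterly_report_2001_q1.c",
    "/home/svh/quarterly_report_2001_q2.c",
    "/home/svh/notes_from_the_april_meeting.c",
};
#define SAMPLE_COUNT (sizeof SAMPLE_MATCHES / sizeof SAMPLE_MATCHES[0])

/* Bytes needed to hold all matches joined by single spaces, including the
 * terminating NUL. This is the number a vulnerable server never compared
 * against its fixed-size buffer before copying. */
size_t joined_length(const char *const *matches, size_t n)
{
    size_t need = 1;                 /* terminating NUL */
    for (size_t i = 0; i < n; i++) {
        need += strlen(matches[i]);
        if (i + 1 < n)
            need += 1;               /* separating space */
    }
    return need;
}

/* Hardened join: measures first, rejects an expansion that would not fit,
 * and never writes past outlen. Returns 0 on success, -1 when the request
 * is rejected (out is then left as an empty string). */
int join_matches(const char *const *matches, size_t n,
                 char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (joined_length(matches, n) > outlen)
        return -1;                   /* would overflow: refuse the request */

    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(matches[i]);
        memcpy(out + pos, matches[i], len);
        pos += len;
        if (i + 1 < n)
            out[pos++] = ' ';
    }
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    char big[256];   /* large enough for the sample expansion */
    char small[32];  /* too small: the join must refuse, not overrun */

    printf("request is %zu bytes, expansion needs %zu bytes\n",
           strlen(REQUEST_PATTERN),
           joined_length(SAMPLE_MATCHES, SAMPLE_COUNT));

    if (join_matches(SAMPLE_MATCHES, SAMPLE_COUNT, big, sizeof big) == 0)
        printf("fits in %zu-byte buffer: %s\n", sizeof big, big);

    if (join_matches(SAMPLE_MATCHES, SAMPLE_COUNT, small, sizeof small) != 0)
        printf("rejected: expansion does not fit in %zu bytes\n",
               sizeof small);
    return 0;
}
```

In a real server the arguments to join_matches would be gl.gl_pathv and gl.gl_pathc from the glob_t filled in by glob(); the point of the check is that the decision to copy is made from the measured size of the expansion, not from the size of the client's request.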

II. Impact

Intruders can execute arbitrary code with the permissions of the process running the FTP server.

III. Solution

Apply a patch from your vendor.

Systems Affected

Vendor                          Status           Date Updated
Apple                           Unknown          16-May-2001
Apple                           Unknown          9-Apr-2001
BSDI                            Unknown          9-Apr-2001
Caldera                         Unknown          9-Apr-2001
Compaq Computer Corporation     Unknown          9-Apr-2001
Data General                    Unknown          9-Apr-2001
Debian                          Unknown          9-Apr-2001
FreeBSD                         Vulnerable       9-Apr-2001
Fujitsu                         Vulnerable       9-Apr-2001
Hewlett Packard                 Vulnerable       9-May-2001
IBM                             Not Vulnerable   9-Apr-2001
NetBSD                          Vulnerable       9-Apr-2001
OpenBSD                         Unknown          9-Apr-2001
publicfile                      Not Vulnerable   11-Apr-2001
RedHat                          Unknown          9-Apr-2001
SCO                             Unknown          9-Apr-2001
Sequent                         Unknown          9-Apr-2001
SGI                             Unknown          9-Apr-2001
Sun                             Vulnerable       29-Jul-2001
Unisys                          Unknown          9-Apr-2001
WU-FTPD Development Group       Unknown          9-Apr-2001

References

http://www.pgp.com/research/covert/advisories/048.asp
http://www.securityfocus.com/bid/2552
http://www.securityfocus.com/bid/2550
http://www.securityfocus.com/bid/2548

Credit

The CERT/CC portions of this document were written by Shawn V. Hernan.

Other Information

Date Public: 04/10/2001
Date First Published: 04/10/2001 12:21:18 AM
Date Last Updated: 06/25/2001
CERT Advisory: CA-2001-07
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric: 42.24
Document Revision: 26

Copyright 2001 Carnegie Mellon University