Vulnerability Note VU#808552
Multiple ftpd implementations contain buffer overflows
A variety of ftp servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server. The incorrect management of buffers centers around the return from the glob() function, and may be confused with a related denial-of-service problem. These problems were discovered by the COVERT Labs at PGP Security.
Filename "globbing" is the process of expanding certain short hand notation into complete file names. For example, the expression "*.c" (without the quotes) is short hand notation for "all files ending in ".c" (again, without the quotes). This is commonly used in UNIX shells, in commands such as ls *.c. Globbing also often includes the expansion of certain characters into system-specific paths, such as the expansion of tilde character (~) into the path of the home directory of the user specified to the right of the tilde character. For example, "~svh" expands to the home directory for the user "svh" on the current system. The expressions used in file name globbing are not strictly regular expressions, but they are syntactically similar in many ways.
FTP servers also commonly implement globbing, so that the command mget *.c means retrieve all the files ending in ".c," and get ~svh/file.name means get the file named file.name in the home directory of svh.
Intruders can execute arbitrary code with the permissions of the process running the FTP server.
Apply a patch from your vendor.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|FreeBSD||Affected||28 Mar 2001||09 Apr 2001|
|Fujitsu||Affected||28 Mar 2001||09 Apr 2001|
|Hewlett Packard||Affected||28 Mar 2001||09 May 2001|
|NetBSD||Affected||-||09 Apr 2001|
|Sun||Affected||28 Mar 2001||29 Jul 2001|
|IBM||Not Affected||28 Mar 2001||09 Apr 2001|
|publicfile||Not Affected||10 Apr 2001||11 Apr 2001|
|Apple||Unknown||-||16 May 2001|
|Apple||Unknown||28 Mar 2001||09 Apr 2001|
|BSDI||Unknown||28 Mar 2001||09 Apr 2001|
|Caldera||Unknown||28 Mar 2001||09 Apr 2001|
|Compaq Computer Corporation||Unknown||-||09 Apr 2001|
|Data General||Unknown||28 Mar 2001||09 Apr 2001|
|Debian||Unknown||28 Mar 2001||09 Apr 2001|
|OpenBSD||Unknown||28 Mar 2001||09 Apr 2001|
CVSS Metrics (Learn More)
The CERT/CC portions of this document were written by Shawn V. Hernan.
- CVE IDs: Unknown
- CERT Advisory: CA-2001-07
- Date Public: 10 Apr 2001
- Date First Published: 10 Apr 2001
- Date Last Updated: 25 Jun 2001
- Severity Metric: 42.24
- Document Revision: 26
If you have feedback, comments, or additional information about this vulnerability, please send us email.