A variety of ftp servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server. The incorrect management of buffers centers around the return from the glob() function, and may be confused with a related denial-of-service problem. These problems were discovered by the COVERT Labs at PGP Security.
Filename "globbing" is the process of expanding certain short hand notation into complete file names. For example, the expression "*.c" (without the quotes) is short hand notation for "all files ending in ".c" (again, without the quotes). This is commonly used in UNIX shells, in commands such as ls *.c. Globbing also often includes the expansion of certain characters into system-specific paths, such as the expansion of tilde character (~) into the path of the home directory of the user specified to the right of the tilde character. For example, "~svh" expands to the home directory for the user "svh" on the current system. The expressions used in file name globbing are not strictly regular expressions, but they are syntactically similar in many ways.
FTP servers also commonly implement globbing, so that the command mget *.c means retrieve all the files ending in ".c," and get ~svh/file.name means get the file named file.name in the home directory of svh.
Intruders can execute arbitrary code with the permissions of the process running the FTP server.
Apply a patch from your vendor.
Compaq Computer Corporation
WU-FTPD Development Group
The CERT/CC portions of this document were written by Shawn V. Hernan.