search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Multiple ftpd implementations contain buffer overflows

Vulnerability Note VU#808552

Original Release Date: 2001-04-10 | Last Revised: 2001-06-26

Overview

A variety of ftp servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server. The incorrect management of buffers centers around the return from the glob() function, and may be confused with a related denial-of-service problem. These problems were discovered by the COVERT Labs at PGP Security.

Description

Filename "globbing" is the process of expanding certain short hand notation into complete file names. For example, the expression "*.c" (without the quotes) is short hand notation for "all files ending in ".c" (again, without the quotes). This is commonly used in UNIX shells, in commands such as ls *.c. Globbing also often includes the expansion of certain characters into system-specific paths, such as the expansion of tilde character (~) into the path of the home directory of the user specified to the right of the tilde character. For example, "~svh" expands to the home directory for the user "svh" on the current system. The expressions used in file name globbing are not strictly regular expressions, but they are syntactically similar in many ways.

FTP servers also commonly implement globbing, so that the command mget *.c means retrieve all the files ending in ".c," and get ~svh/file.name means get the file named file.name in the home directory of svh.

The COVERT Labs at PGP Security have discovered a means to use the expansion done by the glob function to overflow various buffers in FTP servers, allowing an intruder to execute arbitrary code. For more details about their discovery, see

http://www.pgp.com/research/covert/advisories/048.asp

Quoting from that document:

[...] when an FTP daemon receives a request involving a file that has a tilde as its first character, it typically runs the entire filename string through globbing code in order to resolve the specified home directory into a full path. This has the side effect of expanding other metacharacters in the pathname string, which can lead to very large input strings being passed into the main command processing routines. This can lead to exploitable buffer overflow conditions, depending upon how these routines manipulate their input.

Impact

Intruders can execute arbitrary code with the permissions of the process running the FTP server.

Solution

Apply a patch from your vendor.

Vendor Information

808552
Expand all

FreeBSD

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Vulnerable

Vendor Statement

FreeBSD is vulnerable to the glob-related bugs. We have corrected these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they will not be present in FreeBSD 4.3-RELEASE.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Vulnerable

Vendor Statement

[...] we have determined that the versions of UXP/V shown below are vulnerable.  Patches are being prepared and will be assigned the patch numbers also shown below:

   OS Version,PTF level    patch ID
  --------------------    --------
   UXP/V V20L10 X01021    UX28161
   UXP/V V20L10 X00091    UX28160
   UXP/V V10L20 X01041    UX15527

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Notified:  March 28, 2001 Updated:  May 09, 2001

Status

  Vulnerable

Vendor Statement

As originally stated in the NAI Covert labs Advisory, HP is vulnerable. We will be releasing four patches, one each for Pre 10.20, 10.20 , 11.00 and 11.11.

Watch for the associated HP security Bulletin announcing the patches when coding and testing is successfully completed.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Updated:  April 09, 2001

Status

  Vulnerable

Vendor Statement

Please be aware that as of March 29, 2001, NetBSD has a fix for both the glob resource consumption (via an application controlled GLOB_LIMIT flag) and the buffer overflow (always enforced). These fixes should work on any 4.4BSD derived glob(3).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun

Notified:  March 28, 2001 Updated:  July 29, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

NAI has reported that Sun is vulnerable. See http://www.pgp.com/research/covert/advisories/048.asp#Vulnerable%20Systems

Additionally, it appears that Sun has provided a patch for this problem, available at http://sunsolve.Sun.COM/pub-cgi/findPatch.pl?patchId=110646&rev=02.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Not Vulnerable

Vendor Statement

[...] we have not found the described vulnerabilities to exist in the AIX versions of glob as used in the ftp daemon.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

publicfile

Notified:  April 10, 2001 Updated:  April 11, 2001

Status

  Not Vulnerable

Vendor Statement

publicfile has none of these bugs, deliberately avoids globbing, and has never used any ftpd-derived code. See http://cr.yp.to/publicfile.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Updated:  May 16, 2001

Status

  Unknown

Vendor Statement

Mac OS X 10.0.2 and later include a fix for File Globbing vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Caldera

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

COMPAQ COMPUTER CORPORATION
-----------------------------
x-ref:   Compaq case id - SSRT1-83

At the time of writing this document, Compaq is currently
investigating the potential impact to Compaq's ftp service.

Initial tests indicate Compaq's ftp service is not vulnerable.

As further information becomes available Compaq will
provide notice of the completion/availibility of any necessary
patches through AES services (DIA,DSNlink FLASH and posted
to the Services WEB page) and be available from your normal
Compaq Services Support channel.

COMPAQ COMPUTER CORPORATION

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

NAI reports that OpenBSD is vulnerable. See http://www.pgp.com/research/covert/advisories/048.asp#Vulnerable%20Systems

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RedHat

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

SGI
---

SGI acknowledges the vulnerability reported by NAI COVERT Labs and is currently
investigating. No further information is available at this time.

As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods
including the wiretap mailing list and
http://www.sgi.com/support/security/

For the protection of all our customers, SGI does not disclose, discuss
or confirm vulnerabilities until a full investigation has occurred and
any necessary patch(es) or release streams are available for all vulnerable
and supported IRIX operating systems.

Until SGI has more definitive information to provide, customers
are encouraged to assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and requirements.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WU-FTPD Development Group

Notified:  March 28, 2001 Updated:  April 09, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

At the present time, the CERT/CC does not believe wu-ftpd is affected by this problem.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT/CC portions of this document were written by Shawn V. Hernan.

Other Information

CVE IDs: None
CERT Advisory: CA-2001-07
Severity Metric: 42.24
Date Public: 2001-04-10
Date First Published: 2001-04-10
Date Last Updated: 2001-06-26 03:11 UTC
Document Revision: 26

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.