Original release date: April 10, 2001<BR>
Last revised: May 09, 2001<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<H4>Systems Affected</H4> 
<A NAME="affected">
FTP servers on various platforms

<A NAME="overview">
<H2>Overview</H2>

<P>A variety of FTP servers incorrectly manage buffers in a way that
can lead to remote intruders executing arbitrary code on the FTP
server. The incorrect management of buffers is centered around the
return from the glob() function, and may be confused with a related
denial-of-service problem. These problems were discovered by the
COVERT Labs at PGP Security.

<A NAME="description">
<H2>I. Description</H2>

<P>Filename "globbing" is the process of expanding shorthand notation
into complete file names. For example, the expression "*.c" (without
the quotes) is shorthand notation for "all files ending in .c"
(again, without the quotes). This is commonly used in UNIX shells, in
commands such as ls *.c. Globbing also often includes the expansion of
certain characters into system-specific paths, such as the expansion
of the tilde character (~) into the path of the home directory of the
user specified to the right of the tilde character. For example, "~foo"
expands to the home directory for the user "foo" on the current
system. The expressions used in filename globbing are not strictly
regular expressions, but they are syntactically similar in many
ways. </P>

<P>Many FTP servers also implement globbing, so that the command
mget *.c means retrieve all the files ending in ".c," and get
~foo/file.name means get the file named "file.name" in the home
directory of foo. 

<p>The COVERT Labs at PGP Security have discovered a means to use the
expansion done by the glob function to overflow various buffers in FTP
servers, allowing an intruder to execute arbitrary code. For more
details about their discovery, see

<DL><DD>
<A HREF="http://www.pgp.com/research/covert/advisories/048.asp">http://www.pgp.com/research/covert/advisories/048.asp</a>
</DD>
</DL>

<p>Quoting from that document: 

<dl>
<dd>
<p><i>[...] when an FTP daemon receives a request involving a file that has
a tilde as its first character, it typically runs the entire filename
string through globbing code in order to resolve the specified home
directory into a full path. This has the side effect of expanding
other metacharacters in the pathname string, which can lead to very
large input strings being passed into the main command processing
routines. This can lead to exploitable buffer overflow conditions,
depending upon how these routines manipulate their input.</i>
</dd>
</dl>
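<p>The length mismatch described in that quotation, as an added example (not code from this advisory, the COVERT Labs report, or any vendor's FTP server): a short pattern is expanded by glob(3) into a much longer path, and the expanded length is checked against the destination buffer before it is copied. The names expand_checked and demo, the /tmp/globdemo.&lt;pid&gt; directory and the 200-character file name are constructed for illustration; GLOB_TILDE is a glibc/BSD extension.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Expand pattern with glob(3) and copy the first match into out.
 * Returns the expanded length, -1 if nothing matched, or -2 if the
 * expanded name plus its NUL does not fit in outlen bytes. */
long expand_checked(const char *pattern, char *out, size_t outlen)
{
    glob_t g;
    long rc = -1;
    memset(&g, 0, sizeof g);
    /* GLOB_TILDE (glibc/BSD extension) also resolves a leading "~user" */
    if (glob(pattern, GLOB_TILDE, NULL, &g) == 0 && g.gl_pathc > 0) {
        size_t n = strlen(g.gl_pathv[0]);   /* length AFTER expansion */
        if (n < outlen) {
            memcpy(out, g.gl_pathv[0], n + 1);
            rc = (long)n;
        } else {
            rc = -2;                        /* reject, do not overflow */
        }
    }
    globfree(&g);
    return rc;
}

/* Constructed scenario: short pattern, one long file name, buflen <= 512. */
long demo(size_t buflen)
{
    char dir[64], file[320], pattern[80], out[512];
    snprintf(dir, sizeof dir, "/tmp/globdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(file, sizeof file, "%s/%0200d", dir, 0);   /* 200-char name */
    FILE *f = fopen(file, "w");
    if (f) fclose(f);
    snprintf(pattern, sizeof pattern, "%s/*", dir);     /* ~22 bytes in */
    long rc = expand_checked(pattern, out, buflen);     /* >200 bytes out */
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("64-byte buffer: %ld, 512-byte buffer: %ld\n", demo(64), demo(512));
    return 0;
}
```

<p>A bound applied only to the client-supplied string would accept the pattern in both cases; the check has to be made on what glob() returns.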

<p>For the latest information regarding this vulnerability, including
information related to vendors' exposure to this problem, consult the
vulnerability note describing this problem, available at 

<DL><DD>
<A HREF="http://www.kb.cert.org/vuls/id/808552">http://www.kb.cert.org/vuls/id/808552</A>
</DD>
</DL>


<A NAME="impact">
<H2>II. Impact</H2>

<p>Intruders can execute arbitrary code with the permissions of the
process running the FTP server.

<A NAME="solution">
<H2>III. Solution</H2>
Apply a patch or workaround from your vendor, as described in <A HREF="#vendors">Appendix
A</a>. 


<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this
advisory.  When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history.  If
a particular vendor is not listed below, we have not received their
comments.</P>


<A NAME="apple">
<H4>Apple</H4>

<p>Mac OS X 10.0.2 and later include a fix for the File Globbing vulnerability.

<A NAME="compaq">
<H4>Compaq Computer Corporation</H4>

<p>COMPAQ COMPUTER CORPORATION<br>
<p>-----------------------------<br>
x-ref: J Compaq case id - SSRT1-83<br>

<p>At the time of writing this document, Compaq is currently
investigating the potential impact to Compaq's ftp service.

<p>Initial tests indicate Compaq's ftp service is not vulnerable.

<p>As further information becomes available Compaq will
provide notice of the completion/availability of any necessary
patches through AES services (DIA, DSNlink FLASH and posted
to the Services WEB page) and be available from your normal
Compaq Services Support channel.<br>

<p>COMPAQ COMPUTER CORPORATION

<A NAME="freebsd">
<H4>FreeBSD, Inc.</H4>

<p>FreeBSD is vulnerable to the glob-related bugs. We have corrected
these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they
will not be present in FreeBSD 4.3-RELEASE.

<!-- end vendor -->


<A NAME="fujitsu">
<H4>Fujitsu</H4>
<p>[...] we have determined that the versions of UXP/V shown below are
vulnerable. JPatches are being prepared and will be assigned the patch
numbers also shown below:

<pre>
OS Version, PTF level  Patch ID
---------------------  --------
UXP/V V20L10 X01021    UX28161
UXP/V V20L10 X00091    UX28160
UXP/V V10L20 X01041    UX15527
</pre>

<!-- end vendor -->


<A NAME="hp">
<H4>Hewlett-Packard Company</H4>

<P>

As originally stated in the NAI Covert labs Advisory,
HP is vulnerable. We will be releasing four patches,
one each for Pre 10.20, 10.20, 11.00 and 11.11.
Watch for the associated HP security Bulletin announcing
the patches when coding and testing is successfully
completed.

</P>

<!-- end vendor -->


<A NAME="ibm">
<H4>IBM Corporation</H4>
<p>[...] we have not found the described vulnerabilities to exist in the
AIX versions of glob as used in the ftp daemon.
<!-- end vendor -->


<A NAME="netbsd">
<H4>NetBSD</H4>

<p>Please be aware that as of March 29, 2001, NetBSD has a fix for
both the glob resource consumption (via an application controlled
GLOB_LIMIT flag) and the buffer overflow (always enforced). These
fixes should work on any 4.4BSD derived glob(3).

<!-- end vendor -->

<A NAME="publicfile">
<H4>publicfile</H4>

<p>publicfile has none of these bugs, deliberately avoids globbing,
and has never used any ftpd-derived code. See
<A
HREF="http://cr.yp.to/publicfile.html">http://cr.yp.to/publicfile.html</a>. 


<!-- end vendor -->


<A NAME="sgi">
<H4>SGI</H4>

<p>SGI acknowledges the vulnerability reported by NAI COVERT Labs and is
currently investigating. No further information is available at this
time.

<p>As further information becomes available, additional advisories will
be issued via the normal SGI security information distribution methods
including the wiretap mailing list and
http://www.sgi.com/support/security/

<p>For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are available
for all vulnerable and supported IRIX operating systems.

<p>Until SGI has more definitive information to provide, customers are
encouraged to assume all security vulnerabilities as exploitable and
take appropriate steps according to local site security policies and
requirements.


<!-- end vendor -->


<HR NOSHADE>

<P>The CERT Coordination Center would like to thank the COVERT Labs at
PGP Security for notifying us about this problem and for their help in
constructing this advisory.</P>


<HR NOSHADE>

<P>Author: <A
HREF="mailto:cert@cert.org?subject=CA-2001-07%20Feedback%20VU%23808552">Shawn
V. Hernan</A>



<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
April 10, 2001:  Initial release
April 10, 2001: Added a statement from publicfile
May 09, 2001: Added a statement from HP
May 16, 2001: Added a statement from Apple
</PRE>