nai.00-ftp.glob
Posted Apr 10, 2001
Authored by Covert Labs | Site nai.com

NAI Security Advisory - Multiple FTP server implementations contain buffer overflows that allow local and remote attackers to gain root privileges on affected servers. These vulnerabilities are contingent upon the remote user having the ability to create directories on the server hosting the FTP daemon, with the exception of a few cases noted below. The vulnerabilities presented are all related to the use of the glob() function, and can be divided into the following two categories - glob() expansion vulnerabilities and glob() implementation vulnerabilities. Vulnerable FTP servers include OpenBSD, NetBSD, FreeBSD, Irix, HPUX 11, and Solaris 8.

tags | remote, overflow, local, root, vulnerability
systems | netbsd, solaris, freebsd, irix, openbsd, hpux
SHA-256 | 14a21100e205f31e8a5af8bf40f62968749848f4653fa977060110baa1c23a96

Globbing Vulnerabilities in Multiple FTP Daemons
Network Associates, Inc.
COVERT Labs Security Advisory
April 9, 2001
RISK FACTOR: HIGH
Vulnerable Systems
Detecting the Vulnerabilities
Vulnerability Overview
Detailed Information
Resolution
Credits
Contact Information
Synopsis
Multiple FTP server implementations contain buffer overflows that allow local and remote
attackers to gain root privileges on affected servers. These vulnerabilities are contingent
upon the remote user having the ability to create directories on the server hosting the FTP
daemon, with the exception of a few cases noted below. The vulnerabilities presented are all
related to the use of the glob() function, and can be divided into the following two
categories:
- glob() expansion vulnerabilities
User input that has been expanded by glob() can exceed expected lengths and trigger otherwise
benign buffer mismanagement problems present in certain FTP daemons.
- glob() implementation vulnerabilities
Certain implementations of the glob() function contain buffer overflows. These
vulnerabilities are exploitable through FTP daemons that utilize these problematic
implementations.
CVE Candidate numbers for these issues have been assigned and are listed in the Vulnerable
Systems section.
RISK FACTOR: HIGH


Vulnerable Systems
The following operating systems have been confirmed to contain vulnerable FTP daemons:
- FreeBSD 4.2 (CAN-2001-0247)
- OpenBSD 2.8
- NetBSD 1.5
- IRIX 6.5.x
- HPUX 11 (CAN-2001-0248)
- Solaris 8 (CAN-2001-0249)

Detecting the Vulnerabilities
CyberCop Scanner users can download a module that detects this vulnerability by using the
Autoupdate feature within the product.
Before CyberCop Scanner performs the update, it will output the MD5 hash of the update pack
file. The MD5 hash can be used to verify the authenticity of the update pack file.
The MD5 hash filename is md5hash.txt. It is located at:
ftp://ftp.nai.com/pub/security/ccscanner55/updates/winnt

Vulnerability Overview
glob() implements filename pattern matching, following rules similar to those used by Unix
shells. It is a pathname generator, which accepts an input pattern representing a set of
filenames and returns a list of accessible pathnames matching that pattern. The input pattern
is specified by using special metacharacters, taken from the following: *?[]{}~' . For
example, a pattern of '/e*' would match all directories and files in the root of the file
system that begin with the character 'e'.
The File Transfer Protocol (FTP), as defined in RFC959, describes numerous commands with
pathname arguments that specify files or directories. Though it is not required by the
specification, most FTP daemon implementations provide server-side globbing functionality
that performs pattern expansion on these pathnames. The actual glob() implementation is often
located in the FTP daemon itself, though some FTP servers use an underlying libc
implementation.
The ability of a remote or local user to deliver input patterns to glob() implementations
allows for two general types of security exposures.
- glob() expansion vulnerabilities
A number of vulnerabilities result from an FTP daemon assuming that the length of the user
input is limited to the number of characters that are read in from the socket. This is
typically 512 characters. This assumption is problematic because most FTP daemons contain a
parser rule for processing pathnames beginning with a tilde. The intended effect of this rule
is to replace the tilde directory component with the referenced home directory. However,
since this is performed by running the string through the glob() function, the FTP daemon
will also expand any other wildcard characters present. This allows for user input that can
exceed the number of characters read in from the socket, which can make otherwise benign
unbounded string operations exploitable.
- glob() implementation vulnerabilities
Certain glob() implementations contain buffer overflows in their internal utility functions.
These overflows are typically triggered by requesting a pattern that expands to a very large
pathname, or by submitting a pattern that the user intends to have the FTP daemon run through
glob() twice.
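The expansion problem described above, shown as an added example (this is not code from the advisory or from any of the affected daemons, and the daemon behaviour it models is an assumption): a pattern that fits comfortably in the 512-byte command read can expand, after glob(), into an argument list far larger than the buffer a daemon reserves for its /bin/ls command line. The hardened builder below performs every append with a bounded snprintf and refuses an expansion that does not fit, rather than letting an unbounded strcat run past the buffer. The test tree, the file names and the 512-byte limits are constructed for the demonstration.

```c
/* Added example, not advisory code: glob() expansion versus the daemon's
 * fixed-size command buffer, with a bounded command-line builder. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SOCK_READ_MAX 512   /* assumed: bytes the daemon reads per command line */
#define LS_CMD_MAX    512   /* assumed: size the daemon reserved for "/bin/ls ..." */

/* Constructed test tree: a temp dir holding `nfiles` files with long names.
 * Returns a malloc'd path (caller frees and removes it), or NULL on failure. */
static char *make_test_tree(int nfiles) {
    char tmpl[] = "/tmp/globdemoXXXXXX";
    if (mkdtemp(tmpl) == NULL) return NULL;
    for (int i = 0; i < nfiles; i++) {
        char path[256];
        snprintf(path, sizeof path, "%s/report_%02d_%s", tmpl, i,
                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");          /* 32 padding chars */
        int fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return NULL;
        close(fd);
    }
    return strdup(tmpl);
}

static void remove_tree(const char *dir) {
    glob_t g;
    char pat[256];
    snprintf(pat, sizeof pat, "%s/*", dir);
    if (glob(pat, 0, NULL, &g) == 0) {
        for (size_t i = 0; i < g.gl_pathc; i++) unlink(g.gl_pathv[i]);
        globfree(&g);
    }
    rmdir(dir);
}

/* Total bytes of the space-joined expansion of `pattern` (0 if nothing matches). */
size_t expanded_length(const char *pattern) {
    glob_t g;
    size_t total = 0;
    if (glob(pattern, 0, NULL, &g) != 0) return 0;
    for (size_t i = 0; i < g.gl_pathc; i++) total += strlen(g.gl_pathv[i]) + 1;
    globfree(&g);
    return total;
}

/* Hardened "build the /bin/ls command line": every append is bounded and an
 * expansion that does not fit is refused. Returns 0 on success, -1 if refused. */
int build_ls_command(const char *pattern, char *out, size_t outsz) {
    glob_t g;
    size_t used = (size_t)snprintf(out, outsz, "/bin/ls -lgA");
    if (used >= outsz) return -1;
    if (glob(pattern, 0, NULL, &g) != 0) {
        /* no match: pass the pattern literally, still bounded */
        int n = snprintf(out + used, outsz - used, " %s", pattern);
        return (n < 0 || (size_t)n >= outsz - used) ? -1 : 0;
    }
    int rc = 0;
    for (size_t i = 0; i < g.gl_pathc && rc == 0; i++) {
        int n = snprintf(out + used, outsz - used, " %s", g.gl_pathv[i]);
        if (n < 0 || (size_t)n >= outsz - used) rc = -1; else used += (size_t)n;
    }
    globfree(&g);
    if (rc != 0) out[0] = '\0';             /* never hand back a truncated command */
    return rc;
}

/* End-to-end scenario: 1 if a pattern shorter than the socket read limit
 * expands past LS_CMD_MAX and the hardened builder refuses it. */
int demo_expansion_refused(void) {
    char *dir = make_test_tree(40);
    if (dir == NULL) return 0;
    char pattern[256], cmd[LS_CMD_MAX];
    snprintf(pattern, sizeof pattern, "%s/*", dir);
    int short_input = strlen(pattern) < SOCK_READ_MAX;
    int oversized   = expanded_length(pattern) > LS_CMD_MAX;
    int refused     = build_ls_command(pattern, cmd, sizeof cmd) == -1;
    remove_tree(dir);
    free(dir);
    return short_input && oversized && refused;
}

/* 1 if an expansion that fits is accepted and the command line is well formed. */
int demo_small_expansion_ok(void) {
    char *dir = make_test_tree(2);
    if (dir == NULL) return 0;
    char pattern[256], cmd[LS_CMD_MAX];
    snprintf(pattern, sizeof pattern, "%s/report_00_*", dir);
    int ok = build_ls_command(pattern, cmd, sizeof cmd) == 0
             && strncmp(cmd, "/bin/ls -lgA ", 13) == 0;
    remove_tree(dir);
    free(dir);
    return ok;
}
```

The point of the check is the one the advisory makes: the length a daemon may safely assume is the length after expansion, not the length it read from the socket, so the bound has to be enforced at the point where the expanded names are consumed.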


Detailed Information
- glob() expansion vulnerabilities
As mentioned above, when an FTP daemon receives a request involving a file that has a tilde
as its first character, it typically runs the entire filename string through globbing code in
order to resolve the specified home directory into a full path. This has the side effect of
expanding other metacharacters in the pathname string, which can lead to very large input
strings being passed into the main command processing routines. This can lead to exploitable
buffer overflow conditions, depending upon how these routines manipulate their input.
In Solaris, an exploitable heap overflow of this nature is triggered by using the LIST
command. This vulnerability occurs when the FTP daemon attempts to construct a string using
unbounded string operations in order to execute the /bin/ls program.
HPUX contains a stack based overflow of this nature that can be triggered by the use of the
STAT command.
- glob() implementation vulnerabilities
There are two implementations of glob() that are known to contain buffer overflow
vulnerabilities.
Implementations based on the C shell globbing code contain a buffer overflow that can be
triggered by supplying a pattern string in which a set of braces {} is followed by a
string that is longer than the length reserved for the stack based buffer defined in
execbrc(). This could be exploited by utilizing a code path in the FTP daemon that feeds the
expanded output of one globbed pathname into a second call to glob().
BSD implementations of glob() contain four exploitable buffer overflows. The first buffer
overflow occurs in the static utility function g_opendir(), which copies the provided
pathname onto the stack. This is performed using the function g_Ctoc(), which converts a 16-bit
character string to an 8-bit character string but otherwise works like strcpy(). Similar
overflows occur in g_lstat() and g_stat(). A fourth overflow, one that affects the stack
based buffer reserved in glob0(), is the result of the behavior of the mutually recursive
functions glob2() and glob3().
Note that these vulnerabilities do not require the last component of the provided directory
to be a valid file, thus allowing exploitation even without the ability to create directories
and files. Testing has shown that it would be possible to exploit OpenBSD and NetBSD without
a writable directory being present if a directory name with a length of 12 characters is
available. FreeBSD can be exploited without a writable directory being present if a directory
name of length 9 is available.
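The g_Ctoc() weakness described above, shown as an added example that is not the BSD source or the advisory's code: the unbounded variant copies a 16-bit pattern string into a fixed stack buffer exactly like strcpy(), so a pathname longer than that buffer overruns it. The bounded variant below takes the destination size and reports truncation instead of writing past the end, which is the shape of fix a caller such as g_opendir(), g_lstat() or g_stat() can act on by failing the operation. The Char type, the META_MASK value and the deliberately small DEMO_MAXPATHLEN are assumptions made for the demonstration.

```c
/* Added example, not BSD glob code: bounded 16-bit to 8-bit pathname conversion. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t Char;          /* assumed: BSD glob keeps patterns as 16-bit chars */
#define META_MASK 0x00ff        /* assumed: low byte is the character, high byte is flags */
#define DEMO_MAXPATHLEN 32      /* deliberately small; real code uses MAXPATHLEN */

/* Bounded conversion: copies at most `len` bytes including the terminator.
 * Returns 0 on success, 1 if the source does not fit (nothing is written
 * beyond buf[len - 1] in either case). */
int g_Ctoc_bounded(const Char *str, char *buf, size_t len) {
    while (len--) {
        if ((*buf++ = (char)(*str++ & META_MASK)) == '\0') return 0;
    }
    return 1;
}

/* Constructed helper: widen a C string into a Char array. Returns 0 on success,
 * -1 if the wide buffer is too small. */
int make_wide(const char *s, Char *out, size_t outlen) {
    size_t n = strlen(s);
    if (n + 1 > outlen) return -1;
    for (size_t i = 0; i <= n; i++) out[i] = (Char)(unsigned char)s[i];
    return 0;
}

/* Models what a hardened g_opendir()/g_stat() wrapper must do before touching
 * the filesystem: 1 if `path` converts into a DEMO_MAXPATHLEN buffer, 0 if it
 * would overflow and the operation must be refused. */
int path_fits(const char *path) {
    Char wide[256];
    char narrow[DEMO_MAXPATHLEN];
    if (make_wide(path, wide, sizeof wide / sizeof wide[0]) != 0) return 0;
    return g_Ctoc_bounded(wide, narrow, sizeof narrow) == 0;
}
```

With DEMO_MAXPATHLEN set to 32, a 31-character path converts, a 32-character one is refused because the terminator no longer fits, and the refusal is what lets the caller return an error rather than continue with a corrupted stack frame.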

Resolution
Updated information on vendor patches will be made available on this page.
The CERT/CC is coordinating the collection of information on vulnerable distributions from
third party vendors. For more information, please read CERT Advisory CA-2001-07 available at:
http://www.cert.org/advisories/CA-2001-07.html
In lieu of a patch, these vulnerabilities may be addressed in a general fashion by ensuring
that no directories exist in the anonymous FTP tree that are writable by the anonymous FTP
user. Furthermore, BSD and IRIX users should take care to ensure that no directory in the
anonymous FTP tree has a name longer than 8 characters. It is important to note that these
precautions will not prevent local user privilege escalation through the FTP daemon.
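The interim precautions above can be checked mechanically. The following added example (not part of the advisory) walks an anonymous FTP tree and reports two things: directories that are writable by "other", taken here as an approximation of "writable by the anonymous FTP user" (an assumption; a real audit would also consider the FTP user's group memberships), and directory names longer than 8 characters. The sample tree it builds under /tmp is constructed for the demonstration.

```c
/* Added example, not advisory code: audit an anonymous FTP tree for
 * other-writable directories and over-long directory names. */
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_DIR_NAME 8   /* advisory limit for BSD/IRIX anonymous trees */

struct audit_result { int writable; int long_names; };

/* Recursive walk below `dir`. Counts directories writable by "other" (assumed
 * proxy for the anonymous user) and directory names longer than MAX_DIR_NAME.
 * Returns 0 on success, -1 if a directory cannot be opened. */
static int walk(const char *dir, struct audit_result *r) {
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        char path[4096];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        struct stat sb;
        if (lstat(path, &sb) != 0 || !S_ISDIR(sb.st_mode)) continue;   /* symlinks not followed */
        if (sb.st_mode & S_IWOTH) {
            r->writable++;
            printf("other-writable directory: %s\n", path);
        }
        if (strlen(e->d_name) > MAX_DIR_NAME) {
            r->long_names++;
            printf("directory name longer than %d chars: %s\n", MAX_DIR_NAME, path);
        }
        if (walk(path, r) != 0) { closedir(d); return -1; }
    }
    closedir(d);
    return 0;
}

/* Audit `root`; the root's own mode is checked, its name is not. */
int audit_ftp_tree(const char *root, struct audit_result *r) {
    r->writable = 0;
    r->long_names = 0;
    struct stat sb;
    if (stat(root, &sb) == 0 && (sb.st_mode & S_IWOTH)) r->writable++;
    return walk(root, r);
}

/* Constructed tree: pub/ (fine), incoming/ (8 chars but other-writable),
 * pub/mirrors99/ (9 chars). Returns 1 if the audit reports exactly one
 * writable directory and one over-long name. */
int demo_audit(void) {
    char root[] = "/tmp/ftpauditXXXXXX";
    if (mkdtemp(root) == NULL) return 0;
    char pub[64], incoming[64], longname[64];
    snprintf(pub, sizeof pub, "%s/pub", root);
    snprintf(incoming, sizeof incoming, "%s/incoming", root);
    snprintf(longname, sizeof longname, "%s/pub/mirrors99", root);
    mkdir(pub, 0755);
    mkdir(incoming, 0755);
    mkdir(longname, 0755);
    chmod(incoming, 0777);          /* explicit chmod so the umask cannot mask the test */
    struct audit_result r;
    int rc = audit_ftp_tree(root, &r);
    rmdir(longname); rmdir(incoming); rmdir(pub); rmdir(root);
    return rc == 0 && r.writable == 1 && r.long_names == 1;
}
```

Run audit_ftp_tree() against the daemon's anonymous root (for example the ftp user's home directory); any finding in either category means the interim mitigation is not in place, and, as the advisory notes, neither check says anything about local users who can already log in.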

Credits
Discovery and documentation of these vulnerabilities was conducted by John McDonald and
Anthony Osborne of the COVERT Labs at PGP Security.
