Severity: Medium
This attack could pose a moderate security threat. It does not require immediate action.
Description
This signature detects buffer overflow attempts that exploit an FTP Glob vulnerability.
Additional Information
The BSD FTP daemon and its derivatives (such as the IRIX ftpd or the ftp daemon shipped with Kerberos 5) contain a number of buffer overflow vulnerabilities that may allow malicious users to gain root access.
During the parsing of user input, the FTP daemon assumes that there can never be more than 512 bytes of user-supplied data, as that is usually the amount of data read from a socket.
Because of this assumption, certain memory copy operations involving user data lack bounds checking.
When processing user input, the FTP daemon uses "glob()" functions to expand the wildcards and meta-characters in the file paths, as shells do. The tilde ('~') character is one example.
The glob() function replaces this character in the file path with the path to the user's home directory. The FTP daemon then uses the output, an expanded path, to execute any operation that the user wishes.
Because meta-characters can expand the length of a path string, the data can grow beyond 512 bytes once glob() has processed it. When this happens, the buffer overflow conditions that appeared unexploitable, in which the expanded string is used in unsafe copy operations, become exploitable.
If an attacker can submit, as a filename or path to a vulnerable FTP server, input that contains the right meta-characters together with exploit code, it may be possible to exploit one of these bugs in a typical buffer overflow manner. Such a filename would be supplied as the argument to a regular FTP command, such as "LIST".
In order to perform the manipulation of input required to exploit this vulnerability on most systems, an attacker would need to be able to create directories with names long enough to produce a sufficiently long post-glob() string. This is certainly possible for users with legitimate local access.
By default, anonymous users usually do not have access to writable directories (though administrators sometimes set up a writable "incoming" directory). This makes exploitation by anonymous FTP users less likely. However, if directories with long enough names already exist in the anonymous FTP tree, the vulnerability can be exploited without creating directories. In such configurations, remote exploitation by anonymous FTP users may be possible.
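The following added example (not ftpd's own code) models the length mismatch described above: an argument that fits the 512-byte input buffer grows past it once a leading "~" is replaced by a home directory path, and the copy must be bounded against the expanded length rather than the raw input. The tilde expansion and home directory are constructed stand-ins for glob()'s behaviour.

```c
#include <stdio.h>
#include <string.h>

#define BUF_MAX 512   /* the maximum ftpd assumed user-supplied data could reach */

/* Stand-in for glob()'s tilde handling: a leading "~" becomes `home`.
 * Returns the length the expanded path would have, without copying it. */
size_t expanded_len(const char *path, const char *home)
{
    if (path[0] == '~')
        return strlen(home) + strlen(path + 1);
    return strlen(path);
}

/* The bounds check the original copy lacked: the raw input may fit in
 * BUF_MAX, but the destination must be checked against the *expanded*
 * length. Returns 0 and fills `out` when it fits, -1 when it would overflow. */
int bounded_expand(const char *path, const char *home, char *out, size_t outsz)
{
    size_t need = expanded_len(path, home);
    if (need >= outsz)           /* no room for the string plus terminator */
        return -1;
    if (path[0] == '~')
        snprintf(out, outsz, "%s%s", home, path + 1);
    else
        snprintf(out, outsz, "%s", path);
    return 0;
}

/* Constructed case: a 501-byte argument that fits the input buffer but
 * expands to 540 bytes once "~" is replaced by a 40-byte home directory. */
int demo_rejects_grown_path(void)
{
    const char *home = "/var/ftp/constructed-home-directory-name"; /* 40 bytes */
    char path[BUF_MAX], out[BUF_MAX];
    path[0] = '~';
    memset(path + 1, 'a', 500);
    path[501] = '\0';
    return bounded_expand(path, home, out, sizeof out);  /* -1: rejected */
}

int main(void)
{
    char out[BUF_MAX];
    printf("~/pub fits: %d\n", bounded_expand("~/pub", "/home/alice", out, sizeof out));
    printf("grown path rejected: %d\n", demo_rejects_grown_path());
    return 0;
}
```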
The directory name lengths required to exploit this vulnerability without creating directories are (from COVERT advisory):
- OpenBSD and NetBSD: 12 characters
- FreeBSD: 9 characters
Any attacker who successfully exploits this vulnerability would gain root access on the target host.
Affected
- Compaq Tru64 4.0 f, 4.0 f PK6 (BL17), 4.0 f PK7 (BL18), 4.0 g, 4.0 g PK3 (BL17), 5.0, 5.0 PK4 (BL17), 5.0 PK4 (BL18), 5.0 a, 5.0 a PK3 (BL17), 5.0 f, 5.1, 5.1 PK3 (BL17), 5.1 PK4 (BL18), 5.1 a, 5.1 a PK1 (BL1)
- FreeBSD FreeBSD 2.2, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.5.1, 4.0, 4.1, 4.1.1, 4.2
- MIT Kerberos 5 1.1.1, 1.2, 1.2.1, 1.2.2
- NetBSD NetBSD 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.5
- OpenBSD OpenBSD 2.3, 2.4, 2.5, 2.6, 2.7, 2.8
- SGI IRIX 6.5, 6.5.1, 6.5.2 m, 6.5.3, 6.5.3 f, 6.5.3 m, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.10, 6.5.11
Response
MandrakeSoft released an advisory stating that the version of ProFTPD distributed as part of Mandrake Linux is not vulnerable to glob()-related buffer overflows.
A workaround is to disable the service until patches become available.
If this is not feasible, perform the following:
- Restrict access to the service.
- Ensure that anonymous users cannot create any directories.
- Ensure that directories with a name longer than eight characters do not exist.
- OpenBSD has released a patch for the OpenBSD FTP daemon.
- MIT has released source code patches for the FTP daemon shipped with Kerberos 5 1.2.2. Users with networks running older versions of Kerberos 5 should upgrade to 1.2.2 and apply the patch listed below.
- Red Hat has released upgraded versions of their Kerberos 5 packages.
- Immunix has released upgraded versions of their Kerberos 5 packages.
- HP/Compaq has released fixes for Tru64.
For Compaq Tru64 4.0f PK7 (BL18):
HP duv40fb18-c0067201-15265-es-20020827.tar
For Compaq Tru64 4.0g PK3 (BL17):
HP t64v40gb17-c0011101-15266-es-20020827.tar
For Compaq Tru64 5.0a PK3 (BL17):
HP t64v50ab17-c0018601-15270-es-20020827.tar
For FreeBSD FreeBSD 3.0:
FreeBSD 3.x glob.3.x.patch
For FreeBSD FreeBSD 3.1:
FreeBSD 3.x glob.3.x.patch
For FreeBSD FreeBSD 3.2:
FreeBSD 3.x glob.3.x.patch
For FreeBSD FreeBSD 3.3:
FreeBSD 3.x glob.3.x.patch
For FreeBSD FreeBSD 3.4:
FreeBSD 3.x glob.3.x.patch
For FreeBSD FreeBSD 3.5:
FreeBSD 3.x glob.3.x.patch
For FreeBSD FreeBSD 3.5.1:
FreeBSD 3.x glob.3.x.patch
For FreeBSD FreeBSD 4.0:
FreeBSD 4.x glob.4.x.patch
For FreeBSD FreeBSD 4.1:
FreeBSD 4.x glob.4.x.patch
For FreeBSD FreeBSD 4.1.1:
FreeBSD 4.x glob.4.x.patch
For FreeBSD FreeBSD 4.2:
FreeBSD 4.x glob.4.x.patch
For MIT Kerberos 5 1.1.1:
Immunix 6.2 krb5-configs-1.1.1-27_StackGuard.i386.rpm
Immunix 6.2 krb5-devel-1.1.1-27_StackGuard.i386.rpm
Immunix 6.2 krb5-libs-1.1.1-27_StackGuard.i386.rpm
Immunix 6.2 krb5-server-1.1.1-27_StackGuard.i386.rpm
Immunix 6.2 krb5-workstation-1.1.1-27_StackGuard.i386.rpm
Red Hat 6.2 alpha krb5-configs-1.1.1-27.alpha.rpm
Red Hat 6.2 alpha krb5-devel-1.1.1-27.alpha.rpm
Red Hat 6.2 alpha krb5-libs-1.1.1-27.alpha.rpm
Red Hat 6.2 alpha krb5-server-1.1.1-27.alpha.rpm
Red Hat 6.2 alpha krb5-workstation-1.1.1-27.alpha.rpm
Red Hat 6.2 i386 krb5-configs-1.1.1-27.i386.rpm
Red Hat 6.2 i386 krb5-devel-1.1.1-27.i386.rpm
Red Hat 6.2 i386 krb5-libs-1.1.1-27.i386.rpm
Red Hat 6.2 i386 krb5-server-1.1.1-27.i386.rpm
Red Hat 6.2 i386 krb5-workstation-1.1.1-27.i386.rpm
Red Hat 6.2 sparc krb5-configs-1.1.1-27.sparc.rpm
Red Hat 6.2 sparc krb5-devel-1.1.1-27.sparc.rpm
Red Hat 6.2 sparc krb5-libs-1.1.1-27.sparc.rpm
Red Hat 6.2 sparc krb5-server-1.1.1-27.sparc.rpm
For MIT Kerberos 5 1.2.2:
Immunix 7.0 krb5-devel-1.2.2-5_imnx.i386.rpm
Immunix 7.0 krb5-libs-1.2.2-5_imnx.i386.rpm
Immunix 7.0 krb5-server-1.2.2-5_imnx.i386.rpm
Immunix 7.0 krb5-workstation-1.2.2-5_imnx.i386.rpm
MIT 1.2.2 ftpbuf_122_patch.txt
Red Hat 7.0 alpha krb5-devel-1.2.2-5.alpha.rpm
Red Hat 7.0 alpha krb5-libs-1.2.2-5.alpha.rpm
Red Hat 7.0 alpha krb5-server-1.2.2-5.alpha.rpm
Red Hat 7.0 alpha krb5-workstation-1.2.2-5.alpha.rpm
Red Hat 7.0 i386 krb5-devel-1.2.2-5.i386.rpm
Red Hat 7.0 i386 krb5-libs-1.2.2-5.i386.rpm
Red Hat 7.0 i386 krb5-server-1.2.2-5.i386.rpm
Red Hat 7.0 i386 krb5-workstation-1.2.2-5.i386.rpm
Red Hat 7.1 i386 krb5-devel-1.2.2-5.i386.rpm
Red Hat 7.1 i386 krb5-libs-1.2.2-5.i386.rpm
Red Hat 7.1 i386 krb5-server-1.2.2-5.i386.rpm
Red Hat 7.1 i386 krb5-workstation-1.2.2-5.i386.rpm
For OpenBSD OpenBSD 2.8:
OpenBSD 025_glob.patch