Multiple FTP servers glob(3) expansion buffer overflow
ID: ftp-glob-expansion (6332)
Description:
Multiple FTP servers are vulnerable to a buffer overflow in the glob(3) function. By sending a request to the FTP server containing a tilde (~) and other wildcard characters in the pathname string, a remote attacker can overflow a buffer and execute arbitrary code on the FTP server to gain root privileges. When the server processes the request, glob(3) expands the user-supplied pattern, and the expanded result can exceed the length the server expected and wrote into a fixed-size buffer. In order to exploit this vulnerability, the attacker must be able to create directories on the FTP server.
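The unchecked copy the description refers to, as an added example that is not code from the advisory or from any vendor's ftpd: a LIST/STAT-style handler expands a user-controlled pattern with glob(3) and copies each match into a fixed-size buffer. The bounded copy below is the length check the affected servers lacked; the PATHBUF size, the scratch directory and its long subdirectory name are all constructed for the demonstration.

```c
#define _DEFAULT_SOURCE          /* for mkdtemp(3) on glibc */
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATHBUF 32                /* deliberately tiny stand-in for the server's path buffer */
static char scratch[PATHBUF];     /* the fixed buffer each expanded match is copied into */

/* Hardened copy: refuse a match that does not fit instead of overrunning the buffer.
 * A plain strcpy() here is the defect the advisory describes. */
int copy_match_bounded(const char *match, char *out, size_t outsz) {
    size_t n = strlen(match);
    if (n + 1 > outsz) return -1;   /* the bound check the vulnerable servers lacked */
    memcpy(out, match, n + 1);
    return 0;
}

/* Expand a user-supplied pattern the way a LIST/STAT handler would and count the
 * matches whose expanded path would not fit in a PATHBUF-byte buffer.
 * Returns -1 if glob() itself fails (e.g. no match). */
int count_oversized_matches(const char *pattern) {
    glob_t g;
    memset(&g, 0, sizeof g);
    if (glob(pattern, 0, NULL, &g) != 0) { globfree(&g); return -1; }
    int oversized = 0;
    for (size_t i = 0; i < g.gl_pathc; i++)
        if (copy_match_bounded(g.gl_pathv[i], scratch, sizeof scratch) != 0) oversized++;
    globfree(&g);
    return oversized;
}

/* Constructed fixture: a scratch directory holding one short subdirectory and one
 * with a 48-character name (the attacker-created directory from the advisory), then
 * expand "<dir>/*" against it. Returns the oversized count, or -1 on error. */
int demo_oversized_count(void) {
    char dir[] = "/tmp/globdemoXXXXXX", p1[256], p2[256], pat[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(p1, sizeof p1, "%s/ok", dir);
    snprintf(p2, sizeof p2, "%s/%s", dir, "dddddddddddddddddddddddddddddddddddddddddddddddd");
    snprintf(pat, sizeof pat, "%s/*", dir);
    mkdir(p1, 0700); mkdir(p2, 0700);
    int n = count_oversized_matches(pat);      /* expected: 1 (only the long name overflows) */
    rmdir(p1); rmdir(p2); rmdir(dir);
    return n;
}
```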
CVSS*:
| Base Score: | 6 |
| Access Vector: | Remote |
| Access Complexity: | Low |
| Authentication: | Required |
| Confidentiality Impact: | Complete |
| Integrity Impact: | Complete |
| Availability Impact: | Complete |
| Temporal Score: | 5 |
| Exploitability: | Functional |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Privileges
Remedy:
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
FtpGlobExpansion
Enable the following checks in the ISS Protection Platform:
FTP_Glob_Expansion
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 21
For Manual Protection:
For FreeBSD 4.2:
Upgrade to the latest version of FreeBSD (FreeBSD 4.2-STABLE, FreeBSD 5.0-CURRENT, or later), as listed in CERT Advisory CA-2001-07. See References.
For Fujitsu UXP/V:
Apply the appropriate patch for your system, as listed in CERT Advisory CA-2001-07. See References.
For NetBSD 1.4:
Upgrade to the latest version of NetBSD (NetBSD-RELEASE-1-4 dated 4-04-2001 or later), as listed in NetBSD Security Advisory 2001-005. See References.
For NetBSD 1.5:
Upgrade to the latest version of NetBSD (NetBSD-RELEASE-1-5 dated 4-04-2001 or later), as listed in NetBSD Security Advisory 2001-005. See References.
For NetBSD-Current:
Upgrade to the latest version of NetBSD (NetBSD-Current dated 4-03-2001 or later), as listed in NetBSD Security Advisory 2001-005. See References.
For Caldera UnixWare 7:
Apply the appropriate patch for your system, as listed in Caldera International, Inc. Security Advisory CSSA-2001-SCO.27. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- Caldera International, Inc. Security Advisory CSSA-2001-SCO.27: UnixWare 7: ftpd glob security.
- CERT Advisory CA-2001-07: File Globbing Vulnerabilities in Various FTP Servers.
- CIAC Information Bulletin L-070A: FTP Filename Expansion Vulnerability.
- CIAC Information Bulletin L-129: Sun in.ftpd Filename Expansion Vulnerability.
- CIAC Information Bulletin L-135: SGI File Globbing Vulnerability in ftpd.
- Compaq SECURITY BULLETIN SSRT-547: HP Tru64 UNIX Potential Security Vulnerabilities TCP/IP, FTPD, ARP.
- FreeBSD Security Advisory FreeBSD-SA-01:33: globbing vulnerability in ftpd.
- Kerberos Security Advisory 2001-04-25: KRB5 FTPD BUFFER OVERFLOWS.
- NetBSD Security Advisory 2000-018: One-byte buffer overrun in ftpd.
- NetBSD Security Advisory 2001-005: Ftpd denial of service and remote buffer overflow.
- Network Associates, Inc. COVERT Labs Security Advisory #48: Globbing Vulnerabilities in Multiple FTP Daemons. (From Packet Storm archive)
- SGI Security Advisory 20010802-01-P: File globbing vulnerability in ftpd.
- Sun Microsystems, Inc. Security Bulletin #00205: in.ftpd.
- BID-2548: Multiple Vendor BSD ftpd glob() Buffer Overflow Vulnerabilities.
- BID-2550: Solaris ftpd glob() Expansion LIST Heap Overflow Vulnerability.
- BID-2552: HP-UX ftpd glob() Expansion STAT Buffer Overflow Vulnerability.
- CVE-2001-0247: Buffer overflows in BSD-based FTP servers allows remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3.
- CVE-2001-0248: Buffer overflow in FTP server in HPUX 11 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the STAT command, which uses glob to generate long strings.
- CVE-2001-0249: Heap overflow in FTP daemon in Solaris 8 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the LIST command, which uses glob to generate long strings.
- US-CERT VU#808552: Multiple ftpd implementations contain buffer overflows.
Platforms Affected:
- Compaq Tru64 4.0f
- Compaq Tru64 4.0g
- Compaq Tru64 5.0a
- FreeBSD FreeBSD 4.2
- HP HP-UX 11.00
- MIT Kerberos
- NetBSD NetBSD
- OpenBSD OpenBSD 2.8
- SCO Caldera UnixWare 7
- SGI IRIX 6.5
- SGI IRIX 6.5 20
- SGI IRIX 6.5.1
- SGI IRIX 6.5.10
- SGI IRIX 6.5.10f
- SGI IRIX 6.5.10m
- SGI IRIX 6.5.11
- SGI IRIX 6.5.11f
- SGI IRIX 6.5.11m
- SGI IRIX 6.5.12
- SGI IRIX 6.5.12f
- SGI IRIX 6.5.12m
- SGI IRIX 6.5.13
- SGI IRIX 6.5.13f
- SGI IRIX 6.5.13m
- SGI IRIX 6.5.14
- SGI IRIX 6.5.14f
- SGI IRIX 6.5.14m
- SGI IRIX 6.5.15
- SGI IRIX 6.5.15f
- SGI IRIX 6.5.15m
- SGI IRIX 6.5.16
- SGI IRIX 6.5.16f
- SGI IRIX 6.5.16m
- SGI IRIX 6.5.17
- SGI IRIX 6.5.17f
- SGI IRIX 6.5.17m
- SGI IRIX 6.5.18
- SGI IRIX 6.5.18f
- SGI IRIX 6.5.18m
- SGI IRIX 6.5.19
- SGI IRIX 6.5.19f
- SGI IRIX 6.5.19m
- SGI IRIX 6.5.2
- SGI IRIX 6.5.20
- SGI IRIX 6.5.20f
- SGI IRIX 6.5.20m
- SGI IRIX 6.5.21
- SGI IRIX 6.5.21f
- SGI IRIX 6.5.21m
- SGI IRIX 6.5.22
- SGI IRIX 6.5.22m
- SGI IRIX 6.5.23
- SGI IRIX 6.5.23m
- SGI IRIX 6.5.24
- SGI IRIX 6.5.24m
- SGI IRIX 6.5.25
- SGI IRIX 6.5.26
- SGI IRIX 6.5.27
- SGI IRIX 6.5.28
- SGI IRIX 6.5.2f
- SGI IRIX 6.5.2m
- SGI IRIX 6.5.3
- SGI IRIX 6.5.3f
- SGI IRIX 6.5.3m
- SGI IRIX 6.5.4
- SGI IRIX 6.5.4f
- SGI IRIX 6.5.4m
- SGI IRIX 6.5.5
- SGI IRIX 6.5.5f
- SGI IRIX 6.5.5m
- SGI IRIX 6.5.6
- SGI IRIX 6.5.6f
- SGI IRIX 6.5.6m
- SGI IRIX 6.5.7
- SGI IRIX 6.5.7f
- SGI IRIX 6.5.7m
- SGI IRIX 6.5.8
- SGI IRIX 6.5.8f
- SGI IRIX 6.5.8m
- SGI IRIX 6.5.9
- SGI IRIX 6.5.9f
- SGI IRIX 6.5.9m
- Sun Solaris 8
Reported:
Apr 09, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.