FTP glob() vulnerable to command line argument when using tilde and left brace
Signature: ftp-glob-tilde-brace (8942)
Description:
Glob functions allow programs to search for path names matching specific patterns according to the rules used by the shell. Multiple FTP server implementations are vulnerable to attacks using command arguments that begin with a tilde "~" and end with an opening brace "{". The specific vulnerability may vary between different FTP servers.
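The signature described above is a simple string-shape check on the argument of an FTP command. The following Python snippet, added here as an illustration and not part of the X-Force record, applies that check to FTP control-channel log lines. The log format (timestamp, client address, command, argument) and the sample lines are constructed for the example; adapt the regular expression to the server's actual log layout.

```python
import re

# Constructed sample of FTP control-channel log lines (timestamp, client, command, argument).
# These are not taken from the X-Force record; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 USER anonymous
2024-01-01T10:00:02Z 10.0.0.5 CWD /pub
2024-01-01T10:00:03Z 10.0.0.5 LIST ~{
2024-01-01T10:00:04Z 10.0.0.5 RETR README.txt
2024-01-01T10:00:05Z 10.0.0.5 NLST ~user/{
2024-01-01T10:00:06Z 10.0.0.5 LIST ~/docs
"""

# One log line: timestamp, source address, 3-4 letter FTP command, optional argument.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*?))?\s*$"
)

# FTP commands whose argument is commonly passed through the server's glob() routine.
GLOB_COMMANDS = {"LIST", "NLST", "RETR", "STOR", "DELE", "CWD", "SIZE", "MDTM"}


def matches_tilde_brace(arg):
    """True when the argument begins with '~' and ends with '{' (the ftp-glob-tilde-brace shape)."""
    return arg is not None and arg.startswith("~") and arg.endswith("{")


def scan_ftp_log(text):
    """Return one record per log line whose glob-bearing command carries a matching argument."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        cmd = m.group("cmd").upper()
        arg = m.group("arg")
        if cmd in GLOB_COMMANDS and matches_tilde_brace(arg):
            hits.append({"ts": m.group("ts"), "src": m.group("src"), "cmd": cmd, "arg": arg})
    return hits


if __name__ == "__main__":
    for hit in scan_ftp_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['cmd']} {hit['arg']!r}  <- ftp-glob-tilde-brace")
```

Run against the embedded sample, the scanner flags the two LIST/NLST lines whose argument starts with "~" and ends with "{" and leaves the ordinary "~/docs" path alone; a hit is a reason to confirm the server's patch level against the referenced WU-FTPD and glibc records, not proof of compromise on its own.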
Consequences:
Gain Privileges
Remedy:
This event could indicate a vulnerability in either Washington University's FTP daemon (WU-FTPD), or the glibc package included with multiple Linux distributions. Refer to the related X-Force Database record for each specific vulnerability regarding upgrade or patch information. See References.
References:
- IBM Internet Security Systems X-Force Database: glibc glob() functions buffer overflow.
- IBM Internet Security Systems X-Force Database: WU-FTPD glob() function error handling heap corruption.
Platforms Affected:
- IETF FTP
- Linux Kernel
- Unix
Reported:
Not available
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
