AUSCERT External Security Bulletin Redistribution

       ESB-2001.143 -- COVERT Labs Security Advisory COVERT-2001-02
             Globbing Vulnerabilities in Multiple FTP Daemons
                               10 April 2001


        AusCERT Security Bulletin Summary

Product:                FTP
Vendor:                 FreeBSD
                        Sun Microsystems

Operating System:       FreeBSD 4.2
                        OpenBSD 2.8
                        NetBSD 1.5
                        IRIX 6.5.x
                        HPUX 11
                        Solaris 8

Impact:                 Root Compromise
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1


                     Network Associates, Inc.
                  COVERT Labs Security Advisory 
                          April 9, 2001

          Globbing Vulnerabilities in Multiple FTP Daemons


o Synopsis

Multiple FTP server implementations contain buffer overflows that
allow local and remote attackers to gain root privileges on affected
servers.  These vulnerabilities are contingent upon the remote user
having the ability to create directories on the server hosting the
FTP daemon, with the exception of a few cases noted below. The
vulnerabilities presented are all related to the use of the glob()
function, and can be divided into the following two categories:

 - glob() expansion vulnerabilities

User input that has been expanded by glob() can exceed expected
lengths and trigger otherwise benign buffer mismanagement problems
present in certain FTP daemons.

 - glob() implementation vulnerabilities

Certain implementations of the glob() function contain buffer
overflows. These vulnerabilities are exploitable through FTP daemons
that utilize these problematic implementations.

CVE Candidate numbers for these issues have been assigned and are
listed in the Vulnerable Systems section.



o Vulnerable Systems

The following operating systems have been confirmed to contain
vulnerable FTP daemons:

FreeBSD 4.2     CAN-2001-0247
OpenBSD 2.8
NetBSD  1.5 
IRIX    6.5.x 

HPUX    11      CAN-2001-0248

Solaris 8       CAN-2001-0249


o Vulnerability Overview

glob() implements filename pattern matching, following rules similar
to those used by Unix shells.  It is a pathname generator, which
accepts an input pattern representing a set of filenames and returns 
a list of accessible pathnames matching that pattern. The input 
pattern is specified by using special metacharacters, taken from 
the following: *?[]{}~' . For example, a pattern of '/e*' would
match all directories and files in the root of the file system that
begin with the character 'e'.

The File Transfer Protocol (FTP), as defined in RFC959, describes
numerous commands with pathname arguments that specify files or
directories. Though it is not required by the specification, most FTP
daemon implementations provide server-side globbing functionality
that performs pattern expansion on these pathnames.  The actual
glob() implementation is often located in the FTP daemon itself,
though some FTP servers use an underlying libc implementation.

The ability of a remote or local user to deliver input patterns to
glob() implementations allows for two general types of security

 - glob() expansion vulnerabilities

A number of vulnerabilities result from an FTP daemon assuming that
the length of the user input is limited to the number of characters
that are read in from the socket. This is typically 512 characters.
This assumption is problematic because most FTP daemons contain a
parser rule for processing pathnames beginning with a tilde. The
intended effect of this rule is to replace the tilde directory
component with the referenced home directory. However, since this
is performed by running the string through the glob() function, the
FTP daemon will also expand any other wildcard characters present.
This allows for user input that can exceed the number of characters
read in from the socket, which can make otherwise benign unbounded
string operations exploitable.

 - glob() implementation vulnerabilities

Certain glob() implementations contain buffer overflows in their
internal utility functions. These overflows are typically triggered
by requesting a pattern that expands to a very large pathname, or
by submitting a pattern that the user intends to have the FTP daemon
run through glob() twice.


o Detailed Information

 - glob() expansion vulnerabilities

As mentioned above, when an FTP daemon receives a request involving a
file that has a tilde as its first character, it typically runs the
entire filename string through globbing code in order to resolve the
specified home directory into a full path.  This has the side effect
of expanding other metacharacters in the pathname string, which can
lead to very large input strings being passed into the main command
processing routines. This can lead to exploitable buffer overflow
conditions, depending upon how these routines manipulate their input.

In Solaris, an exploitable heap overflow of this nature is triggered
by using the LIST command. This vulnerability occurs when the
FTP daemon attempts to construct a string using unbounded string
operations in order to execute the /bin/ls program.

HPUX contains a stack based overflow of this nature that can be
triggered by the use of the STAT command.

 - glob() implementation vulnerabilities

There are two implementations of glob() that are known to contain
buffer overflow vulnerabilities.

Implementations based off of the c-shell globbing code contain a
buffer overflow that can be triggered by supplying a pattern string
such that a set of brackets {} is followed by a string that is longer
than the length reserved for the stack based buffer defined in
execbrc().  This could be exploited by utilizing a code path in the
FTP daemon that fed the expanded output of one globbed pathname into
a second call to glob().

BSD implementations of glob() contain four exploitable buffer
overflows. The first buffer overflow occurs in the static utility
function g_opendir(), which copies the provided pathname onto the
stack. This is performed using the function g_Ctoc, which converts a
16-bit character string to an 8-bit character string, but otherwise
works like strcpy. Similar overflows occur in g_lstat(), and
g_stat(). A fourth overflow, one that affects the stack based buffer
reserved in glob0, is the result of the behavior of the mutually
recursive functions glob2() and glob3().

Note that these vulnerabilities do not require the last component
of the provided directory to be a valid file, thus allowing
exploitation even without the ability to create directories and
files.  Testing has shown that it would be possible to exploit
OpenBSD and NetBSD without a writable directory being present if a 
directory name with a length of 12 characters is available. FreeBSD 
can be exploited without a writable directory being present if a 
directory name of length 9 is available.


o Resolution

This advisory will be updated as more information becomes available.
The most recent version is available from the PGP Security website 


The CERT/CC is coordinating the collection of information on 
vulnerable distributions from third party vendors. For more 
information, please read CERT Advisory CA-2001-07 available at:


In lieu of a patch, these vulnerabilities may be addressed in a
general fashion by ensuring that no directories exist in the
anonymous FTP tree that are writable by the anonymous FTP user.
Furthermore, BSD and Irix users should take care to ensure that no
directory in the anonymous FTP tree has a name longer than 8
characters. It is important to note that these precautions will not
prevent local user privilege escalation through the FTP daemon.


o Credits

Discovery and documentation of these vulnerabilities was conducted
by John McDonald and Anthony Osborne of the COVERT Labs at PGP 


o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.pgp.com/covert or send e-mail to covert@nai.com


o  Legal Notice

The information contained within this advisory is Copyright (C) 2001
Networks Associates Technology Inc. It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries. All other registered and unregistered
trademarks in this document are the sole property of their respective


Version: PGP 7.0.1


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key