AUSCERT External Security Bulletin Redistribution

             ESB-2001.144 -- NetBSD Security Advisory 2001-005
             Ftpd denial of service and remote buffer overflow
                               10 April 2001


        AusCERT Security Bulletin Summary

Product:                Ftpd
Vendor:                 NetBSD
Operating System:       NetBSD-current
Impact:                 Root Compromise
                        Denial of Service
Access Required:        Remote

Ref:                    ESB-2001.143

--------------------------BEGIN INCLUDED TEXT--------------------


                 NetBSD Security Advisory 2001-005

Topic:          Ftpd denial of service and remote buffer overflow
Version:        NetBSD 1.4, 1.5, -current
Severity:       Remote root compromise
Fixed:          NetBSD-current:    April 03, 2001
                NetBSD-1.5 branch: April 04, 2001
                NetBSD-1.4 branch: April 04, 2001


A recent COVERT Labs Security Advisory (COVERT-2001-02) describes
a remote denial of service and buffer overrun that COVERT Labs
discovered in the glob(3) library function. This function is called
by the ftp server daemon (ftpd), and therefore the ftp server is
vulnerable to this attack.

Systems running ftpd are vulnerable.

ftpd is usually started from inetd; inetd is configured through
the /etc/inetd.conf file.

As of the release date of this advisory, all past NetBSD releases,
including NetBSD 1.5, are vulnerable.

Fresh installs of NetBSD 1.5 are not vulnerable as ftpd is disabled
by default in /etc/inetd.conf; however, a system upgraded from an
earlier release to 1.5 may still be using an old inetd.conf with
ftpd still enabled, or it may need to run an ftp server and will
thus have it enabled.

Technical Details

The glob(3) library function in the C library (libc) had two problems:

  * There was no limit placed on the number of matches returned.

    This vulnerability could lead to a remote denial of service
    against the service or the machine running the service when
    certain glob patterns are provided that cause the calling
    process to consume RAM, CPU, and disk I/O while expanding the pattern.

  * It used a stack-based buffer for storing pathnames, and the
    data transfers to this buffer did not enforce the end of
    buffer boundary.

    This vulnerability could lead to remote root compromise,
    through execution of arbitrary code in an overflowed buffer.

Solutions and Workarounds

All NetBSD official releases up to and including 1.5 have a vulnerable glob
function in libc and a vulnerable ftp server binary in /usr/libexec/ftpd.
You should replace them to fix the problem.

If you do not run ftpd on your system, your system is not vulnerable.
Check /etc/inetd.conf to see if you have a line that starts with
"ftp".  In any event, we suggest you apply the fix, in case you want
to run ftpd in the future.  Note that NetBSD 1.5 does not run ftpd
by default (/etc/inetd.conf has a commented-out "ftp" line).

There are several ways that systems administrators may update their
versions of the C library and the ftp server.  Each of these
mechanisms is described in more detail in the following subsections.

  * System upgrade via source
  * Replace the system ftpd with one from the NetBSD Packages collection.

 Updating via source:

    Users may update their system source, from the appropriate release
    branch or NetBSD-current, and rebuild the C library and the ftp
    server (as well as other parts of the system).

    This method is recommended for users of NetBSD-current and
    technically literate users of the most recent releases on each
    branch (1.4.3 or 1.5).

    Note that the NetBSD release branches contain accumulated changes
    and bugfixes since the most recent release; these changes are
    intended to improve the system, but have not yet been through the
    complete release engineering cycle. Users who wish to remain at a
    formal release should use the pkgsrc method instead.

    System sources can be updated via anonymous CVS, SUP, or via
    download of source tarfiles from the appropriate branch,
    collection or directory:

    Release  CVS branch  SUP collection  FTP directory
    1.4      netbsd-1-4  release-1-4     /pub/NetBSD/NetBSD-release-1-4
    1.5      netbsd-1-5  release-1-5     /pub/NetBSD/NetBSD-release-1-5
    current  HEAD        current         /pub/NetBSD/NetBSD-current

    Systems running NetBSD-current dated from before 2001-04-04 should
    be upgraded to NetBSD-current dated 2001-04-04 or later.  For
    NetBSD-current, see /usr/src/UPDATING for additional instructions,
    as additional dependencies may need to be rebuilt before libc and

    Systems running the NetBSD 1.5 release branch dated from before
    2001-04-05 should be upgraded to 2001-04-05 or later.

    Systems running the NetBSD 1.4 release branch dated from before
    2001-04-05 should be upgraded to 2001-04-05 or later.

    It is recommended that users tracking inter-release sources do a
    full system update.  Once sources and dependencies have been taken
    care of, the following will rebuild *just* libc and ftpd:

      # cd /usr/src/include
      # make includes
      # cd /usr/src/lib/libc
      # make depend
      # make
      # make install
      # cd /usr/src/libexec/ftpd
      # make depend
      # make
      # make install

 Updating via pkgsrc:

    For many users looking for a quick and specific update, the NetBSD
    packages collection provides a simple mechanism to install a
    current version of NetBSD's ftpd that has been made portable to
    older NetBSD releases and other operating systems, to replace the
    system version.

    This technique is applicable to ALL systems, and is recommended
    for urgent fixes. It may be used as a temporary measure even by
    those intending to follow up with a full system upgrade.

    1) First, make sure you have an up-to-date pkgsrc collection (at
       least as recent as 2001-04-05).  This can be obtained via
       anonymous CVS, SUP or FTP from the project servers or mirrors.

    2) Change to the appropriate subdirectory:

       # cd /usr/pkgsrc/net/lukemftpd

    3) Ensure that the pkgsrc version is 1.0 or newer:

       # grep PKGNAME Makefile
       PKGNAME=        lukemftpd-1.0

    4) Build and install the package. This will download the sources
       automatically.  (If prompted to update the pkg tools first, do
       so according to the instructions presented, then return to the
       lukemftpd directory and resume here).

       # make install

       Now you have an up-to-date version of ftpd installed in /usr/pkg.

    5) Next, it is necessary to use the new ftpd instead of the system one.
       Edit /etc/inetd.conf and change the path in any entries for "ftp"
       from "/usr/libexec/ftpd" to "/usr/pkg/libexec/ftpd".  Notify inetd
       to reload its config file with:

       # kill -1 `cat /var/run/inetd.pid`

    Pre-compiled binary packages of net/lukemftpd have been prepared for
    some architectures and NetBSD versions. These can be found under


    You may wish to use one of these instead of having the pkgsrc
    system compile for you. Download the appropriate file for your
    system if available, and use:

       # pkg_add lukemftpd-1.0

    to install the pre-built package. Then follow the steps from 5
    above to use the new ftpd instead of the system ftpd.
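As an added check that is not part of the NetBSD advisory or its procedure: a small POSIX shell audit that applies the /etc/inetd.conf test from the "Solutions and Workarounds" section (is there an active "ftp" line?) and, if so, reports whether inetd still points at the system /usr/libexec/ftpd or has been switched to /usr/pkg/libexec/ftpd as in step 5. The sample inetd.conf contents, the helper names and the return-code convention are constructed here.

```shell
# Added example, not part of the NetBSD advisory: audit an inetd.conf for an
# active "ftp" entry and report which ftpd binary inetd would run.

# inetd_ftp_status [FILE]   (default /etc/inetd.conf)
# Return codes (a convention chosen here): 0 = no active ftp entry, so the
# vulnerable ftpd is not reachable via inetd; 1 = ftp enabled and still using
# the system /usr/libexec/ftpd; 2 = ftp enabled with another binary, e.g. the
# pkgsrc lukemftpd in /usr/pkg/libexec/ftpd from step 5.
inetd_ftp_status() {
    conf=${1:-/etc/inetd.conf}
    # inetd.conf fields: service socktype proto wait/nowait user program args...
    # A commented-out entry has "#ftp" or "#" in $1 and is therefore skipped;
    # both the tcp and tcp6 lines are collected and duplicates folded.
    progs=$(awk '$1 == "ftp" { print $6 }' "$conf" | sort -u)
    if [ -z "$progs" ]; then
        echo "$conf: no active ftp entry"
        return 0
    fi
    rc=2
    for p in $progs; do
        case $p in
        /usr/libexec/ftpd)
            echo "$conf: ftp served by system $p (rebuild libc and ftpd, or switch to pkgsrc lukemftpd)"
            rc=1 ;;
        *)
            echo "$conf: ftp served by $p" ;;
        esac
    done
    return $rc
}

# sample_conf KIND: write a constructed inetd.conf to a temp file and print its
# path. "default15" mimics a fresh NetBSD 1.5 install (ftp commented out),
# "upgraded" an old config still running the system ftpd on tcp and tcp6,
# "pkgsrc" the config after step 5.
sample_conf() {
    f=$(mktemp /tmp/inetd.XXXXXX)
    case $1 in
    default15) printf '#ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -ll\n' > "$f" ;;
    upgraded)  printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -ll\n' > "$f"
               printf 'ftp\tstream\ttcp6\tnowait\troot\t/usr/libexec/ftpd\tftpd -ll\n' >> "$f" ;;
    pkgsrc)    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/pkg/libexec/ftpd\tftpd -ll\n' > "$f" ;;
    esac
    echo "$f"
}

# Usage: inetd_ftp_status "$(sample_conf upgraded)"   (no argument audits /etc/inetd.conf)
```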

Thanks To

COVERT Labs for bringing this problem to our attention.

Christos Zoulas for the glob(3) fixes, and the corresponding changes
to the ftp server, and Luke Mewburn for providing the `lukemftpd'
portable version of the ftp server.

Revision History

	2001-04-10	Initial release

More Information

Information about NetBSD and NetBSD security can be found at:
	http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/

COVERT Labs Security Advisory COVERT-2001-02, "Globbing
Vulnerabilities in Multiple FTP Daemons" is available at:

Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-005.txt,v 1.7 2001/04/10 06:32:20 lukem Exp $



--------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
