AUSCERT External Security Bulletin Redistribution

                 ESB-2001.145 -- CERT Advisory CA-2001-07
           File Globbing Vulnerabilities in Various FTP Servers
                               10 April 2001


        AusCERT Security Bulletin Summary

Product:                FTP
Vendor:                 FreeBSD
Operating System:       FreeBSD
                        Fujitsu UXP/V V20L10
                        Fujitsu UXP/V V20L10
                        Fujitsu UXP/V V10L20
Impact:                 Root Compromise
Access Required:        Remote

Ref:                    ESB-2001.143

- --------------------------BEGIN INCLUDED TEXT--------------------


CERT Advisory CA-2001-07 File Globbing Vulnerabilities in Various FTP

   Original release date: April 10, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   FTP servers on various platforms


   A variety of FTP servers incorrectly manage buffers in a way that can
   lead to remote intruders executing arbitrary code on the FTP server.
   The incorrect management of buffers is centered around the return from
   the glob() function, and may be confused with a related
   denial-of-service problem. These problems were discovered by the
   COVERT Labs at PGP Security.

I. Description

   Filename "globbing" is the process of expanding short-hand notation
   into complete file names. For example, the expression "*.c" (without
   the quotes) is short-hand notation for "all files ending in ".c"
   (again, without the quotes). This is commonly used in UNIX shells, in
   commands such as ls *.c. Globbing also often includes the expansion of
   certain characters into system-specific paths, such as the expansion
   of tilde character (~) into the path of the home directory of the user
   specified to the right of the tilde character. For example, "~foo"
   expands to the home directory for the user "foo" on the current
   system. The expressions used in filename globbing are not strictly
   regular expressions, but they are syntactically similar in many ways.

   Many FTP servers also implement globbing, so that the command mget *.c
   means retrieve all the files ending in ".c," and get ~foo/file.name
   means get the file named "file.name" in the home directory of foo.

   The COVERT Labs at PGP Security have discovered a means to use the
   expansion done by the glob function to overflow various buffers in FTP
   servers, allowing an intruder to execute arbitrary code. For more
   details about their discovery, see


   Quoting from that document:

          [...] when an FTP daemon receives a request involving a file
          that has a tilde as its first character, it typically runs the
          entire filename string through globbing code in order to
          resolve the specified home directory into a full path. This has
          the side effect of expanding other metacharacters in the
          pathname string, which can lead to very large input strings
          being passed into the main command processing routines. This
          can lead to exploitable buffer overflow conditions, depending
          upon how these routines manipulate their input.

   For the latest information regarding this vulnerability, including
   information related to vendors' exposure to this problem, consult the
   vulnerability note describing this problem, available at


II. Impact

   Intruders can execute arbitrary code with the permissions of the
   process running the FTP server.

III. Solution

   Apply a patch or workaround from your vendor, as described in Appendix

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. When vendors report new information to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their

Compaq Computer Corporation


   x-ref: J Compaq case id - SSRT1-83

   At the time of writing this document, Compaq is currently
   investigating the potential impact to Compaq's ftp service.

   Initial tests indicate Compaq's ftp service is not vulnerable.

   As further information becomes available Compaq will provide notice of
   the completion/availibility of any necessary patches through AES
   services (DIA,DSNlink FLASH and posted to the Services WEB page) and
   be available from your normal Compaq Services Support channel.


FreeBSD, Inc.

   FreeBSD is vulnerable to the glob-related bugs. We have corrected
   these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they
   will not be present in FreeBSD 4.3-RELEASE.


   [...] we have determined that the versions of UXP/V shown below are
   vulnerable. JPatches are being prepared and will be assigned the patch
   numbers also shown below:

   OS Version,PTF level patch ID
   -------------------- --------
   UXP/V V20L10 X01021  UX28161
   UXP/V V20L10 X00091  UX28160
   UXP/V V10L20 X01041  UX15527

IBM Corporation

   [...] we have not found the described vulnerabilities to exist in the
   AIX versions of glob as used in the ftp daemon.


   Please be aware that as of March 29, 2001, NetBSD has a fix for both
   the glob resource consumption (via an application controlled
   GLOB_LIMIT flag) and the buffer overflow (always enforced). These
   fixes should work on any 4.4BSD derived glob(3).


   SGI acknowledges the vulnerability reported by NAI COVERT Labs and is
   currently investigating. No further information is available at this

   As further information becomes available, additional advisories will
   be issued via the normal SGI security information distribution methods
   including the wiretap mailing list and

   For the protection of all our customers, SGI does not disclose,
   discuss or confirm vulnerabilities until a full investigation has
   occurred and any necessary patch(es) or release streams are available
   for all vulnerable and supported IRIX operating systems.

   Until SGI has more definitive information to provide, customers are
   encouraged to assume all security vulnerabilities as exploitable and
   take appropriate steps according to local site security policies and

   The CERT Coordination Center would like to thank the COVERT Labs at
   PGP Security for notifying us about this problem and for their help in
   constructing this advisory.

   Author: Shawn V. Hernan

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from


   If you prefer to use DES, please call the CERT hotline for more

Getting security information

   CERT publications and other security information are available from
   our web site


   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History
April 10, 2001:  Initial release

Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key