-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

        ESB-2001.164 -- FreeBSD-SA-01:33.ftpd-glob [REVISED]
                   globbing vulnerability in ftpd
                            24 April 2001
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:                ftpd
Vendor:                 FreeBSD
Operating System:       FreeBSD 3.x (all releases)
                        FreeBSD 4.x (all releases)
                        FreeBSD 3.5-STABLE
                        FreeBSD 4.3-RC (prior to the correction date)
                        BSD
                        Linux
                        Unix
Impact:                 Execute Arbitrary Code/Commands
                        Root Compromise
Access Required:        Remote

Ref:                    ESB-2001.155

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:33                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          globbing vulnerability in ftpd [REVISED]

Category:       core
Module:         ftpd/libc
Announced:      2001-04-17
Revised:        2001-04-19
Credits:        John McDonald and Anthony Osborne, COVERT Labs
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE and 4.3-RC prior to the correction date.
Corrected:      2001-04-17 (FreeBSD 4.3-RC)
                2001-04-17 (FreeBSD 3.5-STABLE)
Vendor status:  Corrected
FreeBSD only:   NO

0.   Revision History

2001-04-17  v1.0  Initial release
2001-04-19  v1.1  Corrected patch and patch instructions

I.   Background

Numerous FTP daemons, including the daemon distributed with FreeBSD, use
server-side globbing to expand pathnames via user input. This globbing is
performed by FreeBSD's glob() implementation in libc.

II.  Problem Description

The glob() function contains potential buffer overflows that may be
exploitable through the FTP daemon. If a directory with a name of a
certain length is present, a remote user specifying a pathname using
globbing characters may cause arbitrary code to be executed on the FTP
server as the user running ftpd, usually root.

Additionally, when given a path containing numerous globbing characters,
the glob() function may consume significant system resources when
expanding the path. This can be controlled by setting user limits via
/etc/login.conf and setting limits on globbing expansion.

All versions of FreeBSD prior to the correction date, including FreeBSD
3.5.1 and 4.2, contain this problem. The base system that will ship with
FreeBSD 4.3 does not contain this problem since it was corrected before
the release.

III. Impact

Remote users may be able to execute arbitrary code on the FTP server as
the user running ftpd, usually root. The FTP daemon supplied with FreeBSD
is enabled by default to allow access to authorized local users and not
anonymous users, thus limiting the impact to authorized local users.

IV.  Workaround

If the FTP daemon is executed from inetd, disable the FTP daemon by
commenting out the ftp line in /etc/inetd.conf, then reload the inetd
configuration by executing the following command as root:

# killall -HUP inetd

V.   Solution

One of the following:

1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction date.

2) Download the patch and detached PGP signature from the following
location:

The following patch applies to FreeBSD 4.x:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc

The following patch applies to FreeBSD 3.x:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cp /usr/src/include/glob.h /usr/include/
# cd /usr/src/lib/libc
# make all install
# cd /usr/src/libexec/ftpd
# make all install

If the FTP daemon is running standalone, it will have to be manually
stopped and restarted.
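The inetd workaround in section IV, as an added example that is not part of the advisory: a POSIX sh script that reports whether an inetd.conf file still has an active ftp service line and comments it out, keeping a backup. The file path is a parameter so the functions can be exercised against a constructed sample copy; on a live host disable_live_ftpd applies the edit to /etc/inetd.conf and sends inetd the HUP the advisory shows.

```shell
#!/bin/sh
# Added example, not part of the advisory: disable the inetd-spawned ftpd (Workaround IV).
set -eu

# Write a constructed sample inetd.conf (modelled on FreeBSD's layout) to $1.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
EOF
}

# Print "enabled" if $1 has at least one uncommented ftp service line,
# otherwise "disabled".
ftp_state() {
    if grep -Eq '^[[:space:]]*ftp[[:space:]]+stream' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# Comment out every active ftp service line in $1, keeping a backup at $1.bak.
# Other lines (including already-commented ones) are left untouched.
disable_inetd_ftp() {
    cp -p "$1" "$1.bak"
    tmp="$1.tmp.$$"
    sed -E 's/^([[:space:]]*)(ftp[[:space:]]+stream)/\1#\2/' "$1" > "$tmp"
    cat "$tmp" > "$1"    # overwrite in place so ownership and mode survive
    rm -f "$tmp"
}

# Apply the change to the live file and reload inetd; must run as root.
disable_live_ftpd() {
    disable_inetd_ftp /etc/inetd.conf
    killall -HUP inetd
}

# Stand-alone demonstration against a temporary copy: ./script --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); make_sample_inetd_conf "$f"
    echo "before: $(ftp_state "$f")"; disable_inetd_ftp "$f"
    echo "after: $(ftp_state "$f")"; rm -f "$f" "$f.bak"
fi
```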
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----