FTP Filename Globbing

Updated 12/21/01
CAN 2001-0247
CAN 2001-0248
CAN 2001-0249
CVE 2001-0550
CVE 2001-0886
CAN 2001-0935
CVE 2001-0965

Impact

Regular users or anonymous users could gain root access on the server if this vulnerability is exploitable.

Background

In Unix shells, certain characters such as the asterisk (*) and tilde (~) cause lists of filenames to be generated automatically from pattern matches. This feature is known as globbing. For example, the command:
ls *.c
would list all files in the current directory whose names end in .c. In a directory containing the files main.c, start.c, and stop.c, it would be equivalent to:
ls main.c start.c stop.c
Similarly, the tilde character refers to the home directory of the user whose name immediately follows it. That is, if joe's home directory is /home/joe, then
ls ~joe
would be interpreted as
ls /home/joe
Many FTP servers implement filename globbing using the same rules as Unix shells, which allows multiple files to be stored on or retrieved from the server with a single command.

The Problem


Glob buffer overflow in FTP implementations

In many implementations, the length of the string returned by the filename globbing routine is not checked before the string is copied into a fixed-length buffer. An attacker could send the FTP server a specially crafted command whose file name contains special characters; the globbing routine expands it into a very large string, which overwrites the stack pointer and allows the execution of arbitrary commands. To exploit this vulnerability, the attacker would in most cases need access to a writable directory on the server. However, on OpenBSD or NetBSD the attacker would not need access to a writable directory as long as there is already a directory whose name is 12 characters long, and on FreeBSD the same holds if there is already a directory whose name is 9 characters long.

The following operating systems and FTP servers are known to be affected by this vulnerability. Earlier versions are likely to be affected as well.

If your system is running a version of ftpd which is listed above or which came with one of the above operating systems, your system is probably vulnerable. Furthermore, if the anonymous account is enabled and there are directories writable by the anonymous user (or, in some cases, any directories with names of a certain length), the vulnerability could be exploited by a remote user without an account on the system.


Memory deallocation flaw in wu-ftpd

11/30/01
CVE 2001-0550
CAN 2001-0935
Although the Washington University FTP server (wu-ftpd) is not affected by the vulnerability described above, there is a different vulnerability in wu-ftpd's globbing routine. In some cases, the globbing routine does not return the proper value to indicate an error condition, causing wu-ftpd to attempt to free an area of memory which was never allocated. This condition could be exploited to execute arbitrary code if the attacker is first able to place the code at a certain memory address. This vulnerability affects wu-ftpd 2.6.1 and earlier, and can be exploited either by a user with an account on the server, or by an anonymous user if anonymous FTP is enabled.
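Both flaws above come down to two checks on the globbing routine's output: the total length of the expansion, and whether the call actually succeeded before its memory is used or freed. The following C program is an added example and is not code from this advisory, from wu-ftpd or from any other FTP server. It uses glibc's glob(3) to expand a pattern and joins the matches into a fixed-size buffer the way a server builds a response line, with both checks in place; the temporary directory, file names and buffer sizes are constructed for the demonstration and are not taken from any affected system.

```c
/*
 * Added example (not code from the advisory or from any ftpd): expand a
 * pattern with glob(3) and join the matches into a fixed-size buffer with
 *   1. the joined length checked against the buffer before any copy, and
 *   2. glob_t zero-initialised and the return value checked, so globfree()
 *      only ever releases memory that glob() actually allocated.
 */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Unchecked idiom the advisory describes, shown for contrast and never called:
 * nothing bounds the total length, so a long expansion runs off the end of line[].
 *   char line[512] = "";
 *   for (size_t i = 0; i < g.gl_pathc; i++) { strcat(line, g.gl_pathv[i]); strcat(line, " "); }
 */

/*
 * Expand pattern and write the matches, space-separated, into buf.
 * Returns the number of matches written, 0 when nothing matches, or -1 when
 * the expansion does not fit in bufsize or glob() fails for another reason.
 * buf is always NUL-terminated on return.
 */
int expand_and_join(const char *pattern, char *buf, size_t bufsize)
{
    glob_t g;
    size_t used = 0;
    int rc, n = 0;

    if (bufsize == 0)
        return -1;
    buf[0] = '\0';

    memset(&g, 0, sizeof g);          /* gl_pathv stays NULL until glob() allocates it */
    rc = glob(pattern, 0, NULL, &g);

    if (rc == 0) {
        for (size_t i = 0; i < g.gl_pathc; i++) {
            size_t len = strlen(g.gl_pathv[i]);
            /* the name plus one byte (separator or final NUL) must fit */
            if (len + 1 > bufsize - used) {
                buf[0] = '\0';
                n = -1;               /* reject the expansion instead of truncating it */
                break;
            }
            memcpy(buf + used, g.gl_pathv[i], len);
            used += len;
            buf[used++] = ' ';
            n++;
        }
        if (n > 0)
            buf[used - 1] = '\0';     /* turn the trailing space into the terminator */
    } else if (rc != GLOB_NOMATCH) {
        n = -1;                       /* GLOB_ABORTED or GLOB_NOSPACE */
    }

    /* Safe on every path: with a zero-initialised glob_t, globfree() touches
     * only what glob() allocated, never an address that was never allocated. */
    globfree(&g);
    return n;
}

/*
 * Constructed fixture: a temporary directory holding alpha.c and beta.c.
 * Expands "<dir>/<suffix>" into a buffer of bufsize bytes, removes the
 * fixture and returns expand_and_join()'s result (-2 if setup fails).
 */
int demo_in_tempdir(const char *suffix, size_t bufsize)
{
    char dir[] = "/tmp/globdemoXXXXXX";        /* constructed, created by mkdtemp() */
    const char *names[] = { "alpha.c", "beta.c" };
    char path[256], pattern[512], buf[1024];
    int n;

    if (bufsize > sizeof buf || mkdtemp(dir) == NULL)
        return -2;
    for (size_t i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        int fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd >= 0)
            close(fd);
    }

    snprintf(pattern, sizeof pattern, "%s/%s", dir, suffix);
    n = expand_and_join(pattern, buf, bufsize);
    printf("%-4s bufsize=%4zu -> %d %s\n", suffix, bufsize, n, n > 0 ? buf : "");

    for (size_t i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return n;
}

int main(void)
{
    demo_in_tempdir("*.c", 256);   /* 2: both paths fit */
    demo_in_tempdir("*.c", 16);    /* -1: expansion too long, buffer left empty */
    demo_in_tempdir("*.h", 256);   /* 0: no match, nothing allocated, nothing freed */
    return 0;
}
```

The rejection path matters as much as the success path: a server that silently truncates the expansion still hands the rest of its code a response that does not describe what was actually matched, so returning an error to the client is the safer choice.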


Bracket processing flaw in glibc glob

12/21/01
CVE 2001-0886
The vulnerabilities described above are due to flaws in particular implementations of globbing in FTP servers. In some cases, however, it is the glob function itself that is vulnerable. The glibc system library shipped with Linux systems contains a vulnerability in its glob function: passing it an input string ending in an opening curly bracket ({) could cause the program to read beyond its allocated memory. In most cases this vulnerability is not exploitable, but in some implementations, such as the Linux port of the OpenBSD FTP server, an attacker could be able to execute arbitrary code.

Resolution

For wu-ftpd, upgrade to wu-ftpd 2.6.2 or higher. This version fixes the problem described above, and also contains a fix for a format string vulnerability exposed when configured to use RFC 931 authentication and debug mode. (CVE 2001-0187)

For Linux servers other than wu-ftpd, install the latest version of the glibc package from your vendor. Although only the OpenBSD ftpd Linux port is known to be exploitable, it would be a good idea to upgrade glibc on all Linux systems, since there could be exploits discovered for other applications which depend on the glob function.

For other FTP servers, apply a patch or upgrade the FTP server. See CERT Advisory 2001-07 for instructions specific to your operating system. See CIAC Bulletin L-129 if your operating system is Solaris, CIAC Bulletin L-118 if your operating system is HP-UX, CIAC Bulletin L-135 if your operating system is IRIX, or Caldera Security Advisory 2001-SCO.27 if your operating system is UnixWare. If you are using glftpd, upgrade to version 1.24.

Alternatively, disable the anonymous FTP account, or if that cannot be done, then:

  1. ensure that there are no directories on the FTP server which are writable by the anonymous FTP account, and
  2. ensure that there are no directories whose names are longer than eight characters.

Note that this workaround only prevents the vulnerability from being exploited from the anonymous account. Exploitation would still be possible from a regular user account, resulting in privilege elevation.

Where can I read more about this?

For more information about the wu-ftpd vulnerability, see CERT Advisory 2001-33.

For more information about the glibc vulnerability, see Global InterSec advisory 2001121001 and CIAC Bulletin M-029.

For more information about the buffer overflow vulnerability, see CERT Advisory 2001-07 and the COVERT Labs Security Advisory.

The problem in glftpd is a variation of the originally reported problem. See the posting to Bugtraq if you are using glftpd.