    ls *.c
would list all files in the current directory which end with .c. For example, in a directory which had the files main.c, start.c, and stop.c, it would be equivalent to:
    ls main.c start.c stop.c
Similarly, the tilde character refers to the home directory of the user immediately following the tilde. That is, if joe's home directory is /home/joe, then
    ls ~joe
would be interpreted as
    ls /home/joe
Many FTP servers implement filename globbing using the same rule sets as Unix shells. This could allow multiple files to be stored or retrieved from the FTP server using a single command.
In many implementations, the length of the string returned by filename globbing routines is not checked before copying the string into a fixed-length buffer. An attacker could send the FTP server a specially-crafted command with a file name including special characters, which is then expanded by the globbing routine. The result is a very large string which overwrites the stack pointer, allowing the execution of arbitrary commands. In order to exploit this vulnerability, the attacker would in most cases need access to a writable directory on the server. However, on OpenBSD or NetBSD, the attacker would not need access to a writable directory as long as there is already a directory whose name is 12 characters long. On FreeBSD, the attacker would not need access to a writable directory if there is already a directory whose name is 9 characters long.
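To illustrate the unchecked-length problem described above, here is an added example written for this page (not code from any of the affected servers): the hardened join computes the length of the glob(3) expansion before copying it into a fixed-length buffer and refuses it if it would not fit, next to the unchecked copy the advisory describes. The buffer size and function names are assumptions.

```c
#include <glob.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed-length buffer an FTP server might hand its glob
 * expansion back in (constructed value, kept small to show the check). */
#define GLOB_BUF 64

/* The pattern the advisory describes: the joined expansion is copied into a
 * fixed buffer with no length check, so a long expansion overruns it.
 * Shown for contrast; only ever called here with input that fits. */
void join_unchecked(char **names, size_t count, char *buf)
{
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        if (i) strcat(buf, " ");
        strcat(buf, names[i]);          /* no bounds check at all */
    }
}

/* Hardened form: measure first, then copy. Returns the joined length, or
 * -1 if the expansion (plus separators and NUL) would not fit in bufsz. */
int join_checked(char **names, size_t count, char *buf, size_t bufsz)
{
    size_t need = 1;                    /* room for the terminating NUL */
    for (size_t i = 0; i < count; i++)
        need += strlen(names[i]) + (i ? 1 : 0);
    if (need > bufsz)
        return -1;                      /* reject instead of overflowing */
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        if (i) strcat(buf, " ");
        strcat(buf, names[i]);
    }
    return (int)(need - 1);
}

int main(int argc, char **argv)
{
    glob_t g;
    char buf[GLOB_BUF];
    const char *pattern = argc > 1 ? argv[1] : "*.c";
    if (glob(pattern, 0, NULL, &g) != 0) {
        printf("no match for %s\n", pattern);
        return 1;
    }
    if (join_checked(g.gl_pathv, g.gl_pathc, buf, sizeof buf) < 0)
        printf("expansion of %s exceeds %d bytes; rejected\n", pattern, GLOB_BUF);
    else
        printf("%s -> %s\n", pattern, buf);
    globfree(&g);
    return 0;
}
```

Run it in a directory with many .c files and the checked version reports a rejection where the unchecked copy would have written past the end of buf.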
The following operating systems and FTP servers are known to be affected by this vulnerability. Earlier versions are likely to be affected as well.
11/30/01
CVE 2001-0550
CAN 2001-0935
Although the Washington University FTP server (wu-ftpd) is not affected by the vulnerability described above, there is a different vulnerability in wu-ftpd's globbing routine. In some cases, the globbing routine does not return the proper value to indicate an error condition, causing wu-ftpd to attempt to free an area of memory which was never allocated. This condition could be exploited to execute arbitrary code if the attacker is first able to place the code at a certain memory address. This vulnerability affects wu-ftpd 2.6.1 and earlier, and can be exploited either by a user with an account on the server, or by an anonymous user if anonymous FTP is enabled.
12/21/01
CVE 2001-0886
The vulnerabilities described above are due to flaws in particular implementations of globbing features in FTP servers. However, in some cases, it is the glob function itself which is vulnerable. The glibc system library, which comes with Linux systems, contains a vulnerability in the glob function. Passing the function an input string ending with an open curly bracket ({) could cause the program to read beyond its assigned memory space. In most cases, this vulnerability is not exploitable. However, in some implementations, such as the Linux port of the OpenBSD FTP server, it could be possible for an attacker to execute arbitrary code.
For Linux servers other than wu-ftpd, install the latest version of the glibc package from your vendor. Although only the OpenBSD ftpd Linux port is known to be exploitable, it would be a good idea to upgrade glibc on all Linux systems, since there could be exploits discovered for other applications which depend on the glob function.
For other FTP servers, apply a patch or upgrade the FTP server. See CERT Advisory 2001-07 for instructions specific to your operating system. See CIAC Bulletin L-129 if your operating system is Solaris, CIAC Bulletin L-118 if your operating system is HP-UX, CIAC Bulletin L-135 if your operating system is IRIX, or Caldera Security Advisory 2001-SCO.27 if your operating system is UnixWare. If you are using glftpd, upgrade to version 1.24.
Alternatively, disable the anonymous FTP account, or if that cannot be done, then:
For more information about the glibc vulnerability, see Global InterSec advisory 2001121001 and CIAC Bulletin M-029.
For more information about the buffer overflow vulnerability, see CERT Advisory 2001-07 and the COVERT Labs Security Advisory.
The problem in glftpd is a variation of the originally reported problem. See the posting to Bugtraq if you are using glftpd.