FreeBSD Security Advisories
2001-Apr-17 12:09 UTC
FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob
-----BEGIN PGP SIGNED MESSAGE----- ============================================================================FreeBSD-SA-01:33 Security Advisory FreeBSD, Inc. Topic: globbing vulnerability in ftpd Category: core Module: ftpd/libc Announced: 2001-04-17 Credits: John McDonald and Anthony Osborne, COVERT Labs Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases), FreeBSD 3.5-STABLE and 4.3-RC prior to the correction date. Corrected: 2001-04-17 (FreeBSD 4.3-RC) 2001-04-17 (FreeBSD 3.5-STABLE) Vendor status: Corrected FreeBSD only: NO I. Background Numerous FTP daemons, including the daemon distributed with FreeBSD, use server-side globbing to expand pathnames via user input. This globbing is performed by FreeBSD's glob() implementation in libc. II. Problem Description The glob() function contains potential buffer overflows that may be exploitable through the FTP daemon. If a directory with a name of a certain length is present, a remote user specifying a pathname using globbing characters may cause arbitrary code to be executed on the FTP server as user running ftpd, usually root. Additionally, when given a path containing numerous globbing characters, the glob() functions may consume significant system resources when expanding the path. This can be controlled by setting user limits via /etc/login.conf and setting limits on globbing expansion. All versions of FreeBSD prior to the correction date, including FreeBSD 3.5.1 and 4.2 contain this problem. The base system that will ship with FreeBSD 4.3 does not contain this problem since it was corrected before the release. III. Impact Remote users may be able to execute arbitrary code on the FTP server as the user running ftpd, usually root. The FTP daemon supplied with FreeBSD is enabled by default to allow access to authorized local users and not anonymous users, thus limiting the impact to authorized local users. IV. Workaround If the FTP daemon is executed from inetd, disable the FTP daemon by commenting out the ftp line in /etc/inetd.conf, then reload the inetd configuration by executing the following command as root: # killall -HUP inetd V. Solution One of the following: 1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction date. 2) Download the patch and detached PGP signature from the following location: The following patch applies to FreeBSD 4.x: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc The following patch applies to FreeBSD 3.x: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc Verify the detached signature using your PGP utility. Issue the following commands as root: # cd /usr/src # patch -p < /path/to/patch # cd /usr/src/lib/libc # make all install # cd /usr/src/libexec/ftpd # make all install If the FTP daemon is running standalone, it will have to be manually stopped and restarted. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOtyT/VUuHi5z0oilAQGiIAP8CJ6Hsp52DuBQhQnA4xBl23kTCtCUKdPf zRP5yg5B9w+j+6Q6+k2P1B9lv5JcdvmS8+fzfrWUpUAogqkbL5f0njS7fnA68a5H oiGJgWqLQiMQiszeOOpgqvd1fNRCcCX+SgYewIfP93Cvam+GG+TvZQziV2zcne3O tjBG/FVzXkg=P1j0 -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message
Reasonably Related Threads
- [Bug 2463] New: Conflict with openbsd compat glob() function in shared libraries
- [Bug 1634] New: [PATCH] openbsd-compat/glob.h conflicts with system glob.h
- pure-ftpd-1.0.22
- Another oddity - users get no ftp (no ftpd) on latest update from CentOS 5.0
- Strange FTPD behavior