Subject: Re: "Globbing Vulnerabilities in Multiple FTP Daemons"
To: Emre Yildirim <emre.yildirim@us.army.mil>
From: Nick <nick@glimmer.demon.co.uk>
List: netbsd-users
Date: 04/11/2001 02:46:47
On Mon, 9 Apr 2001 17:47:54 -0500, Emre Yildirim wrote:

> http://www.pgp.com/research/covert/advisories/048.asp
>
> What the hell are they talking about?  Wasn't something like this
> posted on bugtraq/vuln-dev a few weeks ago, and confirmed that
> NetBSD's ftpd is not vulnerable?

Uh, I think there are two related but different vulnerabilities in the FTP
daemon code - the CERT advisory for this at
http://www.cert.org/advisories/CA-2001-07.html says:

"A variety of FTP servers incorrectly manage buffers in a way that can lead
to remote intruders executing arbitrary code on the FTP server. The
incorrect management of buffers is centered around the return from the
glob() function, and may be confused with a related denial-of-service
problem.
[...]
The COVERT Labs at PGP Security have discovered a means to use the expansion
done by the glob function to overflow various buffers in FTP servers,
allowing an intruder to execute arbitrary code"

IIRC, the item mentioned a few weeks ago was the DoS problem due to the
globbing function chewing up a lot of CPU in trying to expand a maliciously
constructed wildcard string - and NetBSD's FTPD wasn't thought to be
vulnerable.

It now seems the problem is worse than was first thought.

I'm no kind of authority here - just an interested user.

The CERT advisory also says:

"NetBSD:   Please be aware that as of March 29, 2001, NetBSD has a fix for
both the glob resource consumption (via an application controlled GLOB_LIMIT
flag) and the buffer overflow (always enforced). These fixes should work on
any 4.4BSD derived glob(3)."

I guess a NetBSD advisory is pending.

Nick
Bristol, UK

--
If you ate pasta and antipasta, would you still be hungry?
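An added example, not from Nick's mail or from any ftpd, of the defensive pattern the quoted CERT text points at: cap how many results a glob() expansion may produce, and bound every copy of a result into the fixed reply buffer instead of trusting the return from glob(). REPLY_MAX, MATCH_LIMIT and the fixture files are constructed values; GLOB_LIMIT is requested only where the platform's glob.h defines it (4.4BSD-derived libcs), and the caller-side cap applies everywhere.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REPLY_MAX   64  /* small fixed reply buffer standing in for an ftpd's (assumed) */
#define MATCH_LIMIT 8   /* caller-side cap on expansion results (assumed value) */

/* Expand pattern and join the matches, space separated, into reply[REPLY_MAX],
 * never writing past REPLY_MAX. Returns matches copied, 0 for no match, or -1
 * when refused (too many results, or one that would not fit). Refusing is the
 * defended path; an unchecked strcpy/strcat of gl_pathv[] is the bug class. */
int expand_bounded(const char *pattern, char reply[REPLY_MAX]) {
    glob_t g;
    int flags = 0;
#ifdef GLOB_LIMIT
    flags |= GLOB_LIMIT;   /* 4.4BSD glob(3): fail with GLOB_NOSPACE past its limit */
#endif
    memset(&g, 0, sizeof g); reply[0] = '\0';
    int rc = glob(pattern, flags, NULL, &g);
    if (rc == GLOB_NOMATCH) { globfree(&g); return 0; }
    if (rc != 0 || g.gl_pathc > MATCH_LIMIT) { globfree(&g); return -1; }
    size_t used = 0;
    for (size_t i = 0; i < g.gl_pathc; i++) {
        size_t n = strlen(g.gl_pathv[i]), sep = used ? 1 : 0;
        if (used + sep + n + 1 > REPLY_MAX) {       /* +1 for the terminating NUL */
            reply[0] = '\0'; globfree(&g); return -1;
        }
        if (sep) reply[used++] = ' ';
        memcpy(reply + used, g.gl_pathv[i], n);
        used += n; reply[used] = '\0';
    }
    int count = (int)g.gl_pathc;
    globfree(&g);
    return count;
}

/* Constructed fixture: a fresh temp dir (entered with chdir) holding a1..a3, m0..m9
 * and one 70-char name: "a*" fits, "m*" exceeds MATCH_LIMIT, "x*" exceeds REPLY_MAX. */
int make_fixture(void) {
    char dir[] = "/tmp/globfixXXXXXX", name[72];
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    for (int i = 0; i < 10; i++) { snprintf(name, sizeof name, "m%d", i); close(open(name, O_CREAT | O_WRONLY, 0600)); }
    for (int i = 1; i <= 3; i++) { snprintf(name, sizeof name, "a%d", i); close(open(name, O_CREAT | O_WRONLY, 0600)); }
    memset(name, 'x', 70); name[70] = '\0';
    int fd = open(name, O_CREAT | O_WRONLY, 0600); if (fd < 0) return -1;
    close(fd); return 0;
}
```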