Subject: Re: "Globbing Vulnerabilities in Multiple FTP Daemons"
To: Emre Yildirim <emre.yildirim@us.army.mil>
From: Nick <nick@glimmer.demon.co.uk>
List: netbsd-users
Date: 04/11/2001 02:46:47
On Mon, 9 Apr 2001 17:47:54 -0500, Emre Yildirim wrote:
> http://www.pgp.com/research/covert/advisories/048.asp
>=20
> What the hell are they talking about? Wasn't something like this=20
> posted on bugtraq/vuln-dev a few weeks ago, and confirmed that=20
> NetBSD's ftpd is not vulnerable?
Uh, I think there are two related but different vulnerabilities in the =
FTP
daemon code - the CERT advisory for this at
http://www.cert.org/advisories/CA-2001-07.html says :
"A variety of FTP servers incorrectly manage buffers in a way that can =
lead
to remote intruders executing arbitrary code on the FTP server. The
incorrect management of buffers is centered around the return from the
glob() function, and may be confused with a related denial-of-service
problem.
[...]
The COVERT Labs at PGP Security have discovered a means to use the =
expansion
done by the glob function to overflow various buffers in FTP servers,
allowing an intruder to execute arbitrary code"
IIRC, the item mentioned a few weeks ago was the DoS problem due to the
globbing function chewing up a lot of CPU in trying to expand a =
maliciously
constructed wildcard string - and NetBSD's FTPD wasn't thought to be
vulnerable.
It now seems the problem is worse than was first thought.
I'm no kind of authority here - just an interested user.
The CERT advisory also says :
"NetBSD: Please be aware that as of March 29, 2001, NetBSD has a fix =
for
both the glob resource consumption (via an application controlled =
GLOB_LIMIT
flag) and the buffer overflow (always enforced). These fixes should work =
on
any 4.4BSD derived glob(3)."
I guess a NetBSD advisory is pending.
Nick
Bristol, UK
--
If you ate pasta and antipasta, would you still be hungry?