COVERT Labs at PGP Security, a division of Network Associates Inc., Tuesday uncovered "high-risk" flaws in the "globbing" code of a variety of FTP servers. The flaws are buffer overflows, which can allow remote intruders to execute arbitrary code on the FTP servers.
Globbing is a process — common in UNIX shells — used to expand short-hand notation into complete file names. For instance, *.c is short-hand for all files ending in .c. Globbing can also be used to expand certain characters into system specific paths. For instance, the tilde character (~) designates expansion into the path of the home directory of the user specified to the right of the tilde; i.e. ~foo expands to the home directory for the user foo on the current system.
Most FTP daemon implementations provide server-side globbing functionality to perform pattern expansion on pathnames. For instance, the command mget *.c retrieves all files ending in .c, and get ~foo/file.name would get the file named file.name in foo's home directory. The glob() implementation is often built into the FTP daemon itself, though some servers use the underlying libc implementation.
With a few exceptions, if a remote user is able to create directories on the server hosting the FTP daemon (in a writable anonymous upload directory, for example), it is possible to trigger buffer overflows that allow local and remote users to gain root privileges on the server.
The vulnerabilities come in two flavors: glob() expansion vulnerabilities and glob() implementation vulnerabilities.
The expansion vulnerabilities are the result of the FTP daemon assuming that the length of user input is bounded by the number of characters it reads from the socket, typically 512. Most FTP daemons, however, have a parser rule for pathnames beginning with a tilde, which replaces the tilde component with the referenced home directory. Because that replacement is performed by running the whole string through glob(), the daemon also expands any other wildcard characters in it, so the resulting string can be far longer than the 512 characters read from the socket, and any later string operation that still assumes the original bound becomes exploitable.
For example, when an FTP daemon receives a request involving a file name with a tilde as its first character, it typically runs the entire filename through the globbing code in order to resolve the specified home directory into a full path. But this also expands other metacharacters in the pathname string, which can pass very large strings into the main command-processing routines. Depending on how those routines manipulate the input, this can cause exploitable buffer overflow conditions.
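The length amplification described above, as an added example that is not code from any of the affected daemons: a toy expander over a constructed /pub tree (the ~ftp mapping, the 64 eight-character directory names under /pub/incoming and the 512-byte command length are all assumptions), with the unchecked copy the affected daemons effectively performed shown next to a handler that measures the expansion before trusting it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define CMDLEN 512                 /* bytes a daemon reads per command line */
#define NDIRS  64                  /* directories created in the upload area */

/* Constructed tree (an assumption, not a real server): ~ftp resolves to /pub,
 * and /pub/incoming holds NDIRS directories named dir00000..dir00063 that an
 * anonymous user created.  Each name is 8 characters long. */
static const char *FTP_HOME = "/pub";
static const char *INCOMING = "/pub/incoming";

/* Expand one pathname the way a daemon's tilde rule does: substitute the home
 * directory for ~ftp, then run the result through glob-style matching of the
 * final component, joining matches with spaces.  Returns the length the full
 * expansion needs (excluding the NUL), like snprintf, and writes at most
 * outsz-1 bytes to out, so a caller can detect that it would not fit. */
size_t expand_pattern(const char *pattern, char *out, size_t outsz)
{
    char path[4 * CMDLEN];
    if (strncmp(pattern, "~ftp", 4) == 0 && (pattern[4] == '/' || pattern[4] == '\0'))
        snprintf(path, sizeof path, "%s%s", FTP_HOME, pattern + 4);
    else
        snprintf(path, sizeof path, "%s", pattern);

    /* split into directory part and final component */
    char *slash = strrchr(path, '/');
    const char *dir = path, *comp = path;
    if (slash) { *slash = '\0'; comp = slash + 1; }

    size_t need = 0, pos = 0;
    if (outsz) out[0] = '\0';
    if (slash && strpbrk(comp, "*?[") && strcmp(dir, INCOMING) == 0) {
        for (int i = 0; i < NDIRS; i++) {
            char name[9];
            snprintf(name, sizeof name, "dir%05d", i);
            if (fnmatch(comp, name, 0) != 0)
                continue;
            const char *sep = need ? " " : "";
            int n = snprintf(NULL, 0, "%s%s/%s", sep, dir, name);
            if (outsz && pos < outsz - 1)
                pos += (size_t)snprintf(out + pos, outsz - pos, "%s%s/%s", sep, dir, name);
            need += (size_t)n;
        }
    }
    if (need == 0) {
        /* no metacharacters or no match: hand back the literal path, as GLOB_NOCHECK would */
        if (slash) *slash = '/';
        need = strlen(path);
        snprintf(out, outsz, "%s", path);
    }
    return need;
}

/* What the affected daemons effectively did: the command line is bounded by
 * CMDLEN, so the expansion is assumed to fit another CMDLEN-byte stack buffer
 * and is copied without a check.  Deliberately vulnerable and never called
 * here: with the tree above, "~ftp/incoming/*" overruns arg by about 1 KB. */
void vulnerable_handler(const char *line)
{
    char expanded[8192];
    char arg[CMDLEN];
    expand_pattern(line, expanded, sizeof expanded);
    strcpy(arg, expanded);             /* stack overflow once the expansion exceeds 512 bytes */
    (void)arg;
}

/* Hardened form: measure the expansion before trusting it and reject anything
 * that would not fit the buffer it is destined for.  Returns 1 if the command
 * is accepted, 0 if rejected; *need receives the expanded length. */
int safe_handler(const char *line, size_t *need)
{
    char arg[CMDLEN];
    size_t n = expand_pattern(line, arg, sizeof arg);
    if (need) *need = n;
    if (n >= sizeof arg)
        return 0;                      /* a real daemon would answer 550 and drop the request */
    return 1;
}

int main(void)
{
    const char *line = "~ftp/incoming/*";       /* 15 bytes on the wire */
    size_t need = 0;
    int ok = safe_handler(line, &need);
    printf("%zu-byte request expands to %zu bytes: %s\n",
           strlen(line), need, ok ? "accepted" : "rejected");
    return 0;
}
```

The 15-byte request expands to 1,471 bytes (64 matches of 22 characters plus 63 separators), so the daemon's 512-byte assumption is off by nearly a factor of three even though the attacker never sent a long line; the only thing that makes the hardened handler safe is that it asks for the required length before anything is copied.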
Certain glob() implementations also contain buffer overflows in their internal utility functions. These are typically triggered by requesting a pattern that expands to a very large pathname, or by submitting a pattern crafted so that the FTP daemon runs it through glob() twice.
According to COVERT Labs, implementations based on the C shell (csh) globbing code contain a buffer overflow that can be triggered by supplying a pattern string in which a set of braces { } is followed by a string longer than the stack-based buffer reserved in execbrc(). COVERT Labs said this could be exploited through a code path in the FTP daemon that feeds the expanded output of one globbed pathname into a second call to glob().
Also, BSD implementations of glob() contain four exploitable buffer overflows, according to COVERT Labs. The first occurs in the static utility function g_opendir(), which copies the provided pathname onto the stack. This is performed using the function g_Ctoc(), which converts a 16-bit character string to an 8-bit character string. Similar overflows were found in g_lstat() and g_stat(). A fourth overflow, affecting the stack-based buffer reserved in glob0(), is the result of the behavior of the mutually recursive functions glob2() and glob3(), according to COVERT Labs.
To date, according to a security advisory published Tuesday by the Computer Emergency Response Team (CERT) Coordination Center, vulnerable FTP servers include versions of FreeBSD, Fujitsu's UXP/V, and NetBSD. COVERT Labs said it has confirmed vulnerabilities in FreeBSD 4.2, OpenBSD 2.8, NetBSD 1.5, IRIX 6.5.x, HP-UX 11, and Solaris 8.
CERT said FreeBSD has corrected the bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and the bugs will not be present in FreeBSD 4.3-RELEASE. Fujitsu told CERT that patches were being prepared, while NetBSD had a fix ready as of March 29.
Compaq Computer told CERT that initial tests indicated its FTP service was not vulnerable, but the company said it would provide notice of any necessary patches through its AES services. IBM Corp. said it had not found the vulnerabilities in AIX's glob() implementation, while SGI said only that it is currently investigating.
COVERT Labs recommended that, until patches become available, the vulnerabilities can be mitigated by ensuring that no directory in the anonymous FTP tree is writable by the anonymous FTP user. It also noted that BSD and IRIX users should make sure that no directory in the anonymous FTP tree has a name longer than eight characters.
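A check for that workaround, as an added example rather than anything COVERT Labs or CERT published: it walks an anonymous FTP root and reports directories that are world-writable (taken here as the proxy for "writable by the anonymous FTP user", which is an assumption about how the anonymous account is mapped on a given server) and directory names longer than eight characters.

```sh
#!/bin/sh
# Audit an anonymous FTP tree for the two conditions in the workaround:
# directories the anonymous user can create entries in, and directory names
# longer than eight characters.  "Writable by the anonymous user" is taken to
# mean world-writable, an assumption about how the anonymous account is
# mapped; adjust the -perm test if the ftp account owns the tree or shares a
# group with it.  Prints one finding per line and returns 1 if anything was
# found, 0 if the tree is clean.
ftp_tree_audit() {
    root=$1
    # directories anyone, including an anonymous session, can mkdir in
    writable=$(find "$root" -type d -perm -0002 -print | sed 's/^/WRITABLE: /')
    # basenames of nine or more characters, excluding the root itself
    longname=$(find "$root" -type d ! -path "$root" -name '?????????*' -print | sed 's/^/LONGNAME: /')
    [ -n "$writable" ] && printf '%s\n' "$writable"
    [ -n "$longname" ] && printf '%s\n' "$longname"
    [ -z "$writable" ] && [ -z "$longname" ]
}

# stand-alone use: sh ftp_tree_audit.sh /var/ftp
if [ $# -ge 1 ]; then
    ftp_tree_audit "$1"
fi
```

Run it against the real anonymous root (commonly /var/ftp or ~ftp) as the user the daemon runs as; a clean exit status makes it usable from cron or a configuration check, and each finding names the exact directory to chmod or rename.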