Date: Mon, 9 Apr 2001 19:10:39 -0700
From: COVERT Labs <[email protected]>
To: [email protected]
Subject: [COVERT-2001-02] Globbing Vulnerabilities in Multiple FTP Daemons
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________
Network Associates, Inc.
COVERT Labs Security Advisory
April 9, 2001
Globbing Vulnerabilities in Multiple FTP Daemons
COVERT-2001-02
______________________________________________________________________
o Synopsis
Multiple FTP server implementations contain buffer overflows that
allow local and remote attackers to gain root privileges on affected
servers. These vulnerabilities are contingent upon the remote user
having the ability to create directories on the server hosting the
FTP daemon, with the exception of a few cases noted below. The
vulnerabilities presented are all related to the use of the glob()
function, and can be divided into the following two categories:
- glob() expansion vulnerabilities
User input that has been expanded by glob() can exceed expected
lengths and trigger otherwise benign buffer mismanagement problems
present in certain FTP daemons.
- glob() implementation vulnerabilities
Certain implementations of the glob() function contain buffer
overflows. These vulnerabilities are exploitable through FTP daemons
that utilize these problematic implementations.
CVE Candidate numbers for these issues have been assigned and are
listed in the Vulnerable Systems section.
RISK FACTOR: HIGH
______________________________________________________________________
o Vulnerable Systems
The following operating systems have been confirmed to contain
vulnerable FTP daemons:
FreeBSD 4.2      CAN-2001-0247
OpenBSD 2.8
NetBSD 1.5
IRIX 6.5.x
HPUX 11          CAN-2001-0248
Solaris 8        CAN-2001-0249
______________________________________________________________________
o Vulnerability Overview
glob() implements filename pattern matching, following rules similar
to those used by Unix shells. It is a pathname generator, which
accepts an input pattern representing a set of filenames and returns
a list of accessible pathnames matching that pattern. The input
pattern is specified by using special metacharacters, taken from
the following: *?[]{}~' . For example, a pattern of '/e*' would
match all directories and files in the root of the file system that
begin with the character 'e'.
The File Transfer Protocol (FTP), as defined in RFC 959, describes
numerous commands with pathname arguments that specify files or
directories. Though it is not required by the specification, most FTP
daemon implementations provide server-side globbing functionality
that performs pattern expansion on these pathnames. The actual
glob() implementation is often located in the FTP daemon itself,
though some FTP servers use an underlying libc implementation.
The ability of a remote or local user to deliver input patterns to
glob() implementations allows for two general types of security
exposures.
- glob() expansion vulnerabilities
A number of vulnerabilities result from an FTP daemon assuming that
the length of the user input is limited to the number of characters
that are read in from the socket. This is typically 512 characters.
This assumption is problematic because most FTP daemons contain a
parser rule for processing pathnames beginning with a tilde. The
intended effect of this rule is to replace the tilde directory
component with the referenced home directory. However, since this
is performed by running the string through the glob() function, the
FTP daemon will also expand any other wildcard characters present.
This allows for user input that can exceed the number of characters
read in from the socket, which can make otherwise benign unbounded
string operations exploitable.
- glob() implementation vulnerabilities
Certain glob() implementations contain buffer overflows in their
internal utility functions. These overflows are typically triggered
by requesting a pattern that expands to a very large pathname, or
by submitting a pattern that the user intends to have the FTP daemon
run through glob() twice.
______________________________________________________________________
o Detailed Information
- glob() expansion vulnerabilities
As mentioned above, when an FTP daemon receives a request involving a
file that has a tilde as its first character, it typically runs the
entire filename string through globbing code in order to resolve the
specified home directory into a full path. This has the side effect
of expanding other metacharacters in the pathname string, which can
lead to very large input strings being passed into the main command
processing routines. This can lead to exploitable buffer overflow
conditions, depending upon how these routines manipulate their input.
In Solaris, an exploitable heap overflow of this nature is triggered
by using the LIST command. This vulnerability occurs when the
FTP daemon attempts to construct a string using unbounded string
operations in order to execute the /bin/ls program.
HPUX contains a stack based overflow of this nature that can be
triggered by the use of the STAT command.
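The expansion problem described in the Overview and in the two paragraphs
above comes down to one wrong size assumption: the buffer that receives
glob()'s output is sized for the socket line, not for the expansion. The
following C program is an added illustration, not code from this advisory
or from any of the affected daemons. The command prefix, the 512-byte line
size, the 27-character entry names and the function names are all
assumptions chosen for the demonstration; the expanded list is constructed
in memory rather than produced by a real glob() call.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bytes read per command line from the control socket (assumed 512, the
 * typical figure given in the advisory). */
#define CMD_LINE_MAX 512

/* The defect pattern described for the LIST path: a buffer sized for the
 * socket line, filled with unbounded strcat() of glob()'s output.  The
 * expansion is bounded by the file system, not by the 512-byte read, so
 * `line` can be overrun.  Shown for contrast only; the checks below never
 * call it with a large expansion. */
static void build_ls_cmd_unbounded(char *line, const char *const *paths, size_t n)
{
    strcpy(line, "/bin/ls -lgA");
    for (size_t i = 0; i < n; i++) {
        strcat(line, " ");
        strcat(line, paths[i]);          /* never compared against sizeof line */
    }
}

/* Hardened form: every append is measured against the destination size and
 * an oversize expansion is rejected instead of copied.
 * Returns the command length, or -1 if the expansion does not fit. */
static long build_ls_cmd_bounded(char *line, size_t linesz,
                                 const char *const *paths, size_t n)
{
    const char *prefix = "/bin/ls -lgA";
    size_t used = strlen(prefix);

    if (used + 1 > linesz)
        return -1;
    memcpy(line, prefix, used + 1);
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(paths[i]);
        /* need one byte for the separating space and one for the NUL */
        if (len + 1 > linesz - used - 1)
            return -1;
        line[used++] = ' ';
        memcpy(line + used, paths[i], len);
        used += len;
        line[used] = '\0';
    }
    return (long)used;
}

/* Constructed stand-in for a glob() result: `n` 27-character pathnames of
 * the kind a pattern such as "~ftp/incoming/*" could yield from a directory
 * an anonymous user was able to fill. */
#define POOL_MAX 128
static char pool[POOL_MAX][32];
static const char *pool_ptrs[POOL_MAX];

static const char *const *constructed_expansion(size_t n)
{
    if (n > POOL_MAX) n = POOL_MAX;
    for (size_t i = 0; i < n; i++) {
        snprintf(pool[i], sizeof pool[i], "incoming/entry_%03zu_aaaaaaaa", i);
        pool_ptrs[i] = pool[i];
    }
    return pool_ptrs;
}

/* Runs the bounded builder over an n-entry constructed expansion into a
 * socket-sized buffer and returns its result (length, or -1 if rejected). */
long bounded_build_for(size_t n)
{
    char line[CMD_LINE_MAX];
    if (n > POOL_MAX) n = POOL_MAX;
    return build_ls_cmd_bounded(line, sizeof line, constructed_expansion(n), n);
}

int main(void)
{
    char small[CMD_LINE_MAX];
    /* tiny input only: 2 entries fit the buffer with room to spare */
    build_ls_cmd_unbounded(small, constructed_expansion(2), 2);
    printf("unbounded, 2 entries: %s\n", small);
    printf("bounded, 5 entries:   %ld\n", bounded_build_for(5));   /* 152 */
    printf("bounded, 64 entries:  %ld\n", bounded_build_for(64));  /* -1 */
    return 0;
}
```

Five entries produce a 152-byte command and are accepted; sixty-four
entries would need over 1800 bytes from a pattern that itself fit easily
in one socket line, and the bounded builder refuses them. The point for a
reviewer is that the check belongs on the destination buffer after
expansion, not on the bytes read from the socket before it.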
- glob() implementation vulnerabilities
There are two implementations of glob() that are known to contain
buffer overflow vulnerabilities.
Implementations based on the c-shell globbing code contain a
buffer overflow that can be triggered by supplying a pattern string
such that a set of brackets {} is followed by a string that is longer
than the length reserved for the stack based buffer defined in
execbrc(). This could be exploited by utilizing a code path in the
FTP daemon that fed the expanded output of one globbed pathname into
a second call to glob().
BSD implementations of glob() contain four exploitable buffer
overflows. The first buffer overflow occurs in the static utility
function g_opendir(), which copies the provided pathname onto the
stack. This is performed using the function g_Ctoc(), which converts a
16-bit character string to an 8-bit character string, but otherwise
works like strcpy. Similar overflows occur in g_lstat(), and
g_stat(). A fourth overflow, one that affects the stack based buffer
reserved in glob0, is the result of the behavior of the mutually
recursive functions glob2() and glob3().
Note that these vulnerabilities do not require the last component
of the provided directory to be a valid file, thus allowing
exploitation even without the ability to create directories and
files. Testing has shown that it would be possible to exploit
OpenBSD and NetBSD without a writable directory being present if a
directory name with a length of 12 characters is available. FreeBSD
can be exploited without a writable directory being present if a
directory name of length 9 is available.
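The g_Ctoc() problem above is an implementation-level variant of the same
mistake: a conversion routine that behaves like strcpy() into a
fixed-size stack buffer with no way to learn the buffer's size. The
program below is an added example, not the BSD glob.c source; it uses a
16-bit Char type and a deliberately small 64-byte path buffer as stand-ins
(the real code uses its own Char typedef and MAXPATHLEN), and the function
and helper names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BSD glob() works internally on 16-bit characters and converts back to
 * 8-bit for stat()/opendir().  Constructed stand-ins for its types/sizes. */
typedef uint16_t Char;
#define PATH_BUF 64          /* deliberately small stand-in for MAXPATHLEN */

/* Unchecked conversion of the kind the advisory describes: the caller's
 * buffer size is never consulted, so a long pathname runs past the end of
 * the stack buffer.  Shown for contrast; only called with a short string. */
static void g_Ctoc_unbounded(const Char *str, char *buf)
{
    while ((*buf++ = (char)*str++) != '\0')
        ;
}

/* Length-checked conversion: copies at most `len` bytes including the NUL.
 * Returns 0 on success, 1 if `str` does not fit (buf is then not a valid
 * C string and must be discarded by the caller). */
static int g_Ctoc_bounded(const Char *str, char *buf, size_t len)
{
    while (len--) {
        if ((*buf++ = (char)*str++) == '\0')
            return 0;
    }
    return 1;
}

/* Caller in the style of g_opendir()/g_lstat()/g_stat(): converts into a
 * stack buffer and refuses the operation when the pathname does not fit.
 * Returns the converted length, or -1 when rejected (a real caller would
 * fail the system call with ENAMETOOLONG). */
long g_path_to_c(const Char *str)
{
    char buf[PATH_BUF];
    if (g_Ctoc_bounded(str, buf, sizeof buf))
        return -1;
    return (long)strlen(buf);
}

/* Constructed 16-bit input: `n` copies of 'a' followed by a terminator. */
static Char wide_pool[256];
const Char *constructed_wide(size_t n)
{
    if (n > 255) n = 255;
    for (size_t i = 0; i < n; i++)
        wide_pool[i] = (Char)'a';
    wide_pool[n] = 0;
    return wide_pool;
}

int main(void)
{
    char small[PATH_BUF];
    g_Ctoc_unbounded(constructed_wide(8), small);   /* short input only */
    printf("unbounded, 8 chars: %s\n", small);
    printf("bounded, 63 chars: %ld\n", g_path_to_c(constructed_wide(63)));  /* 63 */
    printf("bounded, 64 chars: %ld\n", g_path_to_c(constructed_wide(64)));  /* -1 */
    return 0;
}
```

A 63-character name plus its terminator exactly fills the 64-byte buffer
and is accepted; a 64-character name is rejected before any byte lands
outside the buffer. Passing the destination size through to the
conversion routine is the whole fix: the caller already knows it, the
callee previously had no way to.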
______________________________________________________________________
o Resolution
This advisory will be updated as more information becomes available.
The most recent version is available from the PGP Security website
at:
http://www.pgp.com/research/covert/advisories/048.asp
The CERT/CC is coordinating the collection of information on
vulnerable distributions from third party vendors. For more
information, please read CERT Advisory CA-2001-07 available at:
http://www.cert.org/advisories/CA-2001-07.html
In lieu of a patch, these vulnerabilities may be addressed in a
general fashion by ensuring that no directories exist in the
anonymous FTP tree that are writable by the anonymous FTP user.
Furthermore, BSD and Irix users should take care to ensure that no
directory in the anonymous FTP tree has a name longer than 8
characters. It is important to note that these precautions will not
prevent local user privilege escalation through the FTP daemon.
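The interim workaround above is a file-system property an administrator
can check mechanically: no directory under the anonymous FTP tree may be
writable by the anonymous user, and (for BSD and IRIX) none may have a
name longer than 8 characters. The program below is an added audit tool,
not something shipped with this advisory or with any of the affected
systems. It assumes "writable by the anonymous user" can be approximated
by the world-write bit, walks the tree with opendir()/readdir(), and
includes a self-test that builds a throwaway tree under /tmp; the tree
layout and the function names are assumptions for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int n_writable, n_long;   /* counters filled by the last audit */

/* Recursively visits directories below `dir`, reporting each one that is
 * world-writable or whose name exceeds 8 characters. */
static void walk(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    if (!d)
        return;
    while ((e = readdir(d)) != NULL) {
        char path[1024];
        struct stat sb;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path)
            continue;                       /* path too long to audit safely */
        if (lstat(path, &sb) != 0 || !S_ISDIR(sb.st_mode))
            continue;                       /* symlinks are not followed */
        if (sb.st_mode & S_IWOTH) {
            n_writable++;
            printf("world-writable directory: %s\n", path);
        }
        if (strlen(e->d_name) > 8) {
            n_long++;
            printf("name longer than 8 chars: %s\n", path);
        }
        walk(path);
    }
    closedir(d);
}

/* Audits the tree rooted at `root`; returns the total number of findings.
 * The root itself is not judged, only what lies beneath it. */
int audit_ftp_tree(const char *root)
{
    n_writable = n_long = 0;
    walk(root);
    return n_writable + n_long;
}
int audit_writable_count(void)  { return n_writable; }
int audit_long_name_count(void) { return n_long; }

/* Self-test: builds a constructed tree with one drop box (mode 1777) and
 * one over-long name, audits it, removes it, and returns the findings. */
int audit_constructed_tree(void)
{
    char root[] = "/tmp/ftpaudit.XXXXXX";
    const char *subs[] = { "/pub", "/pub/drop", "/pub/verylongname" };
    char path[256];
    int findings;

    if (mkdtemp(root) == NULL)
        return -1;
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s%s", root, subs[i]);
        if (mkdir(path, 0755) != 0)
            return -1;
    }
    snprintf(path, sizeof path, "%s/pub/drop", root);
    chmod(path, 01777);                     /* the classic "incoming" setup */
    findings = audit_ftp_tree(root);
    for (int i = 2; i >= 0; i--) {          /* clean up, deepest first */
        snprintf(path, sizeof path, "%s%s", root, subs[i]);
        rmdir(path);
    }
    rmdir(root);
    return findings;
}

int main(int argc, char **argv)
{
    /* usage: ./ftpaudit /var/ftp   (path is an assumption for the example) */
    if (argc > 1)
        return audit_ftp_tree(argv[1]) ? 1 : 0;
    return audit_constructed_tree() ? 1 : 0;
}
```

Run against a real tree the program lists every offending directory and
exits non-zero if it found any, which makes it easy to drop into a cron
job or a post-install check. Ownership by the anonymous FTP account or
group-writability through a group that account belongs to would also
violate the workaround; extending the check to those cases means
comparing st_uid/st_gid against the daemon's credentials, which the
example leaves to the reader.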
______________________________________________________________________
o Credits
Discovery and documentation of these vulnerabilities was conducted
by John McDonald and Anthony Osborne of the COVERT Labs at PGP
Security.
______________________________________________________________________
o Contact Information
For more information about the COVERT Labs at PGP Security, visit our
website at http://www.pgp.com/covert or send e-mail to [email protected]
______________________________________________________________________
o Legal Notice
The information contained within this advisory is Copyright (C) 2001
Networks Associates Technology Inc. It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.
Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries. All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.
______________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBOtJcuNwDUegFyneEEQIKJQCgi1WKTSgOPxQRF/19QJQF3WPQVGEAnjjG
dBREJa5JxVbD2iB58biLZTwd
=EA8e
-----END PGP SIGNATURE-----