FTP Filename Globbing

Impact

Regular users or anonymous users could gain root access on the server if this vulnerability is exploitable.

Background

In Unix shells, certain characters such as the asterisk (*) and tilde (~) automatically cause lists of filenames to be generated based on pattern matches. This feature is known as globbing. For example, the command:

    ls *.c

would list all files in the current directory whose names end in .c. In a directory containing the files main.c, start.c, and stop.c, it would be equivalent to:

    ls main.c start.c stop.c

Similarly, the tilde character refers to the home directory of the user named immediately after it. That is, if joe's home directory is /home/joe, then

    ls ~joe

would be interpreted as

    ls /home/joe

Many FTP servers implement filename globbing using the same rules as Unix shells, which allows multiple files to be stored on or retrieved from the server with a single command.

The Problem

In many implementations, the length of the string returned by the filename globbing routine is not checked before it is copied into a fixed-length buffer. An attacker could send the FTP server a specially crafted command containing a file name with globbing characters, which the globbing routine then expands. The result is a very large string which overwrites the stack pointer, allowing the execution of arbitrary commands. In most cases the attacker would need access to a writable directory on the server to exploit this vulnerability. On OpenBSD or NetBSD, however, no writable directory is needed as long as there is already a directory whose name is 12 characters long; on FreeBSD, none is needed if there is already a directory whose name is 9 characters long.
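The unchecked copy described above, shown beside a length-checked version, as an added illustration that is not code from the advisory or from any ftpd. REPLY_MAX, the function names and the sample file names are hypothetical; both routines take the match list in the glob_t form that glob(3) returns.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer standing in for the one a globbing ftpd
 * copies an expanded file list into (kept small for the demo). */
#define REPLY_MAX 64

/* Vulnerable shape: matches are appended with no regard to the buffer size,
 * so a large enough expansion runs past the end of the buffer (for contrast). */
static void join_matches_unchecked(const glob_t *g, char out[REPLY_MAX])
{
    out[0] = '\0';
    for (size_t i = 0; i < (size_t)g->gl_pathc; i++) {
        if (i) strcat(out, " ");
        strcat(out, g->gl_pathv[i]);   /* total length never checked */
    }
}

/* Hardened shape: check the room before every append and reject the whole
 * expansion if it would not fit; returns length written, or -1 if too long. */
static long join_matches_checked(const glob_t *g, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < (size_t)g->gl_pathc; i++) {
        size_t len = strlen(g->gl_pathv[i]), sep = i ? 1 : 0;
        if (len + sep > outsz - 1 - used) { out[0] = '\0'; return -1; }
        if (sep) out[used++] = ' ';
        memcpy(out + used, g->gl_pathv[i], len);
        used += len;
        out[used] = '\0';
    }
    return (long)used;
}

int main(void)
{
    glob_t g;              /* stand-alone demo: expand "*" in the cwd */
    char reply[REPLY_MAX];
    if (glob("*", 0, NULL, &g) != 0) return 1;
    if (join_matches_checked(&g, reply, sizeof reply) < 0)
        printf("'*' matched %zu names: too long for %d bytes, rejected\n",
               (size_t)g.gl_pathc, REPLY_MAX);
    else
        printf("reply: %s\n", reply);
    globfree(&g);
    return 0;
}
```

Rejecting the whole expansion rather than silently truncating it keeps the reply honest about which files were matched.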

The following operating systems and FTP servers are known to be affected by this vulnerability. Earlier versions are likely to be affected as well.

If your system is running a version of ftpd which came with any of the above operating systems or any earlier versions of the above operating systems, your system is probably vulnerable. Furthermore, if the anonymous account is enabled and there are directories writable by the anonymous user (or, in some cases, any directories with names of a certain length), the vulnerability could be exploited by a remote user without an account on the system.

Resolution

Apply a patch or upgrade the FTP server. See CERT Advisory 2001-07 for instructions specific to your operating system.

Alternatively, disable the anonymous FTP account, or if that cannot be done, then:

  1. ensure that there are no directories on the FTP server which are writable by the anonymous FTP account, and
  2. ensure that there are no directories whose names are longer than eight characters.

Note that this workaround only prevents the vulnerability from being exploited from the anonymous account. Exploitation would still be possible from a regular user account, resulting in privilege elevation.

Where can I read more about this?

For more information about this vulnerability, see CERT Advisory 2001-07 and the COVERT Labs Security Advisory.