FTP Filename Globbing
Impact
Regular users or anonymous users could gain root access
on the server if this vulnerability is exploitable.
Background
In Unix shells, certain characters such as the asterisk (*)
and tilde (~) automatically cause lists of filenames to be
generated based on pattern matches. This feature is known
as globbing. For example, the command:
ls *.c
would list all files in the current directory which end
with .c. In a directory containing the files
main.c, start.c, and stop.c, it would be equivalent to:
ls main.c start.c stop.c
Similarly, the tilde character refers to the home directory
of the user immediately following the tilde. That is, if
joe's home directory is /home/joe, then
ls ~joe
would be interpreted as
ls /home/joe
Many FTP servers implement filename globbing using the
same rules as Unix shells, which allows multiple files
to be stored on or retrieved from the FTP server with
a single command.
The Problem
In many implementations, the length of the string returned
by filename globbing routines is not checked before
copying the string into a fixed-length buffer.
An attacker could send the FTP server a specially crafted
command containing a file name with globbing characters,
which the globbing routine then expands. The result is a
very large string which overwrites the stack pointer,
allowing the execution of arbitrary commands. In order to
exploit this vulnerability,
the attacker would in most cases need access to a writable
directory on the server. However, on OpenBSD or NetBSD,
the attacker would not need access to a writable directory
as long as there is already a directory whose name is
12 characters long. On FreeBSD, the attacker would not
need access to a writable directory if there is already a
directory whose name is 9 characters long.
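The defect described above, as an added example in C (not code from any of the affected ftpd implementations): the unchecked join that copies a glob expansion into a fixed buffer, beside a hardened version that measures the expansion first and rejects anything that does not fit. The sample match list and the buffer sizes are constructed for the demo.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for what a globbing routine hands back for "*.c"
   in the directory from the Background section (not a real glob() call). */
static const char *const SAMPLE_MATCHES[] = { "main.c", "start.c", "stop.c" };
#define SAMPLE_COUNT (sizeof SAMPLE_MATCHES / sizeof SAMPLE_MATCHES[0])

/* Before: the defect the advisory describes. The expanded list is appended
   to a caller-supplied fixed-size buffer with no bound, so a pattern that
   matches enough names (or long enough ones) writes past the buffer. */
void join_unchecked(char *dst, const char *const *names, size_t n)
{
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (i > 0)
            strcat(dst, " ");
        strcat(dst, names[i]);   /* no length check against dst's size */
    }
}

/* After: measure the expansion first and refuse it outright when it does not
   fit, instead of truncating (a truncated path would name a different, wrong
   file). Returns the joined length, or (size_t)-1 if dstsz is too small. */
size_t join_checked(char *dst, size_t dstsz, const char *const *names, size_t n)
{
    size_t need = 0;
    for (size_t i = 0; i < n; i++)
        need += strlen(names[i]) + (i > 0);      /* name plus one separator */
    if (dstsz == 0 || need > dstsz - 1)           /* keep room for the NUL */
        return (size_t)-1;
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (i > 0)
            dst[pos++] = ' ';
        size_t len = strlen(names[i]);
        memcpy(dst + pos, names[i], len);
        pos += len;
    }
    dst[pos] = '\0';
    return pos;
}

/* Returns 1 if the sample expansion fits a buffer of dstsz (<= 64) bytes,
   0 if the hardened routine rejects it; never writes outside the local buffer. */
int sample_fits(size_t dstsz)
{
    char buf[64];   /* constructed demo buffer; dstsz must not exceed it */
    return dstsz <= sizeof buf &&
           join_checked(buf, dstsz, SAMPLE_MATCHES, SAMPLE_COUNT) != (size_t)-1;
}
```

The three sample names joined with spaces need 21 bytes plus the terminator, so the hardened routine accepts a 22-byte buffer and rejects a 21-byte one where the unchecked version would simply keep writing.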
The following operating systems and FTP servers are known to be affected
by this vulnerability. Earlier versions are likely to be
affected as well.
- FreeBSD 4.2
- OpenBSD 2.8
- NetBSD 1.5
- IRIX 6.5.x
- HP-UX 11
- Solaris 8
- WFTPD 3.00 (prior to release 4)
If your system is running a version of ftpd
which came with any of the above operating systems or any
earlier versions of the above operating systems, your system
is probably vulnerable. Furthermore, if the anonymous
account is enabled and there are directories writable by
the anonymous user (or, in some cases, any directories with names
of a certain length), the vulnerability could be exploited
by a remote user without an account on the system.
Resolution
Apply a patch or upgrade the FTP server. See CERT Advisory
2001-07 for instructions specific to your operating system.
Alternatively, disable the anonymous FTP account, or if
that cannot be done, then:
- ensure that there are no directories on the FTP server
which are writable by the anonymous FTP account, and
- ensure that there are no directories whose names are
longer than eight characters.
Note that this workaround only prevents the vulnerability
from being exploited from the anonymous account. Exploitation
would still be possible from a regular user account, resulting
in privilege elevation.
Where can I read more about this?
For more information about this vulnerability, see CERT
Advisory 2001-07 and the COVERT Labs Security Advisory.