-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:33 Security Advisory FreeBSD, Inc. Topic: globbing vulnerability in ftpd [REVISED] Category: core Module: ftpd/libc Announced: 2001-04-17 Revised: 2001-04-19 Credits: John McDonald and Anthony Osborne, COVERT Labs Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases), FreeBSD 3.5-STABLE and 4.3-RC prior to the correction date. Corrected: 2001-04-17 (FreeBSD 4.3-RC) 2001-04-17 (FreeBSD 3.5-STABLE) Vendor status: Corrected FreeBSD only: NO 0. Revision History 2001-04-17 v1.0 Initial release 2001-04-19 v1.1 Corrected patch and patch instructions I. Background Numerous FTP daemons, including the daemon distributed with FreeBSD, use server-side globbing to expand pathnames via user input. This globbing is performed by FreeBSD's glob() implementation in libc. II. Problem Description The glob() function contains potential buffer overflows that may be exploitable through the FTP daemon. If a directory with a name of a certain length is present, a remote user specifying a pathname using globbing characters may cause arbitrary code to be executed on the FTP server as user running ftpd, usually root. Additionally, when given a path containing numerous globbing characters, the glob() functions may consume significant system resources when expanding the path. This can be controlled by setting user limits via /etc/login.conf and setting limits on globbing expansion. All versions of FreeBSD prior to the correction date, including FreeBSD 3.5.1 and 4.2 contain this problem. The base system that will ship with FreeBSD 4.3 does not contain this problem since it was corrected before the release. III. Impact Remote users may be able to execute arbitrary code on the FTP server as the user running ftpd, usually root. The FTP daemon supplied with FreeBSD is enabled by default to allow access to authorized local users and not anonymous users, thus limiting the impact to authorized local users. IV. Workaround If the FTP daemon is executed from inetd, disable the FTP daemon by commenting out the ftp line in /etc/inetd.conf, then reload the inetd configuration by executing the following command as root: # killall -HUP inetd V. Solution One of the following: 1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction date. 2) Download the patch and detached PGP signature from the following location: The following patch applies to FreeBSD 4.x: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc The following patch applies to FreeBSD 3.x: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc Verify the detached signature using your PGP utility. Issue the following commands as root: # cd /usr/src # patch -p < /path/to/patch # cp /usr/src/include/glob.h /usr/include/ # cd /usr/src/lib/libc # make all install # cd /usr/src/libexec/ftpd # make all install If the FTP daemon is running standalone, it will have to be manually stopped and restarted. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOt83elUuHi5z0oilAQGvLwP+Mg6yScJhgTuGnJ1037opvwPEbKb0JWF4 CuC8lKB0xV3BMQhQ8BRC3RVJWptFDv8qlWxW7kCyiuYk19oS8IUsllvwD6uftHZI iph5TF3F37DNiE2lEp4T5/VSPqkEaYoV0Iu9+S43V7M2dPWVPS4tziPQamtBupdQ OhsFSsEGgVU= =AV6T -----END PGP SIGNATURE-----