{"vuid":"VU#808552","idnumber":"808552","name":"Multiple ftpd implementations contain buffer overflows","keywords":["security","glob() implementation vulnerabilities","glob","glob()","globbing","ftp","ftpd","buffer overflow"],"overview":"A variety of ftp servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server. The incorrect management of buffers centers around the return from the glob() function, and may be confused with a related denial-of-service problem. These problems were discovered by the COVERT Labs at PGP Security.","clean_desc":"Filename \"globbing\" is the process of expanding certain short hand notation into complete file names. For example, the expression \"*.c\" (without the quotes) is short hand notation for \"all files ending in \".c\" (again, without the quotes). This is commonly used in UNIX shells, in commands such as ls *.c. Globbing also often includes the expansion of certain characters into system-specific paths, such as the expansion of tilde character (~) into the path of the home directory of the user specified to the right of the tilde character. For example, \"~svh\" expands to the home directory for the user \"svh\" on the current system. The expressions used in file name globbing are not strictly regular expressions, but they are syntactically similar in many ways. FTP servers also commonly implement globbing, so that the command mget *.c means retrieve all the files ending in \".c,\" and get ~svh/file.name means get the file named file.name in the home directory of svh. The COVERT Labs at PGP Security have discovered a means to use the expansion done by the glob function to overflow various buffers in FTP servers, allowing an intruder to execute arbitrary code. For more details about their discovery, see http://www.pgp.com/research/covert/advisories/048.asp Quoting from that document: [...] when an FTP daemon receives a request involving a file that has a tilde as its first character, it typically runs the entire filename string through globbing code in order to resolve the specified home directory into a full path. This has the side effect of expanding other metacharacters in the pathname string, which can lead to very large input strings being passed into the main command processing routines. This can lead to exploitable buffer overflow conditions, depending upon how these routines manipulate their input.","impact":"Intruders can execute arbitrary code with the permissions of the process running the FTP server.","resolution":"Apply a patch from your vendor.","workarounds":"","sysaffected":"","thanks":"","author":"The CERT/CC portions of this document were written by Shawn V. Hernan.","public":["http://www.pgp.com/research/covert/advisories/048.asp","http://www.securityfocus.com/bid/2552","http://www.securityfocus.com/bid/2550","http://www.securityfocus.com/bid/2548"],"cveids":[""],"certadvisory":"CA-2001-07","uscerttechnicalalert":null,"datecreated":"2001-03-22T20:23:50Z","publicdate":"2001-04-10T00:00:00Z","datefirstpublished":"2001-04-10T04:21:19Z","dateupdated":"2001-06-26T03:11:43Z","revision":29,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"15","cam_impact":"19","cam_easeofexploitation":"13","cam_attackeraccessrequired":"19","cam_scorecurrent":"42.237","cam_scorecurrentwidelyknown":"48.83653125","cam_scorecurrentwidelyknownexploited":"75.23465625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":42.237,"vulnote":null}