__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Center
__________________________________________________________

                    INFORMATION BULLETIN

              FTP Filename Expansion Vulnerability

April 24, 2001 21:00 GMT                                Number L-070A
[Revision A 4/24/2001 Added FreeBSD FreeBSD-SA-01:33]
______________________________________________________________________________

PROBLEM:       The expansion of short-hand filename notation can lead to
               buffer overflows.

PLATFORM:      FreeBSD - Those prior to 5.0-CURRENT and 4.2-STABLE. See the
               "FreeBSD Update Section" at the bottom of this bulletin for
               information announced by FreeBSD about the FreeBSD 3.x,
               FreeBSD 4.x, FreeBSD 3.5-STABLE, and FreeBSD 4.3-RC releases.
               Fujitsu - UXP/V V20L10 X01021
                         UXP/V V20L10 X00091
                         UXP/V V10L20 X01041
               NetBSD - Those prior to the fixed 4.4BSD-derived glob(3)
               Other vendors are investigating their software.

DAMAGE:        The buffer overflow can allow an intruder to execute
               arbitrary code.

SOLUTION:      Apply the patches as directed. If patches are not available,
               see the referenced PGP Security advisory.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. The vulnerability can be exploited remotely
ASSESSMENT:    and has been discussed in detail in public forums.
______________________________________________________________________________

[Begin CERT Advisory]

CERT Advisory CA-2001-07
File Globbing Vulnerabilities in Various FTP Servers

Original release date: April 10, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

FTP servers on various platforms

Overview

A variety of FTP servers incorrectly manage buffers in a way that can lead
to remote intruders executing arbitrary code on the FTP server.
The incorrect management of buffers is centered around the return from the
glob() function, and may be confused with a related denial-of-service
problem. These problems were discovered by the COVERT Labs at PGP Security.

I. Description

Filename "globbing" is the process of expanding short-hand notation into
complete file names. For example, the expression *.c is short-hand notation
for "all files ending in .c". This is commonly used in UNIX shells, in
commands such as ls *.c.

Globbing also often includes the expansion of certain characters into
system-specific paths, such as the expansion of the tilde character (~) into
the path of the home directory of the user named to the right of the tilde.
For example, ~foo expands to the home directory of the user "foo" on the
current system.

The expressions used in filename globbing are not strictly regular
expressions, but they are syntactically similar in many ways.

Many FTP servers also implement globbing, so that the command

     mget *.c

means "retrieve all the files ending in .c", and

     get ~foo/file.name

means "get the file named file.name in the home directory of foo".

The COVERT Labs at PGP Security have discovered a means to use the expansion
done by the glob function to overflow various buffers in FTP servers,
allowing an intruder to execute arbitrary code. For more details about their
discovery, see

     http://www.pgp.com/research/covert/advisories/048.asp

Quoting from that document:

     [...] when an FTP daemon receives a request involving a file that has a
     tilde as its first character, it typically runs the entire filename
     string through globbing code in order to resolve the specified home
     directory into a full path. This has the side effect of expanding other
     metacharacters in the pathname string, which can lead to very large
     input strings being passed into the main command processing routines.
     This can lead to exploitable buffer overflow conditions, depending upon
     how these routines manipulate their input.

For the latest information regarding this vulnerability, including
information related to vendors' exposure to this problem, consult the
vulnerability note describing this problem, available at

     http://www.kb.cert.org/vuls/id/808552

II. Impact

Intruders can execute arbitrary code with the permissions of the process
running the FTP server.

III. Solution

Apply a patch or workaround from your vendor, as described in Appendix A.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory.
When vendors report new information to the CERT/CC, we update this section
and note the changes in our revision history. If a particular vendor is not
listed below, we have not received their comments.

Compaq Computer Corporation

     COMPAQ COMPUTER CORPORATION
     -----------------------------
     x-ref: Compaq case id - SSRT1-83

     At the time of writing this document, Compaq is currently investigating
     the potential impact to Compaq's ftp service. Initial tests indicate
     Compaq's ftp service is not vulnerable.

     As further information becomes available Compaq will provide notice of
     the completion/availability of any necessary patches through AES
     services (DIA, DSNlink FLASH and posted to the Services WEB page) and
     be available from your normal Compaq Services Support channel.

     COMPAQ COMPUTER CORPORATION

FreeBSD, Inc.

     FreeBSD is vulnerable to the glob-related bugs. We have corrected these
     bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they will not
     be present in FreeBSD 4.3-RELEASE.

Fujitsu

     [...] we have determined that the versions of UXP/V shown below are
     vulnerable. Patches are being prepared and will be assigned the patch
     numbers also shown below:

     OS Version,PTF level   patch ID
     --------------------   --------
     UXP/V V20L10 X01021    UX28161
     UXP/V V20L10 X00091    UX28160
     UXP/V V10L20 X01041    UX15527

IBM Corporation

     [...]
     we have not found the described vulnerabilities to exist in the AIX
     versions of glob as used in the ftp daemon.

NetBSD

     Please be aware that as of March 29, 2001, NetBSD has a fix for both
     the glob resource consumption (via an application controlled GLOB_LIMIT
     flag) and the buffer overflow (always enforced). These fixes should
     work on any 4.4BSD derived glob(3).

SGI

     SGI acknowledges the vulnerability reported by NAI COVERT Labs and is
     currently investigating. No further information is available at this
     time.

     As further information becomes available, additional advisories will
     be issued via the normal SGI security information distribution methods
     including the wiretap mailing list and
     http://www.sgi.com/support/security/

     For the protection of all our customers, SGI does not disclose, discuss
     or confirm vulnerabilities until a full investigation has occurred and
     any necessary patch(es) or release streams are available for all
     vulnerable and supported IRIX operating systems. Until SGI has more
     definitive information to provide, customers are encouraged to assume
     all security vulnerabilities as exploitable and take appropriate steps
     according to local site security policies and requirements.
_________________________________________________________________

The CERT Coordination Center would like to thank the COVERT Labs at PGP
Security for notifying us about this problem and for their help in
constructing this advisory.
_________________________________________________________________

Author: Shawn V. Hernan
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-07.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
     CERT Coordination Center
     Software Engineering Institute
     Carnegie Mellon University
     Pittsburgh PA 15213-3890
     U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other hours,
on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from

     http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our
web site

     http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send
email to majordomo@cert.org. Please include in the body of your message

     subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained from
use of the material. Carnegie Mellon University does not make any warranty
of any kind with respect to freedom from patent, trademark, or copyright
infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

April 10, 2001: Initial release

[End CERT Advisory]
_______________________________________________________________________________

[Begin "FreeBSD Update Section"]

On April 17, 2001, FreeBSD announced the advisory "globbing vulnerability in
ftpd".
This advisory contains patches and workarounds for the following releases:

     FreeBSD 3.x (all releases)
     FreeBSD 4.x (all releases)
     FreeBSD 3.5-STABLE prior to the correction date 2001-04-17
     FreeBSD 4.3-RC prior to the correction date 2001-04-17

Use your browser to get to the "FreeBSD Security Information" page at:

     http://www.freebsd.org/security/security.html

Under the "Table of Contents" section, click on the "FreeBSD Security
Advisories" link. If you do not find the advisory link
"FreeBSD-SA-01:33.ftpd-glob.v1.1.asc" on the "FreeBSD Security Advisories"
page, follow their instructions to get to their advisory archive.
Double-click on the link "FreeBSD-SA-01:33.ftpd-glob.v1.1.asc" to download
the FreeBSD-SA-01:33 advisory "globbing vulnerability in ftpd".

[End "FreeBSD Update Section"]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT and FreeBSD for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
     Voice:    +1 925-422-8193 (7x24)
     FAX:      +1 925-423-8002
     STU-III:  +1 925-423-2604
     E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
     World Wide Web:  http://www.ciac.org/
                      (or http://ciac.llnl.gov -- they're the same machine)
     Anonymous FTP:   ftp.ciac.org
                      (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the University
of California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or the
University of California, and shall not be used for advertising or product
endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-060: Mutt Format String Vulnerability and Incompatibility
L-061: Microsoft IE can Divulge Location of Cached Content
L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft
L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call
L-064: The Lion Internet Worm DDOS Risk
L-065: Solaris Exploitation of snmpXdmid
L-066: Internet Explorer MIME Header Vulnerability
L-067: Linux worm Adore
L-068: Cisco VPN3000 Concentrator TELNET Vulnerability
L-069: Cisco Content Services Switch User Account Vulnerability
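The buffer-management defect described in Section I of the CERT advisory above, reduced to its core as an added example (this is not code from the advisory, from CIAC, or from any vendor's ftpd): a fixed command buffer is filled from the glob() expansion list whose length the client controls, shown in its unchecked shape beside a bounded one that refuses expansions with too many matches or too many bytes. The buffer size CMDBUF, the MAX_MATCHES cap and the sample match lists are constructed assumptions, not values from the advisory.

```c
/* Added example (not from the CERT advisory, CIAC, or any vendor's ftpd):
   the defect in Section I is a fixed command buffer filled from glob()'s
   client-controlled expansion list. The match lists here are constructed. */
#include <stddef.h>
#include <string.h>
#define CMDBUF      64   /* fixed command buffer; size is hypothetical */
#define MAX_MATCHES 8    /* cap on expansions, in the spirit of GLOB_LIMIT */

/* Vulnerable shape: nothing bounds the total, so a wide "~user/*"
   expansion overruns out[]. Shown for contrast; only safe on short input. */
void join_unchecked(char *const *paths, size_t n, char out[CMDBUF]) {
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (i) strcat(out, " ");
        strcat(out, paths[i]);
    }
}

/* Hardened shape: rejects too many matches or an expansion that would not
   fit (NUL included), leaving out[] empty. Returns joined length or -1. */
int join_checked(char *const *paths, size_t n, char *out, size_t outsz) {
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (n > MAX_MATCHES) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(paths[i]);
        if (len + (i ? 1 : 0) > outsz - 1 - used) {   /* separator + path */
            out[0] = '\0';
            return -1;
        }
        if (i) out[used++] = ' ';
        memcpy(out + used, paths[i], len);
        used += len;
    }
    out[used] = '\0';
    return (int)used;
}
/* Constructed sample expansions standing in for gl_pathv. */
static char *const SMALL[] = { "~ftp/pub/a.c", "~ftp/pub/b.c" };
static char *const LONG2[] = {
    "~ftp/pub/incoming/some-very-long-directory-name/file-one.tar.gz",
    "~ftp/pub/incoming/some-very-long-directory-name/file-two.tar.gz" };
int demo_small(void)    { char b[CMDBUF]; return join_checked(SMALL, 2, b, sizeof b); }
int demo_too_long(void) { char b[CMDBUF]; return join_checked(LONG2, 2, b, sizeof b); }
int demo_too_many(void) {
    char b[CMDBUF], *many[MAX_MATCHES + 1];
    for (size_t i = 0; i <= MAX_MATCHES; i++) many[i] = "x";
    return join_checked(many, MAX_MATCHES + 1, b, sizeof b);
}
```

demo_small() returns 25 (the two short paths joined with a space), while demo_too_long() and demo_too_many() both return -1 because the checked join refuses the expansion before any byte passes the end of the buffer.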