(CERT Issues Advisory) Re: Several FTP Server Implementations Allow Remote Users to Obtain Root-Level Privileges on the Server
SecurityTracker Alert ID: 1001280|
SecurityTracker URL: http://securitytracker.com/id/1001280
(Links to External Site)
Date: Apr 10 2001
Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Network Associates COVERT Labs issued an advisory (COVERT-2001-02) for multiple FTP server implementations. These implementations allow remote and local users to obtain root-level privileges on the server.|
In general, if the remote user has the ability to create directories on the FTP server, these vulnerabilities can be exploited. The vulnerabilities are related to the use of the glob() function.
In some cases, user input that has been expanded by glob() can exceed expected boundary lengths and trigger a buffer overflow. In other cases, the glob() function contains other buffer overflows.
Network Associates reports that the following operating systems have been confirmed to contain vulnerable FTP daemons:
FreeBSD 4.2, OpenBSD 2.8, NetBSD 1.5, IRIX 6.5.x, HPUX 11, Solaris 8
For details on the exact nature of the vulnerabilities, see the source message or refer to the COVERT Labs Advisory:
A remote or local user can obtain root privileges on the FTP server.|
Each vendor is releasing separate advisories. Please contact your vendor for details, or refer to the follow-up Alerts in the Message History. CERT issued security Advisory CA-2001-07. To read the advisory, see the source message or visit:|
|Underlying OS: UNIX (FreeBSD), UNIX (HP/UX), UNIX (NetBSD), UNIX (OpenBSD), UNIX (SGI/IRIX), UNIX (Solaris - SunOS)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: CERT Advisory CA-2001-07|
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2001-07 File Globbing Vulnerabilities in Various FTP
Original release date: April 10, 2001
Last revised: --
A complete revision history can be found at the end of this file.
FTP servers on various platforms
A variety of FTP servers incorrectly manage buffers in a way that can
lead to remote intruders executing arbitrary code on the FTP server.
The incorrect management of buffers is centered around the return from
the glob() function, and may be confused with a related
denial-of-service problem. These problems were discovered by the
COVERT Labs at PGP Security.
Filename "globbing" is the process of expanding short-hand notation
into complete file names. For example, the expression "*.c" (without
the quotes) is short-hand notation for "all files ending in ".c"
(again, without the quotes). This is commonly used in UNIX shells, in
commands such as ls *.c. Globbing also often includes the expansion of
certain characters into system-specific paths, such as the expansion
of tilde character (~) into the path of the home directory of the user
specified to the right of the tilde character. For example, "~foo"
expands to the home directory for the user "foo" on the current
system. The expressions used in filename globbing are not strictly
regular expressions, but they are syntactically similar in many ways.
Many FTP servers also implement globbing, so that the command mget *.c
means retrieve all the files ending in ".c," and get ~foo/file.name
means get the file named "file.name" in the home directory of foo.
The COVERT Labs at PGP Security have discovered a means to use the
expansion done by the glob function to overflow various buffers in FTP
servers, allowing an intruder to execute arbitrary code. For more
details about their discovery, see
Quoting from that document:
[...] when an FTP daemon receives a request involving a file
that has a tilde as its first character, it typically runs the
entire filename string through globbing code in order to
resolve the specified home directory into a full path. This has
the side effect of expanding other metacharacters in the
pathname string, which can lead to very large input strings
being passed into the main command processing routines. This
can lead to exploitable buffer overflow conditions, depending
upon how these routines manipulate their input.
For the latest information regarding this vulnerability, including
information related to vendors' exposure to this problem, consult the
vulnerability note describing this problem, available at
Intruders can execute arbitrary code with the permissions of the
process running the FTP server.
Apply a patch or workaround from your vendor, as described in Appendix
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
Compaq Computer Corporation
COMPAQ COMPUTER CORPORATION
x-ref: J Compaq case id - SSRT1-83
At the time of writing this document, Compaq is currently
investigating the potential impact to Compaq's ftp service.
Initial tests indicate Compaq's ftp service is not vulnerable.
As further information becomes available Compaq will provide notice of
the completion/availibility of any necessary patches through AES
services (DIA,DSNlink FLASH and posted to the Services WEB page) and
be available from your normal Compaq Services Support channel.
COMPAQ COMPUTER CORPORATION
FreeBSD is vulnerable to the glob-related bugs. We have corrected
these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they
will not be present in FreeBSD 4.3-RELEASE.
[...] we have determined that the versions of UXP/V shown below are
vulnerable. JPatches are being prepared and will be assigned the patch
numbers also shown below:
OS Version,PTF level patch ID
UXP/V V20L10 X01021 UX28161
UXP/V V20L10 X00091 UX28160
UXP/V V10L20 X01041 UX15527
[...] we have not found the described vulnerabilities to exist in the
AIX versions of glob as used in the ftp daemon.
Please be aware that as of March 29, 2001, NetBSD has a fix for both
the glob resource consumption (via an application controlled
GLOB_LIMIT flag) and the buffer overflow (always enforced). These
fixes should work on any 4.4BSD derived glob(3).
SGI acknowledges the vulnerability reported by NAI COVERT Labs and is
currently investigating. No further information is available at this
As further information becomes available, additional advisories will
be issued via the normal SGI security information distribution methods
including the wiretap mailing list and
For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are available
for all vulnerable and supported IRIX operating systems.
Until SGI has more definitive information to provide, customers are
encouraged to assume all security vulnerabilities as exploitable and
take appropriate steps according to local site security policies and
The CERT Coordination Center would like to thank the COVERT Labs at
PGP Security for notifying us about this problem and for their help in
constructing this advisory.
Author: Shawn V. Hernan
This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available from
our web site
To subscribe to the CERT mailing list for advisories and bulletins,
send email to email@example.com. Please include in the body of your
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
April 10, 2001: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
-----END PGP SIGNATURE-----
This message was posted through the FIRST mailing list server. If you
wish to unsubscribe from this mailing list, send the message body of
"unsubscribe first-info" to first-majordomo@FIRST.ORG
Go to the Top of This SecurityTracker Archive Page