From covert@NAI.COM Tue Apr 10 09:09:04 2001
From: COVERT Labs
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 9 Apr 2001 19:10:39 -0700
Subject: [BUGTRAQ] [COVERT-2001-02] Globbing Vulnerabilities in Multiple FTP Daemons

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________

                      Network Associates, Inc.
                   COVERT Labs Security Advisory

                           April 9, 2001

         Globbing Vulnerabilities in Multiple FTP Daemons

                          COVERT-2001-02
______________________________________________________________________

o Synopsis

  Multiple FTP server implementations contain buffer overflows that
  allow local and remote attackers to gain root privileges on affected
  servers. These vulnerabilities are contingent upon the remote user
  having the ability to create directories on the server hosting the
  FTP daemon, with the exception of a few cases noted below.

  The vulnerabilities presented are all related to the use of the
  glob() function, and can be divided into the following two
  categories:

  - glob() expansion vulnerabilities

    User input that has been expanded by glob() can exceed expected
    lengths and trigger otherwise benign buffer mismanagement problems
    present in certain FTP daemons.

  - glob() implementation vulnerabilities

    Certain implementations of the glob() function contain buffer
    overflows. These vulnerabilities are exploitable through FTP
    daemons that utilize these problematic implementations.

  CVE Candidate numbers for these issues have been assigned and are
  listed in the Vulnerable Systems section.
  RISK FACTOR: HIGH
______________________________________________________________________

o Vulnerable Systems

  The following operating systems have been confirmed to contain
  vulnerable FTP daemons:

    FreeBSD 4.2        CAN-2001-0247
    OpenBSD 2.8
    NetBSD 1.5
    IRIX 6.5.x
    HPUX 11            CAN-2001-0248
    Solaris 8          CAN-2001-0249
______________________________________________________________________

o Vulnerability Overview

  glob() implements filename pattern matching, following rules similar
  to those used by Unix shells. It is a pathname generator, which
  accepts an input pattern representing a set of filenames and returns
  a list of accessible pathnames matching that pattern. The input
  pattern is specified by using special metacharacters, taken from the
  following: '*?[]{}~'. For example, a pattern of '/e*' would match
  all directories and files in the root of the file system that begin
  with the character 'e'.

  The File Transfer Protocol (FTP), as defined in RFC959, describes
  numerous commands with pathname arguments that specify files or
  directories. Though it is not required by the specification, most
  FTP daemon implementations provide server-side globbing
  functionality that performs pattern expansion on these pathnames.
  The actual glob() implementation is often located in the FTP daemon
  itself, though some FTP servers use an underlying libc
  implementation.

  The ability of a remote or local user to deliver input patterns to
  glob() implementations allows for two general types of security
  exposures.

  - glob() expansion vulnerabilities

    A number of vulnerabilities result from an FTP daemon assuming
    that the length of the user input is limited to the number of
    characters that are read in from the socket. This is typically
    512 characters. This assumption is problematic because most FTP
    daemons contain a parser rule for processing pathnames beginning
    with a tilde. The intended effect of this rule is to replace the
    tilde directory component with the referenced home directory.
    However, since this is performed by running the string through the
    glob() function, the FTP daemon will also expand any other
    wildcard characters present. This allows for user input that can
    exceed the number of characters read in from the socket, which can
    make otherwise benign unbounded string operations exploitable.

  - glob() implementation vulnerabilities

    Certain glob() implementations contain buffer overflows in their
    internal utility functions. These overflows are typically
    triggered by requesting a pattern that expands to a very large
    pathname, or by submitting a pattern that the user intends to have
    the FTP daemon run through glob() twice.
______________________________________________________________________

o Detailed Information

  - glob() expansion vulnerabilities

    As mentioned above, when an FTP daemon receives a request
    involving a file that has a tilde as its first character, it
    typically runs the entire filename string through globbing code in
    order to resolve the specified home directory into a full path.
    This has the side effect of expanding other metacharacters in the
    pathname string, which can lead to very large input strings being
    passed into the main command processing routines. This can lead to
    exploitable buffer overflow conditions, depending upon how these
    routines manipulate their input.

    In Solaris, an exploitable heap overflow of this nature is
    triggered by using the LIST command. This vulnerability occurs
    when the FTP daemon attempts to construct a string using unbounded
    string operations in order to execute the /bin/ls program.

    HPUX contains a stack based overflow of this nature that can be
    triggered by the use of the STAT command.

  - glob() implementation vulnerabilities

    There are two implementations of glob() that are known to contain
    buffer overflow vulnerabilities.
    Implementations based on the C shell globbing code contain a
    buffer overflow that can be triggered by supplying a pattern
    string such that a pair of braces {} is followed by a string that
    is longer than the length reserved for the stack-based buffer
    defined in execbrc(). This could be exploited by utilizing a code
    path in the FTP daemon that feeds the expanded output of one
    globbed pathname into a second call to glob().

    BSD implementations of glob() contain four exploitable buffer
    overflows. The first buffer overflow occurs in the static utility
    function g_opendir(), which copies the provided pathname onto the
    stack. This is performed using the function g_Ctoc(), which
    converts a 16-bit character string to an 8-bit character string,
    but otherwise works like strcpy(). Similar overflows occur in
    g_lstat() and g_stat(). A fourth overflow, one that affects the
    stack-based buffer reserved in glob0(), is the result of the
    behavior of the mutually recursive functions glob2() and glob3().

    Note that these vulnerabilities do not require the last component
    of the provided pathname to be an existing file, thus allowing
    exploitation even without the ability to create directories and
    files. Testing has shown that it would be possible to exploit
    OpenBSD and NetBSD without a writable directory being present if a
    directory name with a length of 12 characters is available.
    FreeBSD can be exploited without a writable directory being
    present if a directory name of length 9 is available.
______________________________________________________________________

o Resolution

  This advisory will be updated as more information becomes
  available. The most recent version is available from the PGP
  Security website at:

    http://www.pgp.com/research/covert/advisories/048.asp

  The CERT/CC is coordinating the collection of information on
  vulnerable distributions from third party vendors.
  For more information, please read CERT Advisory CA-2001-07,
  available at:

    http://www.cert.org/advisories/CA-2001-07.html

  In lieu of a patch, these vulnerabilities may be addressed in a
  general fashion by ensuring that no directories exist in the
  anonymous FTP tree that are writable by the anonymous FTP user.
  Furthermore, BSD and IRIX users should take care to ensure that no
  directory in the anonymous FTP tree has a name longer than 8
  characters. It is important to note that these precautions will not
  prevent local user privilege escalation through the FTP daemon.
______________________________________________________________________

o Credits

  Discovery and documentation of these vulnerabilities were conducted
  by John McDonald and Anthony Osborne of the COVERT Labs at PGP
  Security.
______________________________________________________________________

o Contact Information

  For more information about the COVERT Labs at PGP Security, visit
  our website at http://www.pgp.com/covert or send e-mail to
  covert@nai.com
______________________________________________________________________

o Legal Notice

  The information contained within this advisory is Copyright (C)
  2001 Networks Associates Technology Inc. It may be redistributed
  provided that no fee is charged for distribution and that the
  advisory is not modified in any way.

  Network Associates and PGP are registered Trademarks of Network
  Associates, Inc. and/or its affiliated companies in the United
  States and/or other Countries. All other registered and
  unregistered trademarks in this document are the sole property of
  their respective owners.
______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBOtJcuNwDUegFyneEEQIKJQCgi1WKTSgOPxQRF/19QJQF3WPQVGEAnjjG
dBREJa5JxVbD2iB58biLZTwd
=EA8e
-----END PGP SIGNATURE-----
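The glob() expansion hazard from the Detailed Information section above, as an added example that is not part of the advisory and not any vendor's ftpd code. It models a daemon that reads at most 512 bytes per command, runs the argument through glob() as it would for a "~" argument, and then formats the matches into a fixed 1024-byte buffer to run /bin/ls. The constants CMDLINE_MAX, LSBUF and NFILES, the function names, and the scratch directory of 80 constructed empty files under /tmp are assumptions made for the demo; the daemon's bug shape (an unbounded sprintf() into the fixed buffer) is described in a comment and replaced by the bounded form, which is what a fix looks like.

```c
/* Added example, not from the advisory or any vendor's ftpd: a model of the
 * glob() expansion hazard.  An ftpd reads at most CMDLINE_MAX bytes per
 * command, runs a "~"-style argument through glob() (which expands every
 * metacharacter) and then formats the result into a fixed LSBUF-byte buffer
 * as if it were still short.  CMDLINE_MAX, LSBUF, NFILES and the scratch
 * directory are assumptions made for this demo. */
#define _GNU_SOURCE 1   /* POSIX declarations (getpid, mkdir, unlink) under any -std */
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CMDLINE_MAX 512   /* bytes read from the control connection per command */
#define LSBUF       1024  /* fixed buffer used to build the /bin/ls command line */
#define NFILES      80    /* constructed fixture: enough matches to exceed LSBUF */

/* glob() the argument and return the matches as one malloc'd, space-joined
 * string (NULL on failure).  This is the step that turns ~25 bytes of input
 * into kilobytes of output. */
static char *expand_arg(const char *pattern)
{
    glob_t g; size_t i, len = 0; char *out;

    if (glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &g) != 0)
        return NULL;
    for (i = 0; i < g.gl_pathc; i++)
        len += strlen(g.gl_pathv[i]) + 1;
    if ((out = malloc(len + 1)) != NULL) {
        out[0] = '\0';
        for (i = 0; i < g.gl_pathc; i++) {
            if (i) strcat(out, " ");
            strcat(out, g.gl_pathv[i]);
        }
    }
    globfree(&g);
    return out;
}

/* The bug shape in the advisory is sprintf(dst, "/bin/ls -lgA %s", expanded)
 * into a fixed dst.  Fix shape: bounded formatting, and the caller is told
 * about overflow.  Returns 0 on success, -1 (dst emptied) if it did not fit. */
int build_ls_cmd_safe(char *dst, size_t dstlen, const char *expanded)
{
    int n = snprintf(dst, dstlen, "/bin/ls -lgA %s", expanded);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed fixture: NFILES empty files with short names in a scratch
 * directory (create == 1), or remove them again (create == 0). */
static int fixture(const char *dir, int create)
{
    char path[512];
    int i;

    if (create && mkdir(dir, 0700) != 0)
        return -1;
    for (i = 0; i < NFILES; i++) {
        snprintf(path, sizeof path, "%s/file_%02d_abcdefghij", dir, i);
        if (!create) { unlink(path); continue; }
        FILE *f = fopen(path, "w");
        if (f == NULL) return -1;
        fclose(f);
    }
    return create ? 0 : rmdir(dir);
}

/* Run the scenario once and cache it: a tiny pattern goes in, kilobytes come
 * out, and the bounded builder refuses to put them into LSBUF bytes. */
static size_t pattern_len, expanded_len;
static int safe_rc = 1, ran;
static void run_once(void)
{
    char dir[64], pattern[80], lsbuf[LSBUF], *expanded;

    if (ran) return;
    ran = 1;
    snprintf(dir, sizeof dir, "/tmp/globdemo.%ld", (long)getpid());
    if (fixture(dir, 1) != 0) { fixture(dir, 0); return; }
    snprintf(pattern, sizeof pattern, "%s/*", dir);
    expanded = expand_arg(pattern);
    fixture(dir, 0);
    if (expanded == NULL) return;
    pattern_len  = strlen(pattern);     /* far below CMDLINE_MAX */
    expanded_len = strlen(expanded);    /* far above LSBUF */
    safe_rc      = build_ls_cmd_safe(lsbuf, sizeof lsbuf, expanded);
    free(expanded);
}
size_t demo_pattern_len(void)  { run_once(); return pattern_len; }
size_t demo_expanded_len(void) { run_once(); return expanded_len; }
int    demo_safe_rc(void)      { run_once(); return safe_rc; }

int main(void)
{
    printf("pattern %zu bytes (limit %d), expansion %zu bytes, bounded build "
           "into %d bytes -> %d\n", demo_pattern_len(), CMDLINE_MAX,
           demo_expanded_len(), LSBUF, demo_safe_rc());
    return demo_safe_rc() == -1 ? 0 : 1;
}
```

The point the lengths make: the socket read bounds the pattern, not the expansion, so any buffer sized from the 512-byte command limit is the wrong size once glob() has run. The bounded builder does not make the expansion shorter; it makes the overflow a refusal the daemon can log and reject instead of a write past the end of the buffer.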
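The BSD glob() implementation overflows from the Detailed Information section, as an added example that is not the BSD libc source. It models the g_Ctoc() conversion the advisory describes: BSD glob() works on 16-bit "Char" values whose high bits carry quoting flags, and its g_opendir()/g_stat()/g_lstat() helpers convert the pathname back to 8-bit char into a MAXPATHLEN-sized stack buffer before the system call. The unbounded converter is the bug shape; the converter that takes a length and reports truncation is the fix shape. Char, M_QUOTE, M_ASCII, the 1024-byte MAXPATHLEN and the function names are assumptions for the demo, loosely after the real helpers.

```c
/* Added example, not the BSD libc source: a model of the g_Ctoc() hazard in
 * the BSD glob() internals.  The pattern is walked as 16-bit "Char" values
 * whose high bits carry quoting flags, and g_opendir/g_stat/g_lstat convert
 * the pathname back to char into a MAXPATHLEN stack buffer first.  Char,
 * M_QUOTE, M_ASCII, MAXPATHLEN and the names below are demo assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 1024
#define M_QUOTE    0x8000   /* flag: character was backslash-quoted in the pattern */
#define M_ASCII    0x00ff   /* the character itself */
#define EOS        '\0'
typedef unsigned short Char;

/* Bug shape: copies until EOS with no idea how large buf is. */
static void g_Ctoc_unbounded(const Char *str, char *buf)
{
    while ((*buf++ = (char)(*str++ & M_ASCII)) != EOS)
        ;
}

/* Fix shape: the caller supplies the buffer size.  Returns 0 if the whole
 * string including EOS fit, 1 if it was cut off (buf is then not usable). */
static int g_Ctoc_bounded(const Char *str, char *buf, size_t len)
{
    while (len--) {
        if ((*buf++ = (char)(*str++ & M_ASCII)) == EOS)
            return 0;
    }
    return 1;
}

/* Model of g_opendir()/g_stat(): convert into the fixed stack buffer, then
 * hand back the converted length (the real helper would call opendir()).
 * Returns -1 where the unbounded version would have smashed the stack. */
int model_g_opendir(const Char *path, char *out, size_t outlen)
{
    char buf[MAXPATHLEN];

    if (g_Ctoc_bounded(path, buf, sizeof buf))
        return -1;
    if (out != NULL)
        snprintf(out, outlen, "%s", buf);
    return (int)strlen(buf);
}

/* Turn an ASCII pattern into Chars, tagging backslash-escaped characters with
 * M_QUOTE as the pattern compiler does.  Returns the number of Chars. */
size_t ascii_to_Char(const char *s, Char *dst, size_t n)
{
    size_t i = 0;

    for (; *s != '\0' && i + 1 < n; s++) {
        if (*s == '\\' && s[1] != '\0') {
            s++;
            dst[i++] = (Char)(M_QUOTE | (unsigned char)*s);
        } else {
            dst[i++] = (Char)(unsigned char)*s;
        }
    }
    dst[i] = EOS;
    return i;
}

/* Convert "/" followed by n 'a' characters; -2 if the demo pattern buffer is
 * too small, otherwise whatever model_g_opendir() says. */
int demo_convert_len(size_t n)
{
    Char pat[4096];
    char out[MAXPATHLEN];
    size_t i;

    if (n + 2 > sizeof pat / sizeof pat[0])
        return -2;
    pat[0] = '/';
    for (i = 0; i < n; i++)
        pat[i + 1] = 'a';
    pat[n + 1] = EOS;
    return model_g_opendir(pat, out, sizeof out);
}

/* Round trip "a\*b": three Chars with the '*' flagged, converted back to the
 * three bytes "a*b" with the flag stripped.  Returns 1 on success. */
int demo_quoted_roundtrip(void)
{
    Char pat[8];
    char out[8], raw[8];

    if (ascii_to_Char("a\\*b", pat, 8) != 3 || !(pat[1] & M_QUOTE))
        return 0;
    g_Ctoc_unbounded(pat, raw);          /* safe only because raw is large enough */
    return model_g_opendir(pat, out, sizeof out) == 3 &&
           strcmp(out, "a*b") == 0 && strcmp(raw, "a*b") == 0;
}

int main(void)
{
    printf("101 chars -> %d, %d chars -> %d, %d chars -> %d, quoted round trip %d\n",
           demo_convert_len(100), MAXPATHLEN - 1, demo_convert_len(MAXPATHLEN - 2),
           MAXPATHLEN, demo_convert_len(MAXPATHLEN - 1), demo_quoted_roundtrip());
    return 0;
}
```

The boundary is the part worth checking by hand: a pathname of MAXPATHLEN - 1 characters fits (the EOS takes the last byte), one more character does not, and the bounded converter has to count the EOS as a byte that must fit, which is the off-by-one that a "len -= 1" fix would get wrong.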