From owner-freebsd-security Tue Apr 24 11:49:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id D2DE137B422 for ; Tue, 24 Apr 2001 11:49:38 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 7FA2866DF6; Tue, 24 Apr 2001 11:49:38 -0700 (PDT) Date: Tue, 24 Apr 2001 11:49:38 -0700 From: Kris Kennaway To: djs@uscreativetypes.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: other services vulnerable to globbing exploit? Message-ID: <20010424114938.E89156@xor.obsecurity.org> References: <3AE590D4.66E038DA@starband.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="jKBxcB1XkHIR0Eqt" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3AE590D4.66E038DA@starband.net>; from djstrobelite@starband.net on Tue, Apr 24, 2001 at 08:42:41AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --jKBxcB1XkHIR0Eqt Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 24, 2001 at 08:42:41AM -0600, Jumpin Joe wrote: > Greetings: >=20 > I have followed with interest the recent exchanges about the ftpd > globbing vulnerability. Below is a line from the logs of a certain site > I host. The output looks very similar to the output I've seen shared > here about how the vulnerability is exploited. Could this be an > (attempt) to exploit the same vulnerability through httpd? And as > always, can this even be considered an attack? My apache and bind are > up to date and requests like this come through at a variable rate, have > not crashed the service, but do seem to be increasing load and eating up > bandwidth. Thanks in advance for your consideration. This doesn't look like a globbing attempt, but other services certainly could be vulnerable to the buffer overflow, since glob() is in libc (this was noted in the advisory, I believe). Recompile libc and any statically-linked servers, etc. Kris --jKBxcB1XkHIR0Eqt Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE65crBWry0BWjoQKURAt1UAJ9ylrLqEFOY+q948MCL0r64cdZRaACfVXYp 4jW4a5IFtC+ESuatLLLu4pw= =ft5R -----END PGP SIGNATURE----- --jKBxcB1XkHIR0Eqt-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message