Date: Thu, 21 Jun 2001 13:51:33 +0400
From: "Magdalinin Kirill" <bsdforumen@hotmail.com>
To: freebsd-questions@freebsd.org
Cc: bio.metrix@gte.net
Subject: Re: server stopped responding
Message-ID: <F2956AmX3qrB0Xn2Pi100006d3f@hotmail.com>

Hello,

I downloaded glob.4.x.patch, but when I run

cd /usr/src
patch -p < /download/glob.4.x.patch

I get:

Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: include/glob.h
|===================================================================
|RCS file: /home/ncvs/src/include/glob.h,v
|--- include/glob.h 1998/02/25 02:15:59 1.3
|+++ include/glob.h 2001/03/21 14:33:56 1.3.6.1
--------------------------
File to patch: /usr/src/include/glob.h
No file found--skip this patch? [n]

What is wrong?

Thanks for helping me,

Kirill Magdalinin
magcyril@hotmail.com

>From: "biometrix" <bio.metrix@gte.net>
>To: "Magdalinin Kirill" <bsdforumen@hotmail.com>
>Subject: Re: server stopped responding
>Date: Wed, 20 Jun 2001 12:15:43 -0500
>
>Not sure if it's related, or if you patched it but:
>
>=============================================================================
>FreeBSD-SA-01:33                                           Security Advisory
>                                                                FreeBSD, Inc.
>
>Topic:          globbing vulnerability in ftpd [REVISED]
>
>Category:       core
>Module:         ftpd/libc
>Announced:      2001-04-17
>Revised:        2001-04-19
>Credits:        John McDonald and Anthony Osborne, COVERT Labs
>Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
>                FreeBSD 3.5-STABLE and 4.3-RC prior to the
>                correction date.
>Corrected:      2001-04-17 (FreeBSD 4.3-RC)
>                2001-04-17 (FreeBSD 3.5-STABLE)
>Vendor status:  Corrected
>FreeBSD only:   NO
>
>0.   Revision History
>
>2001-04-17  v1.0  Initial release
>2001-04-19  v1.1  Corrected patch and patch instructions
>
>I.   Background
>
>Numerous FTP daemons, including the daemon distributed with FreeBSD,
>use server-side globbing to expand pathnames via user input. This
>globbing is performed by FreeBSD's glob() implementation in libc.
>
>II.  Problem Description
>
>The glob() function contains potential buffer overflows that may be
>exploitable through the FTP daemon. If a directory with a name of
>a certain length is present, a remote user specifying a pathname
>using globbing characters may cause arbitrary code to be executed
>on the FTP server as user running ftpd, usually root.
>
>Additionally, when given a path containing numerous globbing
>characters, the glob() functions may consume significant system
>resources when expanding the path. This can be controlled by
>setting user limits via /etc/login.conf and setting limits on
>globbing expansion.
>
>All versions of FreeBSD prior to the correction date, including
>FreeBSD 3.5.1 and 4.2 contain this problem. The base system that
>will ship with FreeBSD 4.3 does not contain this problem since it
>was corrected before the release.
>
>III. Impact
>
>Remote users may be able to execute arbitrary code on the FTP server
>as the user running ftpd, usually root.
>
>The FTP daemon supplied with FreeBSD is enabled by default to allow
>access to authorized local users and not anonymous users, thus
>limiting the impact to authorized local users.
>
>IV.  Workaround
>
>If the FTP daemon is executed from inetd, disable the FTP daemon by
>commenting out the ftp line in /etc/inetd.conf, then reload the
>inetd configuration by executing the following command as root:
>
># killall -HUP inetd
>
>V.   Solution
>
>One of the following:
>
>1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction date.
>
>2) Download the patch and detached PGP signature from the following
>location:
>
>The following patch applies to FreeBSD 4.x:
>
># fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
># fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc
>
>The following patch applies to FreeBSD 3.x:
>
># fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch
># fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc
>
>Verify the detached signature using your PGP utility.
>
>Issue the following commands as root:
>
># cd /usr/src
># patch -p < /path/to/patch
># cp /usr/src/include/glob.h /usr/include/
># cd /usr/src/lib/libc
># make all install
># cd /usr/src/libexec/ftpd
># make all install
>
>If the FTP daemon is running standalone, it will have to be manually
>stopped and restarted.
>
>---------
>
>----- Original Message -----
>From: "Magdalinin Kirill" <bsdforumen@hotmail.com>
>To: <freebsd-questions@freebsd.org>
>Cc: <freebsd-security@freebsd.org>
>Sent: Wednesday, June 20, 2001 11:39 AM
>Subject: server stopped responding
>
>
> > Hello,
> >
> > I have 4.1 Release box that today suddenly stopped responding
> > except for ping command. I could not connect to it via http,
> > ssh, ftp or telnet. Then it was rebooted by our hosting engineer
> > and then I found just a few clues in the logs.
> >
> > last shows that
> >
> > some_login ftp xxx.xxx.xxx.xxx Wed Jun 20 16:06 - crash(02:26)
> >
> > which was the last record before it was rebooted.
> >
> > no errors in /var/log/messages
> >
> > apache caught a couple of errors before it stopped responding:
> >
> > (54)Connection reset by peer: getsockname
> >
> > Does anyone have any explanations or ideas what it was?
> > What else should I look for?
> >
> > Please, send copy to my email address.
> >
> > Thanks in advance,
> >
> > Kirill Magdalinin
> > magcyril@hotmail.com
> >
> > _________________________________________________________________________
> > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
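
A pre-flight check for the step where patch stopped at "File to patch:", as an added example that is not part of the message or of the advisory: it lists the files named on a patch's Index: lines that are missing under the source root, and flags paths that would leave it. The function names, the constructed sample and the path lib/constructed/example.c are assumptions; only include/glob.h comes from the message.

```shell
#!/bin/sh
# Added example: report files named on a patch's "Index:" lines that are
# absent under the source root, before patch(1) is run.
# Usage: missing_patch_targets PATCHFILE SRCROOT
# Prints one missing path per line. Returns 0 if all exist, 1 if any are
# missing, 2 on unreadable input or a path that would leave SRCROOT.
missing_patch_targets() {
    patchfile=$1 srcroot=$2 rc=0
    [ -r "$patchfile" ] || { echo "cannot read $patchfile" >&2; return 2; }
    [ -d "$srcroot" ] || { echo "no directory $srcroot" >&2; return 2; }
    # Assumption: every patched file has an "Index: <relative path>" line,
    # as in the header patch(1) printed in the message above.
    targets=$(sed -n 's/^Index:[[:space:]]*//p' "$patchfile" | sort -u)
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        case $rel in
            /*|../*|*/../*|*/..)
                echo "path leaves source root: $rel" >&2
                rc=2 ;;
            *)
                if [ ! -f "$srcroot/$rel" ]; then
                    printf '%s\n' "$rel"
                    if [ "$rc" -eq 0 ]; then rc=1; fi
                fi ;;
        esac
    done <<EOF
$targets
EOF
    return "$rc"
}

# Constructed sample: a two-file patch header and a tree holding only one
# of the files. "lib/constructed/example.c" is a made-up path.
build_constructed_sample() {
    dir=$1
    mkdir -p "$dir/src/lib/constructed"
    : > "$dir/src/lib/constructed/example.c"
    printf '%s\n' 'Index: include/glob.h' '--- include/glob.h' \
        '+++ include/glob.h' 'Index: lib/constructed/example.c' \
        > "$dir/sample.patch"
}

if [ "$#" -eq 2 ]; then
    missing_patch_targets "$1" "$2"
else
    tmp=$(mktemp -d) && build_constructed_sample "$tmp"
    missing_patch_targets "$tmp/sample.patch" "$tmp/src" || echo "status $?"
    rm -rf "$tmp"
fi
```

Run with the patch file and the source root as arguments; with no arguments it runs on the constructed sample.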