Date: Wed, 18 Apr 2001 10:15:14 +0300
From: Krassimir Slavchev <krassi@bulinfo.net>
To: freebsd-security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob
Message-ID: <3ADD3F02.D54F692D@bulinfo.net>
References: <200104171909.f3HJ9gH14235@freefall.freebsd.org>

Hmmm, any ideas?

/usr/src# patch -p < /tmp/glob.4.x.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libc/gen/glob.c
|===================================================================
|RCS file: /home/ncvs/src/lib/libc/gen/glob.c,v
|--- lib/libc/gen/glob.c 1998/02/20 07:54:56 1.11
|+++ lib/libc/gen/glob.c 2001/04/07 21:00:20
--------------------------
Patching file lib/libc/gen/glob.c using Plan A...
Hunk #1 succeeded at 129.
Hunk #2 succeeded at 137.
Hunk #3 succeeded at 158.
Hunk #4 succeeded at 168.
Hunk #5 succeeded at 197.
Hunk #6 succeeded at 207.
Hunk #7 succeeded at 233.
Hunk #8 succeeded at 274.
Hunk #9 succeeded at 321.
Hunk #10 succeeded at 415.
Hunk #11 succeeded at 480.
Hunk #12 succeeded at 493.
Hunk #13 succeeded at 508.
Hunk #14 succeeded at 528.
Hunk #15 succeeded at 552.
Hunk #16 succeeded at 567.
Hunk #17 succeeded at 606.
Hunk #18 succeeded at 636.
Hunk #19 succeeded at 674.
Hunk #20 succeeded at 710.
Hunk #21 succeeded at 791.
Hunk #22 succeeded at 804.
Hunk #23 succeeded at 823.
Hunk #24 succeeded at 840.
Hunk #25 succeeded at 860.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: libexec/ftpd/popen.c
|===================================================================
|RCS file: /home/ncvs/src/libexec/ftpd/popen.c,v
|--- libexec/ftpd/popen.c 2000/09/20 09:57:58 1.18.2.1
|+++ libexec/ftpd/popen.c 2001/04/07 21:08:09
--------------------------
Patching file libexec/ftpd/popen.c using Plan A...
Hunk #1 succeeded at 107.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|===================================================================
|RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v
|--- libexec/ftpd/ftpd.c 2001/03/11 13:20:44 1.73
|+++ libexec/ftpd/ftpd.c 2001/03/19 19:11:00
--------------------------
Patching file libexec/ftpd/ftpd.c using Plan A...
Hunk #1 succeeded at 189.
Hunk #2 succeeded at 2658 (offset 30 lines).
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|===================================================================
|RCS file: /home/ncvs/src/libexec/ftpd/ftpcmd.y,v
|--- libexec/ftpd/ftpcmd.y 2001/04/16 22:20:26 1.23
|+++ libexec/ftpd/ftpcmd.y 2001/04/17 03:03:45
--------------------------
Patching file libexec/ftpd/ftpcmd.y using Plan A...
Hunk #1 succeeded at 137 (offset -1 lines).
Hunk #2 succeeded at 471 (offset -4 lines).
Hunk #3 succeeded at 928 (offset -13 lines).
Hunk #4 succeeded at 1037 (offset -4 lines).
done

cd /usr/src/lib/libc
make all
cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/gen/glob.c -o glob.o
/usr/src/lib/libc/../libc/gen/glob.c: In function `glob':
/usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared (first use in this function)
/usr/src/lib/libc/../libc/gen/glob.c:171: (Each undeclared identifier is reported only once
/usr/src/lib/libc/../libc/gen/glob.c:171: for each function it appears in.)
/usr/src/lib/libc/../libc/gen/glob.c: In function `globextend':
/usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared (first use in this function)
*** Error code 1

Stop in /usr/src/lib/libc.

FreeBSD Security Advisories wrote:

> =============================================================================
> FreeBSD-SA-01:33 Security Advisory
> FreeBSD, Inc.
>
> Topic:          globbing vulnerability in ftpd
>
> Category:       core
> Module:         ftpd/libc
> Announced:      2001-04-17
> Credits:        John McDonald and Anthony Osborne, COVERT Labs
> Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
>                 FreeBSD 3.5-STABLE and 4.3-RC prior to the
>                 correction date.
> Corrected:      2001-04-17 (FreeBSD 4.3-RC)
>                 2001-04-17 (FreeBSD 3.5-STABLE)
> Vendor status:  Corrected
> FreeBSD only:   NO
>
> I. Background
>
> Numerous FTP daemons, including the daemon distributed with FreeBSD,
> use server-side globbing to expand pathnames via user input. This
> globbing is performed by FreeBSD's glob() implementation in libc.
>
> II. Problem Description
>
> The glob() function contains potential buffer overflows that may be
> exploitable through the FTP daemon. If a directory with a name of
> a certain length is present, a remote user specifying a pathname
> using globbing characters may cause arbitrary code to be executed
> on the FTP server as user running ftpd, usually root.
>
> Additionally, when given a path containing numerous globbing
> characters, the glob() functions may consume significant system
> resources when expanding the path. This can be controlled by
> setting user limits via /etc/login.conf and setting limits on
> globbing expansion.
>
> All versions of FreeBSD prior to the correction date, including
> FreeBSD 3.5.1 and 4.2 contain this problem. The base system that
> will ship with FreeBSD 4.3 does not contain this problem since it
> was corrected before the release.
>
> III. Impact
>
> Remote users may be able to execute arbitrary code on the FTP server
> as the user running ftpd, usually root.
>
> The FTP daemon supplied with FreeBSD is enabled by default to allow
> access to authorized local users and not anonymous users, thus
> limiting the impact to authorized local users.
>
> IV. Workaround
>
> If the FTP daemon is executed from inetd, disable the FTP daemon by
> commenting out the ftp line in /etc/inetd.conf, then reload the
> inetd configuration by executing the following command as root:
>
> # killall -HUP inetd
>
> V. Solution
>
> One of the following:
>
> 1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction
> date.
>
> 2) Download the patch and detached PGP signature from the following
> location:
>
> The following patch applies to FreeBSD 4.x:
>
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc
>
> The following patch applies to FreeBSD 3.x:
>
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc
>
> Verify the detached signature using your PGP utility.
>
> Issue the following commands as root:
>
> # cd /usr/src
> # patch -p < /path/to/patch
> # cd /usr/src/lib/libc
> # make all install
> # cd /usr/src/libexec/ftpd
> # make all install
>
> If the FTP daemon is running standalone, it will have to be manually
> stopped and restarted.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Krassimir Slavchev
Bulinfo Ltd.
krassi@bulinfo.net (+359-2)963-3652
http://www.bulinfo.net (+359-2)963-3764
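
The quoted advisory says glob()'s resource consumption can be controlled by "setting limits on globbing expansion", and the failed build above names the GLOB_LIMIT flag. The following is an added example, not code from the advisory, the patch or FreeBSD's ftpd, of how a caller might bound the expansion of an untrusted pattern. The names bounded_glob_count, make_sample_dir and MAX_META, the cap values and the scratch path are assumptions; GLOB_LIMIT is used only where the libc defines it (FreeBSD reads the cap from gl_matchc), with a post-expansion check for other libcs.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_META 8  /* assumed cap on wildcard characters per pattern */
/* Match count (>= 0), or -1 if the pattern is refused or expands past max. */
int bounded_glob_count(const char *pattern, size_t max)
{
    glob_t g = {0};
    size_t meta = 0;
    int flags = GLOB_NOSORT, rc, n = -1;
    for (const char *p = pattern; *p; p++)
        if (strchr("*?[", *p) && ++meta > MAX_META)
            return -1;                 /* too many wildcards to expand cheaply */
#ifdef GLOB_LIMIT                      /* BSD libc: stop expanding at the cap */
    flags |= GLOB_LIMIT;
    g.gl_matchc = max;
#endif
    rc = glob(pattern, flags, NULL, &g);
    if (rc == GLOB_NOMATCH) n = 0;
    else if (rc == 0 && g.gl_pathc <= max) n = (int)g.gl_pathc;
    globfree(&g);                      /* n stays -1 on error or over the cap */
    return n;
}

/* Constructed sample input: a scratch directory holding n empty subdirectories. */
int make_sample_dir(char *dir, size_t dirsz, int n)
{
    char path[128];
    snprintf(dir, dirsz, "/tmp/globdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;   /* refuses a pre-existing path */
    for (int i = 0; i < n; i++) {
        snprintf(path, sizeof path, "%s/d%02d", dir, i);
        if (mkdir(path, 0700) != 0) return -1;
    }
    return 0;
}

int main(void)
{
    char dir[64], pat[80];
    if (make_sample_dir(dir, sizeof dir, 5) != 0) return 1;
    snprintf(pat, sizeof pat, "%s/d*", dir);
    printf("cap 10: %d\n", bounded_glob_count(pat, 10));
    printf("cap 3:  %d\n", bounded_glob_count(pat, 3));
    return 0;
}
```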