Date:      Wed, 18 Apr 2001 10:15:14 +0300
From:      Krassimir Slavchev <krassi@bulinfo.net>
To:        freebsd-security@FreeBSD.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob
Message-ID:  <3ADD3F02.D54F692D@bulinfo.net>
References:  <200104171909.f3HJ9gH14235@freefall.freebsd.org>

Hmmm, any ideas?


/usr/src# patch -p < /tmp/glob.4.x.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libc/gen/glob.c
|===================================================================
|RCS file: /home/ncvs/src/lib/libc/gen/glob.c,v
|--- lib/libc/gen/glob.c        1998/02/20 07:54:56     1.11
|+++ lib/libc/gen/glob.c        2001/04/07 21:00:20
--------------------------
Patching file lib/libc/gen/glob.c using Plan A...
Hunk #1 succeeded at 129.
Hunk #2 succeeded at 137.
Hunk #3 succeeded at 158.
Hunk #4 succeeded at 168.
Hunk #5 succeeded at 197.
Hunk #6 succeeded at 207.
Hunk #7 succeeded at 233.
Hunk #8 succeeded at 274.
Hunk #9 succeeded at 321.
Hunk #10 succeeded at 415.
Hunk #11 succeeded at 480.
Hunk #12 succeeded at 493.
Hunk #13 succeeded at 508.
Hunk #14 succeeded at 528.
Hunk #15 succeeded at 552.
Hunk #16 succeeded at 567.
Hunk #17 succeeded at 606.
Hunk #18 succeeded at 636.
Hunk #19 succeeded at 674.
Hunk #20 succeeded at 710.
Hunk #21 succeeded at 791.
Hunk #22 succeeded at 804.
Hunk #23 succeeded at 823.
Hunk #24 succeeded at 840.
Hunk #25 succeeded at 860.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: libexec/ftpd/popen.c
|===================================================================
|RCS file: /home/ncvs/src/libexec/ftpd/popen.c,v
|--- libexec/ftpd/popen.c       2000/09/20 09:57:58     1.18.2.1
|+++ libexec/ftpd/popen.c       2001/04/07 21:08:09
--------------------------
Patching file libexec/ftpd/popen.c using Plan A...
Hunk #1 succeeded at 107.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|===================================================================
|RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v
|--- libexec/ftpd/ftpd.c        2001/03/11 13:20:44     1.73
|+++ libexec/ftpd/ftpd.c        2001/03/19 19:11:00
--------------------------
Patching file libexec/ftpd/ftpd.c using Plan A...
Hunk #1 succeeded at 189.
Hunk #2 succeeded at 2658 (offset 30 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|===================================================================
|RCS file: /home/ncvs/src/libexec/ftpd/ftpcmd.y,v
|--- libexec/ftpd/ftpcmd.y      2001/04/16 22:20:26     1.23
|+++ libexec/ftpd/ftpcmd.y      2001/04/17 03:03:45
--------------------------
Patching file libexec/ftpd/ftpcmd.y using Plan A...
Hunk #1 succeeded at 137 (offset -1 lines).
Hunk #2 succeeded at 471 (offset -4 lines).
Hunk #3 succeeded at 928 (offset -13 lines).
Hunk #4 succeeded at 1037 (offset -4 lines).
done

cd /usr/src/lib/libc
make all

cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include
-D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale
-DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/gen/glob.c -o glob.o
/usr/src/lib/libc/../libc/gen/glob.c: In function `glob':
/usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared (first use in this function)
/usr/src/lib/libc/../libc/gen/glob.c:171: (Each undeclared identifier is reported only once
/usr/src/lib/libc/../libc/gen/glob.c:171: for each function it appears in.)
/usr/src/lib/libc/../libc/gen/glob.c: In function `globextend':
/usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared (first use in this function)
*** Error code 1

Stop in /usr/src/lib/libc.

FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-01:33                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          globbing vulnerability in ftpd
>
> Category:       core
> Module:         ftpd/libc
> Announced:      2001-04-17
> Credits:        John McDonald and Anthony Osborne, COVERT Labs
> Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
>                 FreeBSD 3.5-STABLE and 4.3-RC prior to the
>                 correction date.
> Corrected:      2001-04-17 (FreeBSD 4.3-RC)
>                 2001-04-17 (FreeBSD 3.5-STABLE)
> Vendor status:  Corrected
> FreeBSD only:   NO
>
> I.   Background
>
> Numerous FTP daemons, including the daemon distributed with FreeBSD,
> use server-side globbing to expand pathnames via user input.  This
> globbing is performed by FreeBSD's glob() implementation in libc.
>
> II.  Problem Description
>
> The glob() function contains potential buffer overflows that may be
> exploitable through the FTP daemon.  If a directory with a name of
> a certain length is present, a remote user specifying a pathname
> using globbing characters may cause arbitrary code to be executed
> on the FTP server as the user running ftpd, usually root.
>
> Additionally, when given a path containing numerous globbing
> characters, the glob() functions may consume significant system
> resources when expanding the path.  This can be controlled by
> setting user limits via /etc/login.conf and setting limits on
> globbing expansion.
>
> All versions of FreeBSD prior to the correction date, including
> FreeBSD 3.5.1 and 4.2 contain this problem.  The base system that
> will ship with FreeBSD 4.3 does not contain this problem since it
> was corrected before the release.
>
> III. Impact
>
> Remote users may be able to execute arbitrary code on the FTP server
> as the user running ftpd, usually root.
>
> The FTP daemon supplied with FreeBSD is enabled by default to allow
> access to authorized local users and not anonymous users, thus
> limiting the impact to authorized local users.
>
> IV.  Workaround
>
> If the FTP daemon is executed from inetd, disable the FTP daemon by
> commenting out the ftp line in /etc/inetd.conf, then reload the
> inetd configuration by executing the following command as root:
>
> # killall -HUP inetd
>
> V.   Solution
>
> One of the following:
>
> 1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction
> date.
>
> 2) Download the patch and detached PGP signature from the following
> location:
>
> The following patch applies to FreeBSD 4.x:
>
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc
>
> The following patch applies to FreeBSD 3.x:
>
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc
>
> Verify the detached signature using your PGP utility.
>
> Issue the following commands as root:
>
> # cd /usr/src
> # patch -p < /path/to/patch
> # cd /usr/src/lib/libc
> # make all install
> # cd /usr/src/libexec/ftpd
> # make all install
>
> If the FTP daemon is running standalone, it will have to be manually
> stopped and restarted.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> -----END PGP SIGNATURE-----
>

--
 Krassimir Slavchev           Bulinfo Ltd.
 krassi@bulinfo.net           (+359-2)963-3652
 http://www.bulinfo.net       (+359-2)963-3764
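As an added example (not part of the original mail, the advisory or FreeBSD's patch), a small triage script for the kind of `patch` and cc output quoted above: it parses the patch log into the files and hunks the patch touched, pulls the undeclared identifiers out of the compiler diagnostics, and reports whether any header was among the patched files. The sample logs are constructed from the lines in the mail; the reading that a header the patch should also have updated is missing is an assumption, not something the mail confirms.

```python
import re

# Constructed sample logs, assembled from the patch and cc lines quoted in the mail.
PATCH_LOG = """\
Patching file lib/libc/gen/glob.c using Plan A...
Hunk #1 succeeded at 129.
Patching file libexec/ftpd/ftpd.c using Plan A...
Hunk #2 succeeded at 2658 (offset 30 lines).
Patching file libexec/ftpd/ftpcmd.y using Plan A...
Hunk #3 succeeded at 928 (offset -13 lines).
"""
CC_LOG = """\
/usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared (first use in this function)
/usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared (first use in this function)
"""
FILE_RE = re.compile(r"^Patching file (\S+) using")
HUNK_RE = re.compile(r"^Hunk #(\d+) (succeeded|failed) at (\d+)(?: \(offset (-?\d+) lines\))?")
UNDECL_RE = re.compile(r"^(\S+?):(\d+): `(\w+)' undeclared")

def parse_patch_log(text):
    """Map each patched file to its (hunk, status, line, offset) records."""
    files, current = {}, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            files[current] = []
            continue
        m = HUNK_RE.match(line)
        if m and current is not None:
            hunk, status, at, off = m.groups()
            files[current].append((int(hunk), status, int(at), int(off or 0)))
    return files

def parse_undeclared(text):
    """Return (file, line, identifier) for every `X' undeclared diagnostic."""
    hits = (UNDECL_RE.match(ln) for ln in text.splitlines())
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in hits if m]

def triage(patch_log, cc_log):
    """What the patch touched vs. what cc could not find: undeclared names in a
    patched .c with no header in the patch suggest a missing header change (assumption)."""
    files = parse_patch_log(patch_log)
    return {
        "patched": sorted(files),
        "headers_patched": sorted(f for f in files if f.endswith(".h")),
        "undeclared": sorted({i for _, _, i in parse_undeclared(cc_log)}),
        "failed_hunks": [(f, h) for f, hs in files.items() for h, st, _, _ in hs if st == "failed"],
    }
```

Run `triage(PATCH_LOG, CC_LOG)` on the constructed logs and the result lists three patched source files, no patched header, and `GLOB_LIMIT` and `GLOB_MAXPATH` as the undeclared names, which is the first thing to check before rebuilding libc.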


