Network Associates’ PGP Security has issued an advisory concerning a security flaw in many implementations of FTPd-derived server software. File transfer protocol (FTP) software is a critical element in all Internet servers, allowing both administrators and users to upload and download files. This particular flaw, related to a buffer overflow in the glob() function, affects FTP daemons in a half dozen Unix server platforms.?

When dealing with file systems it is useful to be able to use wildcards and other file-search shortcuts. For example, listing the contents of a directory using the DOS command: DIR *.MP3 (in Unix, ls *.mp3) will list all files that end in an .MP3 suffix. The asterisk here is called a “metacharacter.” Other commonly used metacharacters are the slash, question mark, colon, and tilde. The process of expanding metacharacters into identifiable file names is called “globbing.”

Not just file names, but paths can also be “globbed.” For example, the tilde character (”~”) can be expanded into the path of the home directory of the specified user. In the case of FTP server code that allows globbing of the tilde character, the FTP daemon typically expects file paths limited to 512 characters. But when expanded in the glob() function by wildcard characters, the resolution of the path can result in “very large input strings being passed into the main command processing routines,” which can lead to “exploitable buffer overflow conditions” and “unbounded string operations.”

Out of Bounds

The deliberately triggered buffer overflow is at the heart of many software “hacks.” When a buffer overflows it spills data over a memory boundary, and is mistaken by the operating system as a legitimate command. How the buffer overflow occurs differs from system to system. In Solaris, a LIST command can do the trick; in HPUX, the STAT command causes a stack-based overflow; BSD has four commands tied to the glob() function that can be exploited.

COVERT labs at PGP Security has so far confirmed that six Unix operating systems have vulnerable FTP daemons, though many others may also be affected:

FreeBSD 4.2
OpenBSD 2.8
NetBSD 1.5
IRIX 6.5.x
HPUX 11
Solaris 8

PGP Security has also published an update to its CyberCop Scanner utility that detects affected software.

Patches in the Works

PGP recommends that until patches become available, administrators should make sure to protect any directories in the anonymous FTP tree that are writeable by an anonymous FTP user. But even without a writeable directory present, OpenBSD and NetBSD can be exploited if a directory has a name longer than 12 characters; FreeBSD is vulnerable for names longer than 9 characters.

The CERT Coordination Center at Carnegie Mellon University has contacted the various Unix vendors about the status of their Unix products in regards to these flaws. FreeBSD reports that they have corrected the bugs “in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they will not be present in FreeBSD 4.3-RELEASE.” NetBSD has a fix that should “work on any 4.4BSD derived glob(3).” Fujitsu is in the process of preparing patches to UXP/V versions V10L20 and V20L10. SGI has acknowledged that the flaw exists in its software and is “currently investigating.”

For Unix operating systems not listed above, webmasters and network administrators should contact their vendors and confirm whether their software contains the FTP flaw, and if so, when a patch will be made available.