J-Security Center

Title: Multiple Vendor FTP glob Expansion Vulnerability

Severity: HIGH

Description:

Some FTP servers, under specific operating environments, are vulnerable to a denial of service through resource exhaustion.

The condition results from lack of restrictions on globbing. Globbing is the process by which file name patterns containing common characters such as the wildcard symbols * and ?, multiple choices denoted by {}, and others are expanded to full pathname lists. Under conditions where a sufficient number of files and directories are accessible, and no per-user resource limits have been established, a denial of service is possible.

This can be accomplished by submitting to the FTP server a string such as the following, with the repetitive portion repeated as many times as necessary:

"ls */../*/../*/../*/../*/../*/../*/../*/../"

WuFTPd 2.6.1 has incorporated a check for this issue.

Conflicting reports regarding numerous other FTP daemons have been received; these are likely the result of different operating environments, specifically the number of pathnames that are reachable through a recursive file name pattern, and the presence or absence of per-user resource limits (either within the FTP daemon itself or at the operating system level).

At the time of writing, some FTP daemons incorporate "partial fixes", i.e., they contain a check for the */../* pattern but not for variants such as "*/..*/*/..*/*/.." or "*?/.*./*?/.*.". These "partially fixed" FTP daemons include PureFTPd 0.96 and TrollTech FTPd up to and including 1.25.
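As an added illustration (not code from the advisory or from any of the daemons named), the following Python emulates a server-side glob expander with a fixed work budget and places it beside the kind of pattern blacklist the "partial fixes" above rely on. The function names and the sample directory tree are constructed for this example; the point is that the variants slip past the blacklist but hit the budget by the same arithmetic as the original pattern.

```python
import fnmatch
import os
import tempfile

class GlobLimitExceeded(Exception):
    """Raised when a pattern's expansion exceeds the configured work budget."""

def naive_check(pattern: str) -> bool:
    """Blacklist in the style of the 'partial fixes' described above: it refuses
    only the literal */../* form, so variants such as */..*/* slip through."""
    return "*/../*" not in pattern

def bounded_glob(root: str, pattern: str, max_paths: int = 1000) -> list:
    """Expand an FTP-style glob under root, charging every candidate path against
    a fixed budget: each wildcard multiplies the candidates by the directory size
    and each '..' keeps the duplicates alive, so */../*/../* trips the limit long
    before it can exhaust the server."""
    root = os.path.realpath(root)
    paths = [root]
    for seg in [s for s in pattern.split("/") if s]:
        expanded = []
        for base in paths:
            try:
                entries = os.listdir(base)
            except OSError:  # base is a file or has vanished: nothing matches
                continue
            # readdir() also yields "." and "..", which is how variants like "..*"
            # climb to the parent; as in a shell, dot-names need a dot-led pattern.
            if seg.startswith("."):
                names = entries + [".", ".."]
            else:
                names = [e for e in entries if not e.startswith(".")]
            for name in names:
                if not fnmatch.fnmatchcase(name, seg):
                    continue
                target = os.path.normpath(os.path.join(base, name))
                expanded.append(target if target.startswith(root) else root)  # chroot
                if len(expanded) > max_paths:
                    raise GlobLimitExceeded(f"{pattern!r} exceeds {max_paths} candidate paths")
        paths = expanded
    return sorted(set(paths))

def build_sample_tree(dirs: int = 8, files: int = 8) -> str:
    """Constructed sample data: dirs d0..d7 under a temp root, each holding f0..f7.txt."""
    root = tempfile.mkdtemp(prefix="ftpglob-")
    for d in range(dirs):
        os.mkdir(os.path.join(root, f"d{d}"))
        for f in range(files):
            open(os.path.join(root, f"d{d}", f"f{f}.txt"), "w").close()
    return root
```

With eight directories of eight files, "*/../*/../*/../*" reaches 4096 candidates at the fourth wildcard and is refused at the 1001st, while an ordinary "*/f0.txt" returns its eight matches.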

It may also be possible to execute arbitrary code on some vulnerable FTP daemons via a buffer overflow.

Affected Products:

  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.1
  • BeroFTPD BeroFTPD 1.3.4
  • Caldera OpenLinux 2.4.0
  • Caldera OpenLinux Desktop 2.3.0
  • Caldera OpenLinux Standard 1.2.0
  • Cobalt Qube 1.0.0
  • Cobalt Qube 2.0.0
  • Cobalt Qube 3.0.0
  • Cobalt RaQ 1.1.0
  • Cobalt RaQ 2.0.0
  • Cobalt RaQ 3.0.0
  • Conectiva Linux 4.0.0
  • Conectiva Linux 4.0.0 es
  • Conectiva Linux 4.1.0
  • Conectiva Linux 4.2.0
  • Conectiva Linux 5.0.0
  • Conectiva Linux 5.1.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • Conectiva Linux ecommerce
  • Conectiva Linux graficas
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • FreeBSD FreeBSD 3.5.1
  • FreeBSD FreeBSD 4.2.0
  • HP HP-UX 10.0.01
  • HP HP-UX 10.10.0
  • HP HP-UX 10.20.0
  • HP HP-UX 11.0.0
  • HP HP-UX 11.11.0
  • IBM AIX 4.3.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • OpenBSD OpenBSD 2.6.0
  • OpenBSD OpenBSD 2.7.0
  • ProFTPD Project ProFTPD 1.2.0
  • ProFTPD Project ProFTPD 1.2.0.0rc3
  • ProFTPD Project ProFTPD 1.2.0pre1
  • ProFTPD Project ProFTPD 1.2.0pre10
  • ProFTPD Project ProFTPD 1.2.0pre11
  • ProFTPD Project ProFTPD 1.2.0pre2
  • ProFTPD Project ProFTPD 1.2.0pre3
  • ProFTPD Project ProFTPD 1.2.0pre4
  • ProFTPD Project ProFTPD 1.2.0pre5
  • ProFTPD Project ProFTPD 1.2.0pre6
  • ProFTPD Project ProFTPD 1.2.0pre7
  • ProFTPD Project ProFTPD 1.2.0pre8
  • ProFTPD Project ProFTPD 1.2.0pre9
  • ProFTPD Project ProFTPD 1.2.1
  • PureFTPd PureFTPd 0.96.0
  • RedHat Linux 5.2.0 alpha
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 5.2.0 sparc
  • RedHat Linux 6.0.0
  • RedHat Linux 6.0.0 alpha
  • RedHat Linux 6.0.0 sparc
  • RedHat Linux 6.1.0 alpha
  • RedHat Linux 6.1.0 i386
  • RedHat Linux 6.1.0 sparc
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • S.u.S.E. Linux 6.1.0
  • S.u.S.E. Linux 6.1.0 alpha
  • S.u.S.E. Linux 6.2.0
  • S.u.S.E. Linux 6.3.0
  • S.u.S.E. Linux 6.3.0 alpha
  • S.u.S.E. Linux 6.3.0 ppc
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 6.4.0 alpha
  • S.u.S.E. Linux 6.4.0 ppc
  • S.u.S.E. Linux 7.0.0 alpha
  • S.u.S.E. Linux 7.0.0 i386
  • S.u.S.E. Linux 7.0.0 ppc
  • S.u.S.E. Linux 7.0.0 sparc
  • S.u.S.E. Linux 7.1.0 alpha
  • S.u.S.E. Linux 7.1.0 ppc
  • S.u.S.E. Linux 7.1.0 sparc
  • S.u.S.E. Linux 7.1.0 x86
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.2.0 i386
  • S.u.S.E. Linux 7.3.0 i386
  • S.u.S.E. Linux 7.3.0 ppc
  • S.u.S.E. Linux 7.3.0 sparc
  • SCO eDesktop 2.4.0
  • SCO eServer 2.3.0
  • SCO eServer 2.3.1
  • Sun Solaris 7.0
  • Sun Solaris 7.0_x86
  • Sun Solaris 8
  • Sun Solaris 8_x86
  • Trolltech ftpd 1.21.0
  • Trolltech ftpd 1.22.0
  • Trolltech ftpd 1.23.0
  • Trolltech ftpd 1.24.0
  • Trolltech ftpd 1.25.0
  • Turbolinux Turbolinux 4.0.0
  • Washington University wu-ftpd 2.4.2 academ[BETA-18]
  • Washington University wu-ftpd 2.4.2 academ[BETA1-15]
  • Washington University wu-ftpd 2.5.0 .0
  • Washington University wu-ftpd 2.6.0 .0
  • WireX Immunix OS 6.2.0
