Title: Solaris ftpd glob() Expansion LIST Heap Overflow Vulnerability
Severity: HIGH
Description:
The Solaris ftp daemon contains a heap-based buffer overflow condition. The overflow occurs when the LIST command is issued with an argument that expands into an oversized string after being processed by glob().
When processing user input, the ftp daemon uses 'glob()' functions to expand wildcards and metacharacters in filepaths, as shells do. An example of this is the tilde ('~') character. The glob() function replaces this character in the filepath with the path to the user's home directory. The output, an expanded path, is then used by the ftp daemon to construct a command string for the execution of '/bin/ls'. When constructing this string, an unsafe string copy creates a buffer overflow condition if the source string is too long.
This buffer overflow occurs in memory that is dynamically allocated. It may be possible for attackers to exploit this vulnerability and execute arbitrary code on the affected host. This could be accomplished by overwriting pointers in neighboring malloc headers. If exploited successfully, malloc could be tricked into writing arbitrary values to attacker-supplied locations in memory when free() is called on the targeted chunk. By overwriting something such as a PLT entry or a function return address on the stack, an attacker may be able to execute arbitrary code.
To exploit this, the attacker must be able to create directories on the target host. In most cases, this limits exploitability to local users. On systems where anonymous ftp users can write to a directory (such as 'incoming/'), remote exploitation may be a threat.
Affected Products:
- Sun Solaris 2.3
- Sun Solaris 2.4
- Sun Solaris 2.5
- Sun Solaris 2.5.1
- Sun Solaris 2.6
- Sun Solaris 7.0
- Sun Solaris 8
References:
- Sun Microsystems: Sun-00205
- Sun Microsystems: Sunsolve Online(tm)
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.