Title: HP-UX ftpd glob() Expansion STAT Buffer Overflow Vulnerability
Severity: HIGH
Description:
Hewlett Packard's HP-UX ftp daemon contains a stack-based buffer overflow condition. The overflow occurs when the STAT command is issued with an argument that expands into an oversized string after being processed by glob().
When the STAT command is given a filename or path as its argument, the output is the same as that of the LIST command. The only difference is that the output is sent over the FTP control connection rather than a data connection. For this reason, any argument to STAT is passed to the glob() function.
When processing user input, the ftp daemon uses 'glob()' functions to expand wildcards and metacharacters in filepaths, as shells do. An example of this is the tilde ('~') character. The glob() function replaces this character in the filepath with the path to the user's home directory. The output, an expanded path, is then used by the ftp daemon to construct a command string for the execution of '/bin/ls'. When constructing this string, an unsafe string copy creates a buffer overflow condition if the source string is too long.
The overflow condition occurs in memory on the stack. The unsafe memory copy copies from the expanded filepath to a local variable. The excess data overwrites stack variables, making it possible for the attacker to replace critical values such as the function return address and exploit this vulnerability in a typical stack overflow manner.
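The copy pattern described above, alongside a bounded alternative, as an added illustration that is not HP's ftpd code: the buffer size, the `ls` flags and the home-directory value are constructed for the example, and `expand_tilde()` is a stand-in for glob()'s tilde handling. The point it shows is that the length check has to run on the expanded path, since a three-byte STAT argument can expand into a path longer than the destination buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX 64   /* illustrative; the real daemon's buffer size is not given */
/* Constructed home directory: long enough that "~" alone no longer fits. */
#define HOME_DIR "/home/verylongusername_constructed_for_this_example/projects"

/* Stand-in for glob()'s tilde expansion: a leading "~" becomes the home dir.
 * A 3-byte argument like "~/x" becomes 60+ bytes, so a length check on the
 * raw argument (before expansion) says nothing about the final path. */
char *expand_tilde(const char *arg) {
    int tilde = arg[0] == '~' && (arg[1] == '/' || arg[1] == '\0');
    const char *prefix = tilde ? HOME_DIR : "";
    const char *rest   = tilde ? arg + 1 : arg;
    size_t n = strlen(prefix) + strlen(rest) + 1;
    char *out = malloc(n);
    if (out) snprintf(out, n, "%s%s", prefix, rest);
    return out;
}

/* The unbounded copy the advisory describes; shown for contrast, never called. */
void build_ls_cmd_unsafe(const char *expanded) {
    char cmd[CMD_MAX];
    strcpy(cmd, "/bin/ls -lgA ");   /* ls flags are illustrative */
    strcat(cmd, expanded);          /* writes past cmd when expanded is long */
}

/* Hardened form: bounded write, and the caller learns when the path was
 * too long instead of silently getting a truncated or corrupted command. */
int build_ls_cmd(char *cmd, size_t cmdsz, const char *expanded) {
    int n = snprintf(cmd, cmdsz, "/bin/ls -lgA %s", expanded);
    if (n < 0 || (size_t)n >= cmdsz) { cmd[0] = '\0'; return -1; }
    return 0;
}

/* Returns 1 if the STAT argument is accepted after expansion, 0 if rejected. */
int stat_arg_fits(const char *arg) {
    char cmd[CMD_MAX];
    char *expanded = expand_tilde(arg);
    if (!expanded) return 0;
    int ok = build_ls_cmd(cmd, sizeof cmd, expanded) == 0;
    free(expanded);
    return ok;
}

int main(void) {
    const char *args[] = { "pub", "~/x", "~" };   /* constructed inputs */
    for (size_t i = 0; i < 3; i++)
        printf("STAT %-3s -> %s\n", args[i], stat_arg_fits(args[i]) ? "ok" : "rejected");
    return 0;
}
```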
Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code with root privileges.
To exploit this, the attacker must be able to create directories on the target host. In most cases, this limits exploitability to users with legitimate local access. On systems where anonymous ftp users can write to a directory (such as 'incoming/'), remote exploitation may be a threat.
Affected Products:
- HP HP-UX (VVOS) 10.24.0
- HP HP-UX (VVOS) 11.0.4
- HP HP-UX 10.0.0
- HP HP-UX 10.0.0 1
- HP HP-UX 10.10.0
- HP HP-UX 10.20.0
- HP HP-UX 10.30.0
- HP HP-UX 11.0.0
References:
- Hewlett Packard: HP Support