FTP: OpenBSD FTP Daemon glob() Buffer Overflow
This signature detects attempts to exploit a known vulnerability in the OpenBSD FTP daemon, by submitting a malicious LIST request containing file globbing characters. Other malicious file globbing operations performed during this attack can be detected by the FTP:DOS:PROFTPD-GLOB-DOS1 signature. Successful exploitation of this vulnerability can allow an attacker to execute arbitrary code on the victim host with administrator privileges. OpenBSD versions 2.0-2.8 are vulnerable.
Extended Description
The BSD ftp daemon and derivatives (such as IRIX ftpd or the ftp daemon shipped with Kerberos 5) contain a number of buffer overflows that may lead to a compromise of root access to malicious users. During parsing operations, the ftp daemon assumes that there can never be more than 512 bytes of user-supplied data. This is because that is usually how much data is read from a socket. Because of this assumption, certain memory copy operations involving user data lack bounds checking. It is possible for users to use metacharacters to expand file/path names through interpretation by glob() and exploit these overflowable conditions. In order to do so, the attacker's ftp account must be able to either create directories or directories with long enough names must exist already. Any attacker to successfully exploit this vulnerability would gain root access on the target host.
Affected Products
Compaq tru64
Short Name
FTP:OVERFLOW:OPENBSD-FTPD-GLOB
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
FTP
Keywords
Buffer CA-2001-07 CVE-2001-0247 Daemon FTP OpenBSD Overflow bid:2548 glob()
Release Date
04/24/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Unknown
Vendors
Openbsd
Compaq
Sgi
Freebsd
Netbsd
Mit
CVSS Score
10.0