SCAN: FreeBSD FTP Daemon glob() Buffer Overflow
This signature detects attempts to exploit a known vulnerability against the FreeBSD FTP daemon. FreeBSD-4.2 is vulnerable. Attackers can submit a malicious STAT request that contains file globing characters, to execute arbitrary code on the target host with administrator privileges.
Extended Description
The BSD ftp daemon and derivatives (such as IRIX ftpd or the ftp daemon shipped with Kerberos 5) contain a number of buffer overflows that may lead to a compromise of root access to malicious users. During parsing operations, the ftp daemon assumes that there can never be more than 512 bytes of user-supplied data. This is because that is usually how much data is read from a socket. Because of this assumption, certain memory copy operations involving user data lack bounds checking. It is possible for users to use metacharacters to expand file/path names through interpretation by glob() and exploit these overflowable conditions. In order to do so, the attacker's ftp account must be able to either create directories or directories with long enough names must exist already. Any attacker to successfully exploit this vulnerability would gain root access on the target host.
Affected Products
Compaq tru64
References
BugTraq: 2548
CVE: CVE-2001-0247
URL: http://archives.neohapsis.com/archives/freebsd/2001-04/0466.html
Short Name
SCAN:MISC:FTP:FREEBSD-FTPD-GLOB
Severity
Warning
Recommended
False
Recommended Action
None
Category
SCAN
Keywords
Buffer CA-2001-07 CVE-2001-0247 Daemon FTP FreeBSD Overflow bid:2548 glob()
Release Date
04/24/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Unknown
Vendors
Openbsd
Compaq
Sgi
Freebsd
Netbsd
Mit
CVSS Score
10.0