Short Name |
FTP:OVERFLOW:OPENBSD-FTPD-GLOB |
---|---|
Severity |
Critical |
Recommended |
No |
Recommended Action |
Drop |
Category |
FTP |
Keywords |
OpenBSD FTP Daemon glob() Buffer Overflow |
Release Date |
2003/04/23 |
Update Number |
1213 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
This signature detects attempts to exploit a known vulnerability in the OpenBSD FTP daemon, by submitting a malicious LIST request containing file globbing characters. Other malicious file globbing operations performed during this attack can be detected by the FTP:DOS:PROFTPD-GLOB-DOS1 signature. Successful exploitation of this vulnerability can allow an attacker to execute arbitrary code on the victim host with administrator privileges. OpenBSD versions 2.0-2.8 are vulnerable.
The BSD ftp daemon and derivatives (such as IRIX ftpd or the ftp daemon shipped with Kerberos 5) contain a number of buffer overflows that may lead to a compromise of root access to malicious users. During parsing operations, the ftp daemon assumes that there can never be more than 512 bytes of user-supplied data. This is because that is usually how much data is read from a socket. Because of this assumption, certain memory copy operations involving user data lack bounds checking. It is possible for users to use metacharacters to expand file/path names through interpretation by glob() and exploit these overflowable conditions. In order to do so, the attacker's ftp account must be able to either create directories or directories with long enough names must exist already. Any attacker to successfully exploit this vulnerability would gain root access on the target host.