Friday, October 8, 2010

Flaw in glob function implementation put FTP servers at risk

H Security reports a DoS vulnerability that affects many FTP servers. These servers rely on a flawed implementation of the glob function that is vulnerable to a resource exhaustion attack.

Quoting H Security,

The problem exists because GLOB_LIMIT, a feature added in 2001 to limit the amount of memory used by the glob() function, is ineffective. Globbing, as it is called, calls on the glob() function to match wildcard patterns when generating a list of matching file names. Because GLOB_LIMIT is not effective, it potentially allows a system's main memory to be flooded when processing certain patterns, and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result.

Maksymilian Arciemowicz, the researcher who published the advisory (Also published in, reported that the main BSD operating systems are affected (OpenBSD, NetBSD, FreeBSD and Solaris), as well as GNU libc.

The advisory confirms that the vulnerability is easily exploitable:

protect us before attacks like
because glob will find more paths than declared in GLOB_LIMIT. Anyway, if we use paths that do not exist (with */.. strings) like
GLOB_LIMIT will never be overflowed. Many combinations of paths will execute this process for a long time. We can also try to allocate (GLOB_LIMIT-1)*MAXPATHNAMELEN bytes per process. ~200~300MB
> telnet 21
Connected to
Escape character is '^]'.
220 FTP server (NetBSD-ftpd 20100320) ready.
user anonymous
331 Guest login ok, type your name as password.
pass anon@cxib
The NetBSD Project FTP Server located in Redwood City, CA, USA

230 Guest login ok, access restrictions apply.

This request will generate 100% process usage for a long time. ftpd comes into glob(3) and will not come out fast. A very similar symptom was described in the vulnerability for glibc strfmon(3).
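Added here as a defensive illustration, not code from the advisory or from any of the affected ftpd implementations: a pre-filter a server can apply to a client-supplied pattern before handing it to glob(3), so that patterns with many wildcards or ".." components are refused up front instead of relying on GLOB_LIMIT, which the advisory shows is never reached when the paths do not exist. The thresholds, function names and the non-existent test path are assumptions chosen for this example.

```c
#include <glob.h>
#include <string.h>

/* Assumed thresholds for illustration, not values from the advisory. */
#define MAX_WILDCARDS 8  /* '*', '?' and '[' characters per pattern */
#define MAX_DOTDOT    2  /* ".." path components per pattern */

/* Count the metacharacters that make glob(3) expand a pattern. */
size_t count_wildcards(const char *p)
{
    size_t n = 0;
    for (; *p; p++)
        if (*p == '*' || *p == '?' || *p == '[')
            n++;
    return n;
}

/* Count ".." path components, splitting on '/'. */
size_t count_dotdot(const char *p)
{
    size_t n = 0;
    while (*p) {
        const char *e = strchr(p, '/');
        size_t len = e ? (size_t)(e - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            n++;
        if (!e)
            break;
        p = e + 1;
    }
    return n;
}

/* 1 if a client-supplied pattern is within the limits, 0 otherwise. */
int pattern_acceptable(const char *p)
{
    return count_wildcards(p) <= MAX_WILDCARDS && count_dotdot(p) <= MAX_DOTDOT;
}

/* Rejected patterns never reach glob(3) and get GLOB_ABORTED; otherwise the
 * glob(3) status is returned and any match list is freed. */
int guarded_glob_status(const char *p)
{
    glob_t g; int rc;
    if (!pattern_acceptable(p))
        return GLOB_ABORTED;
    rc = glob(p, 0, NULL, &g);
    if (rc == 0)
        globfree(&g);
    return rc;
}
```

The limits are deliberately low for an anonymous FTP listing; a server that legitimately needs deeper patterns would raise them rather than drop the check.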
