Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

Short Name

 SCAN:MISC:FTP:FREEBSD-FTPD-GLOB

Severity

 Low

Recommended

 No

Category

 SCAN

Keywords

 FreeBSD FTP Daemon glob() Buffer Overflow

Release Date

 2003/04/23

Update Number

 1213

Supported Platforms

 idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

SCAN: FreeBSD FTP Daemon glob() Buffer Overflow


This signature detects attempts to exploit a known vulnerability against the FreeBSD FTP daemon. FreeBSD-4.2 is vulnerable. Attackers can submit a malicious STAT request that contains file globing characters, to execute arbitrary code on the target host with administrator privileges.

Extended Description

The BSD ftp daemon and derivatives (such as IRIX ftpd or the ftp daemon shipped with Kerberos 5) contain a number of buffer overflows that may lead to a compromise of root access to malicious users. During parsing operations, the ftp daemon assumes that there can never be more than 512 bytes of user-supplied data. This is because that is usually how much data is read from a socket. Because of this assumption, certain memory copy operations involving user data lack bounds checking. It is possible for users to use metacharacters to expand file/path names through interpretation by glob() and exploit these overflowable conditions. In order to do so, the attacker's ftp account must be able to either create directories or directories with long enough names must exist already. Any attacker to successfully exploit this vulnerability would gain root access on the target host.

Affected Products

  • Compaq Tru64 4.0.0 f
  • Compaq Tru64 4.0.0 f PK6 (BL17)
  • Compaq Tru64 4.0.0 f PK7 (BL18)
  • Compaq Tru64 4.0.0 g
  • Compaq Tru64 4.0.0 g PK3 (BL17)
  • Compaq Tru64 5.0.0
  • Compaq Tru64 5.0.0 a
  • Compaq Tru64 5.0.0 a PK3 (BL17)
  • Compaq Tru64 5.0.0 f
  • Compaq Tru64 5.0.0 PK4 (BL17)
  • Compaq Tru64 5.0.0 PK4 (BL18)
  • Compaq Tru64 5.1.0
  • Compaq Tru64 5.1.0 a
  • Compaq Tru64 5.1.0 a PK1 (BL1)
  • Compaq Tru64 5.1.0 PK3 (BL17)
  • Compaq Tru64 5.1.0 PK4 (BL18)
  • FreeBSD 2.2.0
  • FreeBSD 2.2.2
  • FreeBSD 2.2.3
  • FreeBSD 2.2.4
  • FreeBSD 2.2.5
  • FreeBSD 2.2.6
  • FreeBSD 2.2.8
  • FreeBSD 3.0.0
  • FreeBSD 3.1.0
  • FreeBSD 3.2.0
  • FreeBSD 3.3.0
  • FreeBSD 3.4.0
  • FreeBSD 3.5.0
  • FreeBSD 3.5.1
  • FreeBSD 4.0.0
  • FreeBSD 4.1.0
  • FreeBSD 4.1.1
  • FreeBSD 4.2.0
  • MIT Kerberos 5 1.1.1
  • MIT Kerberos 5 1.2.0
  • MIT Kerberos 5 1.2.1
  • MIT Kerberos 5 1.2.2
  • NetBSD 1.2.1
  • NetBSD 1.3.0
  • NetBSD 1.3.1
  • NetBSD 1.3.2
  • NetBSD 1.3.3
  • NetBSD 1.4.0
  • NetBSD 1.4.1
  • NetBSD 1.4.2
  • NetBSD 1.4.3
  • NetBSD 1.5.0
  • OpenBSD 2.3.0
  • OpenBSD 2.4.0
  • OpenBSD 2.5.0
  • OpenBSD 2.6.0
  • OpenBSD 2.7.0
  • OpenBSD 2.8.0
  • SGI IRIX 6.1.0
  • SGI IRIX 6.5.0
  • SGI IRIX 6.5.1
  • SGI IRIX 6.5.10
  • SGI IRIX 6.5.11
  • SGI IRIX 6.5.2 m
  • SGI IRIX 6.5.3
  • SGI IRIX 6.5.3 f
  • SGI IRIX 6.5.3 m
  • SGI IRIX 6.5.4
  • SGI IRIX 6.5.5
  • SGI IRIX 6.5.6
  • SGI IRIX 6.5.7
  • SGI IRIX 6.5.8

References

  • BugTraq: 2548
  • CERT: CA-2001-07
  • CVE: CVE-2001-0247
  • URL: http://archives.neohapsis.com/archives/freebsd/2001-04/0466.html

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out