
Vulnerability in the standard glob() function as a threat to FTP servers

SecurityReason reports that a dangerous bug has been found in the implementation of the library function glob() from the standard C library (libc) on many platforms.

This function returns a list of files whose names match a given pattern. The bug is that the limit on the function's output, which the GLOB_LIMIT flag is supposed to enforce, is not applied when the pattern contains malformed paths. Examples of such patterns are "*/../*/../*foo" or "{..,..,..}/*/{..,..,..}/*bar". In that case a call to glob() can exhaust all memory available to the process.

This bug is particularly dangerous for (S)FTP servers, especially ones that allow anonymous access. Obviously, a request to list files with a mask like the above leads to a swift denial of service on the FTP server.
According to the latest data, at least the following operating systems are vulnerable: OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3 / 8.1, Oracle / Sun Solaris 10, and all versions of Linux with GLIBC. So far the vulnerability has been fixed only in NetBSD; the companies and communities developing the other operating systems listed have not yet provided any information, which is why the vulnerability is classified as a "0-day". It is also reported that vsftpd is not vulnerable.

Those who want to see the vulnerability in action can type a command like the following in a bash shell:
ls ../../*/../*/*/../../*/*/*/*

It can be triggered, for example, from PHP:
php -r 'print glob("../../*/../*/*/../../*/*/*/*");'

or from Python:
python -c 'import glob; glob.glob("../../*/../*/*/../../*/*/*/*")'

and from any other language that exposes this function.
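While libc remains unpatched, the practical server-side mitigation is to refuse to hand such patterns to glob() at all: patterns of the shape above combine ".." segments with wildcards so the matcher re-walks the same directories over and over, and brace groups multiply that fan-out. The following Python is an added example, not code from the advisory, from Habr, or from any FTP server; the helper names (analyse_pattern, is_pattern_allowed, safe_glob) and the thresholds are assumptions chosen for illustration, and the sample patterns are the ones quoted in the text.

```python
import glob
import re
from dataclasses import dataclass

# Illustrative policy limits (assumed values, not from the advisory).
MAX_WILDCARD_SEGMENTS = 3   # at most this many path segments may contain * ? [
MAX_BRACE_EXPANSIONS = 8    # product of alternatives across all {a,b,c} groups

_BRACE_RE = re.compile(r"\{([^{}]*)\}")


@dataclass
class PatternStats:
    wildcard_segments: int   # path segments containing a wildcard character
    parent_refs: int         # number of ".." components, inside braces included
    brace_expansions: int    # multiplicative fan-out of all brace groups


def analyse_pattern(pattern: str) -> PatternStats:
    """Count the features that make a glob pattern expensive to expand."""
    # Each {a,b,c} group multiplies the number of patterns glob() must walk.
    brace_expansions = 1
    for group in _BRACE_RE.findall(pattern):
        brace_expansions *= max(1, len(group.split(",")))

    # ".." is counted wherever it appears, including as a brace alternative,
    # because every copy re-enters a directory that was already traversed.
    parent_refs = sum(1 for s in re.split(r"[/,{}]", pattern) if s == "..")

    # Replace brace groups with a literal before splitting so they do not
    # inflate the wildcard count; their cost is already in brace_expansions.
    stripped = _BRACE_RE.sub("X", pattern)
    segments = [s for s in stripped.split("/") if s]
    wildcard_segments = sum(1 for s in segments if any(c in s for c in "*?["))

    return PatternStats(wildcard_segments, parent_refs, brace_expansions)


def is_pattern_allowed(pattern: str,
                       max_wildcards: int = MAX_WILDCARD_SEGMENTS,
                       max_expansions: int = MAX_BRACE_EXPANSIONS) -> bool:
    """Policy check to run on a client-supplied listing mask before glob()."""
    st = analyse_pattern(pattern)
    # ".." interleaved with wildcards is exactly the shape that defeats
    # GLOB_LIMIT; a directory listing never legitimately needs it.
    if st.parent_refs and st.wildcard_segments:
        return False
    return (st.wildcard_segments <= max_wildcards
            and st.brace_expansions <= max_expansions)


def safe_glob(pattern: str) -> list:
    """Expand a pattern only after it has passed the policy check."""
    if not is_pattern_allowed(pattern):
        raise ValueError(f"pattern rejected by policy: {pattern!r}")
    return glob.glob(pattern)


if __name__ == "__main__":
    for p in ["*.txt", "pub/*/README",
              "../../*/../*/*/../../*/*/*/*",
              "{..,..,..}/*/{..,..,..}/*bar"]:
        print(p, analyse_pattern(p), "allowed" if is_pattern_allowed(p) else "REJECTED")
```

The check is deliberately conservative: it looks only at the pattern text, so it costs nothing to evaluate and rejects the problematic shapes before any filesystem walk starts. A server that must support ".." in listings can relax the first rule and rely on the wildcard and brace thresholds alone, but the combination of both should stay forbidden for untrusted (anonymous) sessions.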

The original vulnerability report is here: securityreason.com/securityalert/7822

Source: https://habr.com/ru/post/105894/
