Project

General

Profile

Bug #323

Need fix for glob() resource exhaustion

Added by Jason King about 9 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
-
Start date:
2010-10-08
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

http://securityreason.com/securityalert/7822 describes the bug. In short, carefully crafted values passed to glob(3c) can cause excessive resource consumption. This means any external facing apps using glob(3c) such as in.ftpd or sftp are vulnerable to a denial of service attack.

History

#1

Updated by sham pavman almost 9 years ago

  • Assignee set to sham pavman
#2

Updated by sham pavman almost 9 years ago

After spending some time on this issue I can see that the issue of resource exhaustion using ftp did not occur.

I ftp'd into a ncp machine from illumos and here are the results

1.)#ftp> ls /..//../*/../*/../*/../*/../*
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
IPS-SVR4
ips-deb
nexenta-gate
onu.sh
packages.i386.tgz
proto
proto.tar
usr
226 Transfer complete.
remote: /..//../*/../*/../*/../*/../*
83 bytes received in 0.00079 seconds (103.25 Kbytes/s)
(As you see there are no duplicate entries either.)

However when I try the regex as given in the CVE this is what happens..
ftp> ls /{..,..}//{..,..}/*/{..,..}/*/{..,..}/*
200 PORT command successful.
550 Arguments too long
ftp>
(From the discussions that I’ve gone through it clearly states that this regex is sufficient to bring down a machine but here we can see that this is not allowed at all.)

Apart from this I’ve also read the ftpd.c file and found out that there is a fix for a possible DOS already.
http://hg.genunix.org/onnv-gate.hg/file/f835be4545bb/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/ftpd.c#l7918
(under the fixpath() )

Apart from this the bug reports that 'sftp' is also vulnerable.
Initial tests i did suggests that this problem exists in sftp, however ftp looks clean.

Shampavman

#3

Updated by Garrett D'Amore almost 9 years ago

We need to make sure that we are testing an illumos machine, not NCP (unless testing NCP4 prealpha).

Specifically, NCP 3.x probably has a different ftp daemon.

While Nexenta needs to know that NCP3 is free from the problem (or a patch will need to be created), illumos is a separate matter. The interesting change to ftpd was integrated in 140, after the NCP3 was forked from OpenSolaris (which was in build 134.)

#4

Updated by Dan McDonald over 8 years ago

  • Difficulty set to Medium
  • Tags set to needs-triage

Sorry this took so long.

in.ftpd (which is a version of WUftpd) has its own globbing here:

usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/glob.c

sftp also has its own globbing here:

usr/src/cmd/ssh/libopenbsd-compat/common/glob.c

the latter is a port of NetBSD/OpenBSD, and it's likely a direct drop from NetBSD will work here.

#5

Updated by Gary Mills over 8 years ago

The FTP server in oi_148b is version wu-2.6.2+Sun.
It uses a private globbing function called `ftpglob'.
I've built a test program that calls this function in a
similar way to the FTP server. With this, I've verified
that the resource exhaustion bug exists when it's given
a carefully-crafted path.

Oracle has fixed this bug in their copy of the source and
issued patches for it. The original wu-2.6.2 FTP server
has not been maintained for many years. An updated
version is available at http://www.wfms.org/wu-ftpd/ but
even this one has not been maintained since 2009. The
BSD FTP servers appear to be completely different from
the WU version. I'd recommend that the BSD version be
ported to Illumos, replacing the wu-2.6.2+Sun version.

In the interim, I should be able to develop a patch for the
glob.c file that will eliminate the resource exhaustion
vulnerability described in CVE-2010-2632.

#6

Updated by Gordon Ross over 8 years ago

  • Status changed from New to Resolved
  • Assignee changed from sham pavman to Gary Mills

changeset: 13385:3d898cde151e
tag: tip
user: Gary Mills <>
date: Tue Jun 07 21:38:05 2011 -0500
description:
323 Need fix for glob() resource exhaustion
Reviewed by: Garrett D'Amore <>
Reviewed by: Dan McDonald <>
Approved by: Gordon Ross <>

Also available in: Atom PDF