Oct 7, 2010 13:04 GMT  ·  By

A weakness in a libc function lets attackers mount denial-of-service attacks against numerous public FTP servers running on multiple operating systems.

The vulnerability was discovered by Maksymilian Arciemowicz (cxib) of SecurityReason.com and is described as a multiple-vendor libc/glob(3) resource exhaustion.

Apparently, the GLOB_LIMIT option, added to the glob(3) function back in 2001 to contain denial-of-service patterns, was improperly implemented and can be easily bypassed: it caps the number of matches glob(3) returns, not the amount of directory traversal done to find them.

"This option should be set for programs that can be coerced to a denial of service attack via patterns that expand to a very large number of matches, such as a long string of */../*/.." the official description of the feature reads.

According to the researcher, who has already published proof-of-concept exploit code, an attacker can exhaust the memory and/or CPU resources of an FTP server by sending it a command containing a specially crafted string.

In order to bypass it, "we need only use a pattern with many */.. and many inodes in the current directory. At the end of the pattern, we need to add some non-existent filename (like /cxib*)," he writes.
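The shape of the pattern above is what makes the limit useless: every "*" fans out to all entries of the current directory, the following ".." returns to that same directory, and the trailing non-existent name guarantees zero matches, so a limit that counts matches never fires while the traversal work grows with each repetition. The following is an added example, not code from the advisory or from any vendor's patch: a hypothetical pattern-shape check that an FTP daemon could apply to a client-supplied path before calling glob(3). The function names, the thresholds and the two sample patterns are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical front-end check for client-supplied glob patterns.
 * This is an illustration, not any vendor's fix for the glob(3) issue.
 *
 * GLOB_LIMIT bounds the number of matches placed in gl_pathv. A pattern
 * built from repeated wildcard-then-dotdot components over a directory
 * with N entries costs roughly N^k directory reads for k repetitions,
 * and a final component that matches nothing keeps the match count at
 * zero, so the limit is never reached. Bounding the pattern's shape
 * before glob(3) sees it is one way to refuse such input up front.
 */

struct glob_shape {
    size_t segments;          /* path components seen */
    size_t wild;              /* components containing *, ? or [ */
    size_t dotdot;            /* ".." components */
    size_t wild_dotdot_pairs; /* ".." immediately after a wildcard component */
};

static bool has_meta(const char *seg, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (seg[i] == '*' || seg[i] == '?' || seg[i] == '[')
            return true;
    return false;
}

/* Walk the pattern component by component and record its shape. */
struct glob_shape analyze_glob_pattern(const char *pat) {
    struct glob_shape s = {0, 0, 0, 0};
    bool prev_wild = false;
    const char *p = pat;

    while (*p) {
        while (*p == '/')          /* skip one or more separators */
            p++;
        if (!*p)
            break;
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        s.segments++;
        bool w = has_meta(p, len);
        bool dd = (len == 2 && p[0] == '.' && p[1] == '.');
        if (w)
            s.wild++;
        if (dd) {
            s.dotdot++;
            if (prev_wild)
                s.wild_dotdot_pairs++;
        }
        prev_wild = w;
        p += len;
    }
    return s;
}

/* Accept a pattern only if it cannot fan out into repeated directory
 * re-scans. The thresholds are assumed policy values, not standards. */
bool glob_pattern_acceptable(const char *pat, size_t max_wild, size_t max_dotdot) {
    struct glob_shape s = analyze_glob_pattern(pat);
    if (s.wild > max_wild)
        return false;
    if (s.dotdot > max_dotdot)
        return false;
    // A single wildcard-then-dotdot pair already re-scans the directory once;
    // more than one is the exponential shape described in the advisory.
    if (s.wild_dotdot_pairs > 1)
        return false;
    return true;
}

int main(void) {
    /* Constructed sample inputs: an ordinary listing and the advisory's shape. */
    const char *benign = "pub/*.tar.gz";
    const char *crafted = "*/../*/../*/../*/../*/../cxib*";

    printf("%-40s -> %s\n", benign,
           glob_pattern_acceptable(benign, 3, 2) ? "accept" : "reject");
    printf("%-40s -> %s\n", crafted,
           glob_pattern_acceptable(crafted, 3, 2) ? "accept" : "reject");
    return 0;
}
```

The check deliberately runs on the raw text of the pattern, before any filesystem access, so its cost is linear in the pattern length regardless of how many inodes the current directory holds.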

The attack was tested successfully on OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3/8.1 and Oracle Sun Solaris 10, but should also work on any system using the GNU libc (glibc).

A large number of public FTP servers are potentially affected. Some belonging to large companies, such as ftp.adobe.com, ftp.hp.com and ftp.sun.com, have already been confirmed vulnerable.

So far, NetBSD was the only vendor to release a patch. "Patch, recompile and reinstall libc, restart ftpd. Patch, recompile and reinstall sftp. Patch, recompile and reinstall /rescue," its advisory instructs.

The SFTP server that ships with OpenSSH is also vulnerable, and since it does not use GLOB_LIMIT to restrict pattern expansion at all, it can also be attacked in other ways.