Flaw in libc implementation threatens FTP servers
A flaw in the implementation of the glob() function in various C libraries (libc) can be exploited to remotely cripple FTP servers. As many FTP servers allow anonymous log-ins, and the flaw is said to be easy to exploit, many servers are at risk of falling victim to the attack. A report by security specialist Maksymilian Arciemowicz says that even large FTP servers such as those run by Adobe and HP are affected.
The problem exists because GLOB_LIMIT, a feature added in 2001 to cap the amount of memory the glob() function may use, is ineffective. Globbing, as it is called, uses the glob() function to expand wildcard patterns into a list of matching file names. Because GLOB_LIMIT does not take effect, processing certain patterns can flood a system's main memory, which may, depending on the hardware, cause the system to become very slow, stop responding or even crash.
FTP and SFTP servers tend to support globbing. In most servers, the function is implemented via libc, but some vendors have integrated the globbing feature directly into their products, with an option in the configuration settings for it to be disabled.
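The defensive pattern a server author would want here is an application-side guard that runs before the pattern ever reaches libc, so that it holds whether or not the library's own GLOB_LIMIT works. The following C program is an added example written for this article; it is not code from the advisory, from NetBSD, or from any FTP server mentioned above. It rejects patterns that are too long or contain too many metacharacters, then calls glob() with GLOB_LIMIT where the libc provides it (the BSD libcs expose the flag and use the gl_matchc field as the cap; glibc has no GLOB_LIMIT, so that part is compiled out). The policy thresholds MAX_PATTERN_LEN, MAX_WILDCARDS and MAX_MATCHES are constructed values chosen for illustration, not limits taken from any vendor.

```c
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Application-side policy limits: constructed example values, not vendor defaults. */
#define MAX_PATTERN_LEN 256
#define MAX_WILDCARDS   8
#define MAX_MATCHES     1000

/* Count glob metacharacters ('*', '?', '[', '{') in pat, honouring backslash
 * escapes. Returns -1 if the pattern violates the policy (too long or too
 * many metacharacters), otherwise the metacharacter count. */
int pattern_complexity(const char *pat)
{
    size_t len = strlen(pat);
    int n = 0;

    if (len > MAX_PATTERN_LEN)
        return -1;

    for (size_t i = 0; i < len; i++) {
        switch (pat[i]) {
        case '*': case '?': case '[': case '{':
            n++;
            break;
        case '\\':                 /* escaped character: skip it */
            if (i + 1 < len)
                i++;
            break;
        default:
            break;
        }
    }
    return n > MAX_WILDCARDS ? -1 : n;
}

/* Guarded glob(): returns the number of matches, or -1 if the pattern was
 * rejected or glob() failed. On success the caller must globfree(out). */
int safe_glob(const char *pat, glob_t *out)
{
    int flags = 0;
    int rc;

    memset(out, 0, sizeof *out);
    if (pattern_complexity(pat) < 0)
        return -1;                 /* rejected before libc sees the pattern */

#ifdef GLOB_LIMIT
    /* BSD libc: GLOB_LIMIT caps expansion at gl_matchc. The article reports
     * this cap as ineffective on affected versions, so the policy check above
     * remains the real guard; this is belt and braces. */
    flags |= GLOB_LIMIT;
    out->gl_matchc = MAX_MATCHES;
#endif

    rc = glob(pat, flags, NULL, out);
    if (rc != 0 && rc != GLOB_NOMATCH) {
        globfree(out);
        return -1;
    }
    if (out->gl_pathc > MAX_MATCHES) {  /* post-check for libcs without GLOB_LIMIT */
        globfree(out);
        return -1;
    }
    return (int)out->gl_pathc;
}

/* Convenience: expand, report the count, and release the result. */
int count_matches(const char *pat)
{
    glob_t g;
    int n = safe_glob(pat, &g);
    if (n >= 0)
        globfree(&g);
    return n;
}

int main(int argc, char **argv)
{
    const char *pat = argc > 1 ? argv[1] : "/";
    int n = count_matches(pat);
    if (n < 0)
        printf("pattern rejected or expansion failed: %s\n", pat);
    else
        printf("%d match(es) for %s\n", n, pat);
    return 0;
}
```

Run it with a pattern as the first argument; a pattern that exceeds the metacharacter or length budget is refused without calling glob() at all. The post-expansion check on gl_pathc matters on glibc, where there is no GLOB_LIMIT flag to request a cap.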
Arciemowicz said that OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3 / 8.1, Oracle Sun Solaris 10 and GNU Libc (glibc) are affected. The FTP servers at ftp.openbsd.org, ftp.netbsd.org, ftp.freebsd.org, ftp.adobe.com (which uses OpenBSD), ftp.hp.com and ftp.sun.com are, therefore, also said to be vulnerable. The security specialist has released an exploit to demonstrate the problem.
The NetBSD developers have released a separate advisory about the problem and advise server operators either to stop offering (S)FTP or to retrieve the corrected code from the CVS repository and recompile. No other vendor has, so far, released an official report suggesting patches or workarounds.