10:39 Vulnerability in the standard glob() function as a threat to FTP servers
The SecurityReason site has found a dangerous flaw in the implementation of the glob() function from the standard C library (libc) on several platforms. The function lists files whose names match a given pattern. The flaw is that the cap on the function's output defined by GLOB_LIMIT is not enforced when the pattern contains malformed path components such as `..` or brace lists, for example */../*/../*foo or {..,..,..}/*/{..,..,..}/*bar. With such a pattern a single call to glob() can exhaust all memory available to the process. The bug is especially dangerous for (S)FTP servers, above all those that allow anonymous access: a request to list files with a mask like the above quickly results in a denial of service on the FTP server.

According to the latest data, at least the following operating systems are affected: OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3/8.1, Oracle/Sun Solaris 10, and all versions of Linux with GLIBC. The vulnerability has so far been fixed only in NetBSD; the companies and communities that develop the other listed systems have published no information yet, which is why the vulnerability is classified as a "0-day". It is also reported that vsftpd is not affected.

If you want to see the vulnerability in action, type into a bash console a command like

ls ../../*/../*/*/../../*/*/*/*

It can also be triggered from PHP,

php -r 'print glob("../../*/../*/*/../../*/*/*/*");'

from Python,

python -c 'import glob; glob.glob("../../*/../*/*/../../*/*/*/*")'

or from any other language whose glob call is backed by this libc function. Do this only on a throwaway machine or under a memory limit (for example ulimit -v), since a successful run exhausts the process's memory.

The original vulnerability report is here: securityreason.com/securityalert/7822
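Until the libc in question is patched, the only protection a service has is to refuse or bound the pattern before it reaches glob(). The following is an added example, not code from SecurityReason or from any of the affected FTP servers: a pre-flight check that rejects the two pattern shapes named above (parent-directory components and brace lists), caps the number of wildcard components, and estimates the worst-case amount of filesystem work a pattern can cause. The limits and the fan-out model are assumptions chosen for illustration.

```python
"""Pre-flight check for glob() patterns supplied by an untrusted client.

Added example, not code from SecurityReason or from any affected FTP
server. It never calls the vulnerable glob() on a risky pattern; it
rejects or bounds the pattern first, which is the mitigation available
to a server whose libc has not been patched. The limits below are
assumptions chosen for illustration.
"""
import glob
import re

# Hypothetical limits for this example; tune per service.
MAX_SEGMENTS = 16           # path components in a pattern
MAX_WILDCARD_SEGMENTS = 3   # components that contain *, ? or [...]

_WILDCARD = re.compile(r"[*?\[]")


def _segments(pattern: str) -> list:
    """Split on '/' and drop empty components ('a//b' -> ['a', 'b'])."""
    return [s for s in pattern.split("/") if s]


def check_glob_pattern(pattern: str):
    """Return None if the pattern is acceptable, else a short reason.

    Rejects the two constructs the advisory describes as escaping
    GLOB_LIMIT, brace lists ({..,..,..}) and parent-directory components
    (..), plus patterns with too many wildcard components overall.
    """
    if "{" in pattern or "}" in pattern:
        return "brace expansion"
    segs = _segments(pattern)
    if len(segs) > MAX_SEGMENTS:
        return "too many path components"
    if any(s == ".." for s in segs):
        return "parent-directory component"
    wild = sum(1 for s in segs if _WILDCARD.search(s))
    if wild > MAX_WILDCARD_SEGMENTS:
        return "too many wildcard components"
    return None


def expansion_upper_bound(pattern: str, fanout: int) -> int:
    """Worst-case number of candidate paths glob() may walk for `pattern`.

    Model (an assumption of this example): every wildcard component
    matches `fanout` entries, and a '..' component climbs back to the
    parent without shrinking the candidate set. So '*/../*/../*foo' over
    a tree with 1000 entries per directory means 1000**3 candidate paths
    even though the final result list may be tiny, which is why a cap on
    the result count alone (GLOB_LIMIT) does not bound the work done.
    """
    bound = 1
    for s in _segments(pattern):
        if _WILDCARD.search(s):
            bound *= fanout
    return bound


def safe_glob(pattern: str):
    """glob.glob() guarded by check_glob_pattern(); raises on rejection."""
    reason = check_glob_pattern(pattern)
    if reason is not None:
        raise ValueError(f"refusing pattern {pattern!r}: {reason}")
    return glob.glob(pattern)


if __name__ == "__main__":
    # Constructed inputs: the two shapes named in the advisory and a benign one.
    for p in ("*/../*/../*foo", "{..,..,..}/*/{..,..,..}/*bar", "pub/*.tar.gz"):
        print(f"{p!r}: {check_glob_pattern(p) or 'ok'}, "
              f"worst case {expansion_upper_bound(p, fanout=1000)} candidate paths")
```

Rejecting `..` outright is the simplest rule for an anonymous FTP listing, where a client has no legitimate reason to climb above its current directory; a server that must allow it should at least normalise the path and bound the wildcard count as above.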