
Flaw in libc implementation threatens FTP servers (The H)

Anybody running an anonymous FTP server may want to have a look at this article in The H about a newly-disclosed denial of service problem. "The problem exists because GLOB_LIMIT, a feature added in 2001 to limit the amount of memory used by the glob() function is ineffective. Globbing, as it is called, calls on the glob() function to match wildcard patterns when generating a list of matching file names. Because GLOB_LIMIT is not effective, it potentially allows a system's main memory to be flooded when processing certain patterns and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result."
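The article's point is that GLOB_LIMIT caps only the number of matches glob() returns, so a server that hands user-supplied patterns straight to glob() gets no protection against patterns that do enormous intermediate work before any limit is reached. The example below is an added illustration, not code from The H, LWN, or any of the affected libc or ftpd projects: it wraps glob() in a pre-check that rejects patterns with too many metacharacters before libc ever sees them, and still enforces a match cap afterwards. The thresholds (MAX_WILDCARDS, MAX_MATCHES) and the function names are assumptions chosen for the demo. GLOB_LIMIT and gl_matchc are BSD extensions that glibc does not define, so they are used only when present and the match cap is re-checked by hand either way.

```c
/* Added example: guarding glob() against user-controlled patterns.
 * Not from the article or any ftpd project; thresholds are assumed policy. */
#include <glob.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_WILDCARDS 4      /* assumed policy: max metacharacters per pattern */
#define MAX_MATCHES   1000   /* assumed policy: max results a client may request */

/* Count '*', '?' and '[' in the pattern; each one multiplies the work glob()
 * may do while walking directories. Returns 1 if the pattern is acceptable. */
int pattern_ok(const char *pat)
{
    size_t n = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '*' || *p == '?' || *p == '[')
            n++;
    }
    return n <= MAX_WILDCARDS;
}

/* Expand a client-supplied pattern with a complexity check first and a hard
 * match cap afterwards. Returns the number of matches (0 for no match) and
 * leaves a result in *g that the caller releases with globfree(); returns -1
 * if the pattern is rejected or glob() fails, in which case *g is already
 * freed and must not be passed to globfree(). */
int guarded_glob(const char *pat, glob_t *g)
{
    int flags = 0;
    int rc;

    memset(g, 0, sizeof *g);
    if (!pattern_ok(pat))
        return -1;               /* rejected before glob() does any work */

#ifdef GLOB_LIMIT
    /* BSD libc: ask glob() itself to stop after MAX_MATCHES results. */
    g->gl_matchc = MAX_MATCHES;
    flags |= GLOB_LIMIT;
#endif
    rc = glob(pat, flags, NULL, g);
    if (rc == GLOB_NOMATCH) {
        globfree(g);
        return 0;
    }
    if (rc != 0) {
        globfree(g);
        return -1;
    }
    /* Enforce the cap ourselves too: glibc has no GLOB_LIMIT, and the article's
     * point is that the BSD limit alone is not a sufficient defence. */
    if (g->gl_pathc > MAX_MATCHES) {
        globfree(g);
        return -1;
    }
    return (int)g->gl_pathc;
}

int main(int argc, char **argv)
{
    const char *pat = argc > 1 ? argv[1] : "/etc/*";
    glob_t g;
    int n = guarded_glob(pat, &g);

    if (n < 0) {
        printf("pattern rejected: %s\n", pat);
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("%s\n", g.gl_pathv[i]);
    globfree(&g);
    return 0;
}
```

Run it as ./a.out 'dir/*/*/*/*/*/*' to see the pre-check refuse a pattern outright, versus ./a.out '/etc/*' for a normal listing. The wildcard count is a crude measure, but it is one the server controls entirely, which is the property the article says GLOB_LIMIT lacks.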

Flaw in libc implementation threatens FTP servers (The H)

Posted Oct 7, 2010 18:32 UTC (Thu) by nevyn (subscriber, #33129)

Or just read:

/usr/share/doc/vsftpd-*/SECURITY/TRUST

...specifically the bits about how the author hasn't audited glob/fnmatch/etc. and has no intention of auditing them ... and so doesn't call them.

I guess some people might be using other ftpd's, where the authors haven't thought about what historical attacks meant ... sucks to be them.

vsftpd

Posted Oct 7, 2010 22:38 UTC (Thu) by rfunk (subscriber, #4054)

Yes, in my survey of FTP server software a few years ago, vsftpd was one of a very small number (OpenBSD ftpd and DJB's oddball server also come to mind) that looked like they really paid attention to security.

The continued popularity of ProFTPd has befuddled me ever since.

vsftpd

Posted Oct 8, 2010 2:05 UTC (Fri) by ccurtis (guest, #49713)

You state that OpenBSD's was among the few FTP servers paying attention to security, but from the article:
Arciemowicz said that OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3 / 8.1, Oracle Sun Solaris 10 and GNU Libc (glibc) are affected. The FTP servers at ftp.openbsd.org, ftp.netbsd.org, ftp.freebsd.org, ftp.adobe.com (which uses OpenBSD), ftp.hp.com and ftp.sun.com are, therefore, also said to be vulnerable. The security specialist has released an exploit to demonstrate the problem.
OpenBSD is just as vulnerable as any of the other OSes. Do you believe that this particular OS/FTPd combination is not susceptible?

vsftpd

Posted Oct 8, 2010 11:17 UTC (Fri) by rfunk (subscriber, #4054)

I didn't say OpenBSD was immune. I said it came to mind as one of a small number that pay attention to security.

As I implied, I chose vsftpd.

vsftpd

Posted Oct 8, 2010 5:05 UTC (Fri) by jengelh (subscriber, #33263)

For lack of features in vsftpd, or so it seems. proftpd has this apache-style config layout, and thus probably also apache-like <Directory> ACLs. In vsftpd you get to use POSIX ACLs.

But even more strange than proftpd's continued use is glftpd's continued use in other circles.

vsftpd

Posted Oct 8, 2010 11:23 UTC (Fri) by gat3way (guest, #47864)

proftpd allows users to limit or disable globbing and vulnerabilities like that one are very well-documented in the manual:
http://www.proftpd.org/docs/howto/Globbing.html

So please stop your clueless proftpd ranting.

Flaw in libc implementation threatens FTP servers (The H)

Posted Oct 7, 2010 21:43 UTC (Thu) by jwb (guest, #15467)

Existence of FTP threatens FTP servers.

Flaw in libc implementation threatens FTP servers (The H)

Posted Oct 11, 2010 13:08 UTC (Mon) by njwhite (subscriber, #51848)

"Arciemowicz said that OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3 / 8.1, Oracle Sun Solaris 10 and GNU Libc (glibc) are affected."

Don't these use different libcs? Why should more than one libc implementation get this wrong in the same way? I'm having trouble finding more info on this, but the above seems odd to me.

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds