|
Bugtraq
mailing list archives
Re: iDEFENSE Security Advisory 02.25.05: WU-FTPD File Globbing Denial of Service Vulnerability
From: Rainer Schöpf <rainer.schoepf () proteosys com>
Date: Sun, 27 Feb 2005 01:12:46 +0100 (CET)
On Fri, 25 Feb 2005, iDEFENSE Labs wrote:
WU-FTPD File Globbing Denial of Service Vulnerability
[...]
Remote exploitation of an input validation vulnerability in version
2.6.2 of WU-FPTD could allow for a denial of service of the system by
resource exhaustion.
The vulnerability specifically exists in the wu_fnmatch() function in
wu_fnmatch.c. When a pattern containing a '*' character is supplied as
input, the function calls itself recursively on a smaller substring. By
supplying a string which contains a large number of '*' characters, the
system will take a long time to return the results, during which time it
will be using a large amount of CPU time.
This is only partially correct. The error is in the function glob() in
glob.c, not in wu_fnmatch(), which contains code to treat sequences
of * characters as a single *:
case '*':
c = *pattern;
while (c == '*')
c = *++pattern;
The same can be done in glob:
*** glob.c.~1~ 2001-11-29 18:01:38.000000000 +0100
--- glob.c 2005-02-27 01:08:14.219711901 +0100
***************
*** 437,442 ****
--- 437,444 ----
continue;
case '*':
+ while (*p == '*')
+ p++;
if (!*p)
return (1);
if (*p == '/') {
With this change, a command like
dir ***********************************.*
is treated like "dir *.*" and does not cause a time cosuming recursion.
Rainer Schöpf
 By Date 
By Thread
Current thread:
- Re: iDEFENSE Security Advisory 02.25.05: WU-FTPD File Globbing Denial of Service Vulnerability Rainer Schöpf (Feb 28)
|
Intro
