Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: iDEFENSE Security Advisory 02.25.05: WU-FTPD File Globbing Denial of

from [Rainer Schöpf] Network Security [Permanent Link]
Subject: Re: iDEFENSE Security Advisory 02.25.05: WU-FTPD File Globbing Denial of Service Vulnerability
Date: Sun, 27 Feb 2005 01:12:46 +0100 (CET) 
On Fri, 25 Feb 2005, iDEFENSE Labs wrote:


WU-FTPD File Globbing Denial of Service Vulnerability

[...]

Remote exploitation of an input validation vulnerability in version
2.6.2 of WU-FPTD could allow for a denial of service of the system by
resource exhaustion.

The vulnerability specifically exists in the wu_fnmatch() function in
wu_fnmatch.c. When a pattern containing a '*' character is supplied as
input, the function calls itself recursively on a smaller substring. By
supplying a string which contains a large number of '*' characters, the
system will take a long time to return the results, during which time it
will be using a large amount of CPU time.


This is only partially correct. The error is in the function glob() in
glob.c, not in wu_fnmatch(), which contains code to treat sequences
of * characters as a single *:

        case '*':
            c = *pattern;
            while (c == '*')
                c = *++pattern;


The same can be done in glob:

*** glob.c.~1~  2001-11-29 18:01:38.000000000 +0100
--- glob.c      2005-02-27 01:08:14.219711901 +0100
***************
*** 437,442 ****
--- 437,444 ----
            continue;

        case '*':
+           while (*p == '*')
+               p++;
            if (!*p)
                return (1);
            if (*p == '/') {


With this change, a command like

    dir ***********************************.*

is treated like "dir *.*" and does not cause a time cosuming recursion.

  Rainer Schöpf
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  WASC-Articles: 'The Insecure Indexing Vulnerability - Attacks Against Local Search Engines' By Amit Klein, robert
Next by Date:  [Full-Disclosure] [ GLSA 200502-31 ] uim: Privilege escalation vulnerability, Sune Kloppenborg Jeppesen
Previous by Thread:  Re: iDEFENSE Security Advisory 02.25.05: WU-FTPD File Globbing Denial of Service Vulnerability, Stan Bubrouski
Next by Thread:  CIS WebServer Directory Traversal Bug, CorryL
Indexes:  [Date] [Thread] [Top] [All Lists]