FTP flaw makes servers insecure

by Todd R. Weiss

April 17, 2001 —

Security analysts have issued warnings about a software flaw that they said could allow intruders to gain unauthorized access to remote file transfer protocol (FTP) servers.

In an advisory issued last week, Network Associates' PGP Security division said the problem is related to the "globbing" command used in Unix shells. The command essentially acts as a path name generator, allowing users to search for multiple file names by entering shorthand commands that are then used by the software to search for common patterns.

Santa Clara, Calif.-based PGP said its Computer Vulnerability Emergency Response Team found a flaw that allows the pattern expansion done through the glob function to instead be directed to cause various buffer overflows in FTP servers -- a capability that could enable malicious attackers to gain root-level privileges.

The problem is said to usually affect only FTP servers that give remote users the ability to create directories on the system hosting the FTP daemon. That will likely restrict the vulnerability's threat, said Greg Shipley, security services director at consulting firm Neohapsis in Chicago.

"In addition to the threat of data loss or attacks against private networks, many Web server administrators rely on FTP to post content to their Web servers," said Jim Magdych, manager of the emergency response team at PGP. "These vulnerabilities could offer an easy avenue of approach for an attacker intent on defacing Websites."

The CERT Coordination Center at Carnegie Mellon University in Pittsburgh also posted a notice on its Web site about the FTP flaw. The buffer management flaw could let intruders execute arbitrary code on an FTP server and "may be confused with a related denial-of-service problem," CERT said.

PGP said that until patches are available, remote intrusions can be prevented by ensuring that no directories exist that can be written to by an anonymous FTP user. BSD and Irix users should also be sure that none of their FTP directories have names with more than eight characters, the company said. However, PGP noted, neither of those precautions will stop local users.

Computerworld