<<< Date Index >>>     <<< Thread Index >>>

Re: iDEFENSE Security Advisory 02.25.05: WU-FTPD File Globbing Denial of Service Vulnerability



On Fri, 25 Feb 2005, iDEFENSE Labs wrote:

 > WU-FTPD File Globbing Denial of Service Vulnerability
 >
 > [...]
 >
 > Remote exploitation of an input validation vulnerability in version
 > 2.6.2 of WU-FPTD could allow for a denial of service of the system by
 > resource exhaustion.
 >
 > The vulnerability specifically exists in the wu_fnmatch() function in
 > wu_fnmatch.c. When a pattern containing a '*' character is supplied as
 > input, the function calls itself recursively on a smaller substring. By
 > supplying a string which contains a large number of '*' characters, the
 > system will take a long time to return the results, during which time it
 > will be using a large amount of CPU time.

This is only partially correct. The error is in the function glob() in
glob.c, not in wu_fnmatch(), which contains code to treat sequences
of * characters as a single *:

        case '*':
            c = *pattern;
            while (c == '*')
                c = *++pattern;


The same can be done in glob:

*** glob.c.~1~  2001-11-29 18:01:38.000000000 +0100
--- glob.c      2005-02-27 01:08:14.219711901 +0100
***************
*** 437,442 ****
--- 437,444 ----
            continue;

        case '*':
+           while (*p == '*')
+               p++;
            if (!*p)
                return (1);
            if (*p == '/') {


With this change, a command like

    dir ***********************************.*

is treated like "dir *.*" and does not cause a time cosuming recursion.

  Rainer Schöpf