Bugtraq mailing list archives
Re: iDEFENSE Security Advisory 02.25.05: WU-FTPD File Globbing Denial of Service Vulnerability
From: Rainer Schöpf <rainer.schoepf () proteosys com>
Date: Sun, 27 Feb 2005 01:12:46 +0100 (CET)
On Fri, 25 Feb 2005, iDEFENSE Labs wrote:
WU-FTPD File Globbing Denial of Service Vulnerability [...] Remote exploitation of an input validation vulnerability in version 2.6.2 of WU-FPTD could allow for a denial of service of the system by resource exhaustion. The vulnerability specifically exists in the wu_fnmatch() function in wu_fnmatch.c. When a pattern containing a '*' character is supplied as input, the function calls itself recursively on a smaller substring. By supplying a string which contains a large number of '*' characters, the system will take a long time to return the results, during which time it will be using a large amount of CPU time.
This is only partially correct. The error is in the function glob() in glob.c, not in wu_fnmatch(), which contains code to treat sequences of * characters as a single *: case '*': c = *pattern; while (c == '*') c = *++pattern; The same can be done in glob: *** glob.c.~1~ 2001-11-29 18:01:38.000000000 +0100 --- glob.c 2005-02-27 01:08:14.219711901 +0100 *************** *** 437,442 **** --- 437,444 ---- continue; case '*': + while (*p == '*') + p++; if (!*p) return (1); if (*p == '/') { With this change, a command like dir ***********************************.* is treated like "dir *.*" and does not cause a time cosuming recursion. Rainer Schöpf
Current thread:
- Re: iDEFENSE Security Advisory 02.25.05: WU-FTPD File Globbing Denial of Service Vulnerability Rainer Schöpf (Feb 28)