
[linux-security] glibc glob bug: remote root exploit possible



Topic
=====
A buffer overflow exists in the glob function of the glibc library. Since
this function is called by, e.g., the ftp daemon, this bug can lead to a
remote root exploit.
It is strongly advised to upgrade immediately.

Problem Description
===================
The glibc glob() function allows programs to search for path names matching
specific patterns according to the rules used by the shell. Glibc also
implements the globfree() function, which free()s memory used earlier by
other glob() matches. The glob function itself may encounter errors when
handling strings ending with the "{" character. By carefully crafting user
input to programs such as the ftp daemon that use the glob and the globfree
functions, it is possible to corrupt the memory space of the process.
Ultimately the result of this would be an ability to execute arbitrary
commands with the privileges of the server process, in most cases root.
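
A daemon that passes client-supplied strings to glob() can refuse patterns
with unclosed brace groups, including any ending in "{", before the library
sees them. The following is an added example, not code from this advisory or
from glibc; pattern_braces_ok(), checked_glob() and MAX_PATTERN_LEN are
hypothetical names, and the check is a conservative input filter, not a
replacement for the upgrade.

```c
#include <glob.h>
#include <stddef.h>
#include <string.h>

#define MAX_PATTERN_LEN 1024    /* assumed limit; tune per daemon */

/* Return 1 if every unescaped '{' is closed by a later '}', else 0.
 * Conservative: a stray '}' or a trailing backslash is also refused. */
int pattern_braces_ok(const char *pattern)
{
    size_t depth = 0;

    if (pattern == NULL || strlen(pattern) > MAX_PATTERN_LEN)
        return 0;
    for (const char *p = pattern; *p != '\0'; p++) {
        if (*p == '\\') {           /* backslash quotes the next character */
            if (p[1] == '\0')
                return 0;           /* dangling escape at end of string */
            p++;                    /* skip the quoted character */
        } else if (*p == '{') {
            depth++;
        } else if (*p == '}') {
            if (depth == 0)
                return 0;           /* closer without an opener */
            depth--;
        }
    }
    return depth == 0;              /* "foo{" ends with depth == 1 */
}

/* Hypothetical wrapper: only well-formed patterns reach glob(). */
int checked_glob(const char *pattern, int flags, glob_t *out)
{
    /* Zero the result first so a later globfree(out) finds no pointers
     * to release when the pattern was refused and glob() never ran. */
    memset(out, 0, sizeof *out);
    if (!pattern_braces_ok(pattern))
        return GLOB_NOMATCH;        /* report malformed input as no match */
    return glob(pattern, flags, NULL, out);
}
```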

Affected Systems
================
All versions of glibc, hence all Linux distributions.

Remark
======
The exploitation of this bug is much harder if ftp access is switched
off. This is strongly recommended anyway: use scp or sftp instead.
If you are running an anonymous ftp server, you must upgrade immediately:
you are vulnerable to a remote root exploit. If you are providing ftp
access to your users but not anonymous ftp access, then you are vulnerable
to a local root exploit.
Switching off ftp access does not solve the glibc problem, but can provide
a temporary solution until new glibc packages are provided for your
distribution.

Solution
========
Upgrade to a patched version of glibc for your distribution.

RedHat 6.x
----------
rpm -Fvh glibc-2.1.3-23.i386.rpm \
         glibc-devel-2.1.3-23.i386.rpm \
         glibc-profile-2.1.3-23.i386.rpm \
         nscd-2.1.3-23.i386.rpm

RedHat 7.0
----------
(<arch> is either i386 or i686)
rpm -Fvh glibc-2.2.4-18.7.0.3.<arch>.rpm \
         glibc-devel-2.2.4-18.7.0.3.i386.rpm \
         glibc-profile-2.2.4-18.7.0.3.i386.rpm \
         glibc-common-2.2.4-18.7.0.3.i386.rpm \
         nscd-2.2.4-18.7.0.3.i386.rpm

RedHat 7.1, 7.2
---------------
(<arch> is either i386 or i686)
rpm -Fvh glibc-2.2.4-19.3.<arch>.rpm \
         glibc-devel-2.2.4-19.3.i386.rpm \
         glibc-profile-2.2.4-19.3.i386.rpm \
         glibc-common-2.2.4-19.3.i386.rpm \
         nscd-2.2.4-19.3.i386.rpm

Mandrake 7.1
------------
rpm -Fvh glibc-2.1.3-19.1mdk.i586.rpm \
         glibc-devel-2.1.3-19.1mdk.i586.rpm \
         glibc-profile-2.1.3-19.1mdk.i586.rpm \
         nscd-2.1.3-19.1mdk.i586.rpm

Mandrake 7.2
------------
rpm -Fvh glibc-2.1.3-19.2mdk.i586.rpm \
         glibc-devel-2.1.3-19.2mdk.i586.rpm \
         glibc-profile-2.1.3-19.2mdk.i586.rpm \
         nscd-2.1.3-19.2mdk.i586.rpm

Mandrake 8.0
------------
rpm -Fvh glibc-2.2.2-6.1mdk.i586.rpm \
         glibc-devel-2.2.2-6.1mdk.i586.rpm \
         glibc-profile-2.2.2-6.1mdk.i586.rpm \
         ldconfig-2.2.2-6.1mdk.i586.rpm \
         nscd-2.2.2-6.1mdk.i586.rpm

Mandrake 8.1
------------
rpm -Fvh glibc-2.2.4-9.1mdk.i586.rpm \
         glibc-devel-2.2.4-9.1mdk.i586.rpm \
         glibc-profile-2.2.4-9.1mdk.i586.rpm \
         ldconfig-2.2.4-9.1mdk.i586.rpm \
         nscd-2.2.4-9.1mdk.i586.rpm