Red Hat Bugzilla – Bug 35978
gssftp can be segfaulted remotely, possibly exploitable
Last modified: 2007-03-26 23:43:32 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [de] (X11; U; Linux 2.2.19 i686)
kerberos-workstation includes kerberized ftp, gssftpd, which is not wu-ftpd
BSD ftp. This FTP is possibly vulnerable to the GLOB attacks as described
/Covert Labs Advisory recently. Also, plain "ls ~" gives you the FTP home
is considered bad (albeit highly predictable anyway on linux boxen)
Steps to Reproduce:
1. Enable gssftp with chkconfig to allow kerberized FTP connections
2. Login to the ftp server using anonymous FTP
3. Type "cd ~*"
Actual Results: 421 service not available.
gdb attached to ftpd shows it segfaulted.
Expected Results: Nothing
I am not 100% sure if this is exploitable, I didn't dig in that deep. Covert
exploitability under certain circumstances. Nevertheless, a remotely
is pretty bad.
Fortunately, the krb gssftp is probably not used widely.
*** Bug 37731 has been marked as a duplicate of this bug. ***
Folks, you have had this for a whole month now.
A week after my initial report here, this came up on BugTraq and was labeled
REMOTE EXPLOITABLE. A fix was provided in the Bugtraq posting.
Since #37731 you knew the BugTraq post (and that's been 3 weeks ago as well).
It is therefore reasonable to state what seems obvious, and set the bug to
krb5-1.2.2-5 has been released as an errata.