CVE-2011-0418 in Pure-FTPdinfo

Summary

by MITRE

The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/02/2024

The vulnerability identified as CVE-2011-0418 represents a critical denial of service flaw in the glob pattern expansion functionality of Pure-FTPd and NetBSD libc implementations. This issue affects versions prior to 1.0.32 in Pure-FTPd and NetBSD 5.1, where the glob implementation fails to properly handle expressions containing curly brackets. The flaw specifically manifests when processing crafted FTP STAT commands that contain malformed glob patterns, leading to excessive memory consumption and ultimately system resource exhaustion. The vulnerability operates at the core of file system pattern matching mechanisms, where the system attempts to expand wildcard expressions but encounters malformed input that causes infinite loops or excessive memory allocation during the expansion process.

The technical exploitation of this vulnerability occurs through authenticated FTP sessions where attackers can submit carefully crafted STAT commands containing curly bracket expressions that trigger the faulty glob expansion routine. When the system processes these malformed patterns, the glob implementation enters into recursive or iterative expansion loops that consume increasing amounts of memory without proper bounds checking or termination conditions. This behavior directly maps to CWE-121, which describes buffer overflow conditions, and CWE-400, which covers resource exhaustion vulnerabilities. The vulnerability demonstrates poor input validation and inadequate bounds checking in the glob pattern processing code, where the system fails to properly sanitize or limit the expansion of user-supplied patterns containing special characters like curly brackets.

From an operational impact perspective, this vulnerability enables authenticated remote attackers to consume excessive system resources and potentially cause complete system denial of service. The memory consumption grows rapidly as the system attempts to expand the malformed glob patterns, leading to system instability, application crashes, and service unavailability for legitimate users. The attack requires only authenticated access to the FTP service, making it particularly dangerous in environments where FTP services are widely accessible or where credential compromise is possible through other attack vectors. This vulnerability directly aligns with ATT&CK technique T1499.004, which covers network denial of service attacks, and represents a classic example of how seemingly benign input processing can become a significant security risk when proper validation and resource management are absent.

The recommended mitigation strategies include immediate patching of affected Pure-FTPd versions to 1.0.32 or later, where the glob expansion logic has been properly fixed to handle malformed patterns and prevent excessive memory consumption. System administrators should also implement network-level monitoring to detect unusual memory usage patterns or repeated STAT command executions that might indicate exploitation attempts. Additional protective measures include implementing rate limiting on FTP commands, restricting FTP access to trusted networks, and ensuring proper input validation at all levels of the application stack. The fix typically involves implementing proper bounds checking in the glob expansion routine, adding maximum recursion depth limits, and ensuring that pattern expansion terminates correctly even when encountering malformed input. Organizations should also consider implementing intrusion detection systems that can identify and alert on suspicious FTP command patterns that match the vulnerability characteristics.

Reservation

01/11/2011

Disclosure

05/24/2011

Moderation

accepted

Entry

VDB-57510

CPE

ready

Exploit

Download

EPSS

0.07255

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!