# harden your servers ladies & gentlemen !

## kernelOfTruth

 *Quote:*   

> Topic :	Multiple Vendors libc/glob(3) resource exhaustion (+0day remote ftpd-anon)
> 
>   SecurityAlert : 7822
> 
>   CVE : CVE-2010-2632
> ...

 

http://securityreason.com/securityalert/7822

----------

## Letharion

Hopefully

```
Date:
- - Dis.: 06.11.2009
- - Pub.: 07.10.2010
```

means that the problem is long since fixed in glibc?

----------

## kernelOfTruth

 *Letharion wrote:*   

> Hopefully
> 
> ```
> Date:
> 
> ...

 

are you sure ?

 *Quote:*   

> The NetBSD developers have released a separate advisory about the problem and advise server operators not to offer (S)FTP or to retrieve the corrected code from the CVS repository and recompile. No other vendor has, so far, released an official report suggesting patches or workarounds.

 

http://www.h-online.com/open/news/item/Flaw-in-libc-implementation-threatens-FTP-servers-1103319.html

----------

## Etal

I couldn't reproduce this with vsftpd (complex expressions like "stat */*" don't return anything), so at least my ftp server is safe.

----------

## kernelOfTruth

 *Etal wrote:*   

> I couldn't reproduce this with vsftpd (complex expressions like "stat */*" don't return anything), so at least my ftp server is safe.

 

you run hardened ?

FYI: there's a bug-report now at b.g.o.:

--------------------------------------------------------

edit:

OK - there's another one:

https://bugs.gentoo.org/show_bug.cgi?id=340061

----------

## Etal

No, it probably just does not use glob.

```
$ telnet xxxxx 21
Trying XX.XX.XX.XX...
Connected to xxxxx.
Escape character is '^]'.
220 (vsFTPd 2.3.2)
user ftp
331 Please specify the password.
pass hello
230 Login successful.
stat */*
213-Status follows:
213 End of status
```

You can try it on ftp://ftp.redhat.com (which supposedly runs vsftpd) and compare it to ftp.openbsd.org (which doesn't)
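The same self-check as the telnet session above, scripted with Python's `ftplib` so it can be run against your own anonymous FTP server. This is an added example, not code from the thread or from any of the projects mentioned: it logs in anonymously, sends the thread's `STAT */*` pattern once, and classifies the reply. An empty `213-Status follows:` / `213 End of status` block (what vsftpd returned above) means the server did not hand the pattern to glob(3). The host name is a placeholder and the two sample replies are constructed; only `glob_expanded` runs offline.

```python
"""Check whether an FTP server expands glob patterns in STAT.

Added example (not from the thread). It reproduces the manual telnet check
with ftplib: anonymous login, one ``STAT */*`` command, then a look at the
reply. A server whose status block is empty does not pass the pattern to
libc glob(3), so the CVE-2010-2632 code path is not reachable through it.
"""
import ftplib
import re
import sys

STAT_PATTERN = "*/*"  # the exact pattern used in the thread's transcript

# Constructed sample replies (CRLF as sent on the wire).
# 1) What vsftpd 2.3.2 answered in the thread: an empty status block.
VSFTPD_REPLY = "213-Status follows:\r\n213 End of status"
# 2) What a glob-expanding server would answer: entries between the markers.
EXPANDED_REPLY = (
    "213-Status follows:\r\n"
    "drwxr-xr-x    2 0        0            4096 Jan 01 00:00 pub/incoming\r\n"
    "-rw-r--r--    1 0        0             512 Jan 01 00:00 pub/README\r\n"
    "213 End of status"
)


def glob_expanded(stat_reply: str) -> bool:
    """Return True if a STAT reply contains expanded directory entries.

    Only lines strictly between the opening ``213-`` line and the closing
    ``213 `` line count as entries; a reply with nothing in between means
    the pattern was not expanded (or matched nothing).
    """
    entries = []
    in_block = False
    for line in stat_reply.splitlines():
        line = line.rstrip("\r")
        if re.match(r"^213-", line):
            in_block = True
            continue
        if re.match(r"^213 ", line):
            break
        if in_block and line.strip():
            entries.append(line)
    return len(entries) > 0


def check_server(host: str, timeout: float = 10.0) -> bool:
    """Log in anonymously to ``host`` (placeholder) and test one STAT pattern.

    Returns True if the server expanded the pattern, False if the status
    block was empty or the server rejected the command outright (5xx).
    """
    with ftplib.FTP() as ftp:
        ftp.connect(host, 21, timeout=timeout)
        ftp.login()  # anonymous login, as in the thread
        try:
            reply = ftp.sendcmd(f"STAT {STAT_PATTERN}")
        except ftplib.error_perm:
            return False  # command refused: pattern never reached glob(3)
    return glob_expanded(reply)


if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    print("vsftpd-style reply expanded:", glob_expanded(VSFTPD_REPLY))
    print("expanding-server reply expanded:", glob_expanded(EXPANDED_REPLY))
    # Optional live check: python3 stat_glob_check.py ftp.example.invalid
    if len(sys.argv) > 1:
        print(sys.argv[1], "expands STAT globs:", check_server(sys.argv[1]))
```

`ftplib.FTP.sendcmd` already collects a multi-line `213-` reply into one string, so `glob_expanded` only has to find what sits between the two marker lines. A `False` result does not mean the server is patched, only that this particular pattern is not being expanded by it; a glibc update is still what closes the issue for servers that do use glob(3).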

----------

