CVE-2015-5917
Description
The glob implementation in tnftpd (formerly lukemftpd), as used in Apple OS X before 10.11, allows remote attackers to cause a denial of service (memory consumption and daemon outage) via a STAT command containing a crafted pattern, as demonstrated by multiple instances of the {..,..,..}/* substring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted STAT command with a glob pattern causes memory exhaustion in tnftpd on OS X before 10.11, leading to denial of service.
Vulnerability
The glob implementation in tnftpd (formerly lukemftpd), as shipped in Apple OS X before 10.11, contains a resource exhaustion vulnerability. A remote attacker can send a STAT command whose argument is a crafted glob pattern, such as the substring {..,..,..}/* repeated many times, and the server consumes excessive memory while expanding it. tnftpd hands the STAT argument to glob(3) with the GLOB_BRACE|GLOB_LIMIT flags: GLOB_BRACE turns every {a,b,c} group into separate sub-patterns, so the number of sub-patterns multiplies with each group and grows exponentially with the number of groups, and the GLOB_LIMIT cap on matched paths evidently does not bound the memory spent on that expansion. The vulnerability affects tnftpd versions prior to 20130322 and Apple OS X versions before 10.11 (El Capitan) [1][2].
Exploitation
No special privileges are needed: any session that can issue STAT on the FTP control channel, including an anonymous login where the server permits one, suffices. The attacker sends STAT with an argument built from repeated brace groups, for example {..,..,..}/* concatenated n times; each group triples the number of sub-patterns, so n groups yield 3^n patterns for the server's glob processing to expand and match, and the daemon's memory grows with them. A proof-of-concept was demonstrated in 2010, and a video shows a Mac Mini with 10GB RAM being exhausted in about 30 minutes [2].
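To make the growth concrete, here is an added Python model (not tnftpd's or Apple's code) of the brace expansion behind the crafted STAT argument. It counts and materialises the sub-patterns a pattern yields and enforces an expansion budget as a pre-filter, the kind of guard a hardened server could apply before calling glob(3). The budget value, the names STAT_PATTERN_BUDGET and check_stat_argument, and the use of Python rather than C are assumptions for this illustration.

```python
"""Brace-expansion growth behind CVE-2015-5917 (constructed model).

Added illustration, not tnftpd's glob(3) code: a minimal GLOB_BRACE-style
expander showing how many sub-patterns a crafted STAT argument produces,
plus an expansion budget as a guard.  The budget value and the
check_stat_argument() name are assumptions for this example.
"""
from collections import deque


class ExpansionBudgetExceeded(Exception):
    """Raised when a pattern would expand to more sub-patterns than allowed."""


def _find_group(pattern):
    """Return (start, end) indexes of the first balanced {...} group, or None.

    An unbalanced brace is treated as a literal character, as glob(3) does.
    """
    start = pattern.find("{")
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(pattern)):
        if pattern[i] == "{":
            depth += 1
        elif pattern[i] == "}":
            depth -= 1
            if depth == 0:
                return start, i
    return None


def _split_alternatives(body):
    """Split the inside of a brace group on commas at nesting depth 0.

    Simplification: a single-alternative group such as {a} is expanded too.
    """
    parts, cur, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def expansion_count(pattern):
    """Number of sub-patterns the pattern expands to, without materialising them.

    Alternatives within a group add, groups in sequence multiply:
    n copies of {..,..,..}/* give 3**n.
    """
    group = _find_group(pattern)
    if group is None:
        return 1
    start, end = group
    alternatives = _split_alternatives(pattern[start + 1:end])
    return sum(expansion_count(a) for a in alternatives) * expansion_count(pattern[end + 1:])


def brace_expand(pattern, budget=None):
    """Materialise the expansion the way GLOB_BRACE does, left to right.

    With a budget, abort as soon as pending work plus finished results shows
    the final count will exceed it, i.e. before the memory is actually spent.
    """
    work, results = deque([pattern]), []
    while work:
        current = work.popleft()
        group = _find_group(current)
        if group is None:
            results.append(current)
        else:
            start, end = group
            for alt in _split_alternatives(current[start + 1:end]):
                work.append(current[:start] + alt + current[end + 1:])
        if budget is not None and len(work) + len(results) > budget:
            raise ExpansionBudgetExceeded(f"more than {budget} sub-patterns")
    return results


# Assumed limit for this example; the page gives no figure for tnftpd's own cap.
STAT_PATTERN_BUDGET = 64


def check_stat_argument(argument, budget=STAT_PATTERN_BUDGET):
    """Pre-filter for a STAT argument: returns (accepted, sub-pattern count)."""
    count = expansion_count(argument)
    return count <= budget, count


if __name__ == "__main__":
    crafted = "{..,..,..}/*" * 20          # the substring from the CVE description, 20 times
    print(expansion_count(crafted))        # 3**20 = 3486784401 sub-patterns
    print(check_stat_argument("pub/*"))    # (True, 1)
    print(check_stat_argument(crafted))    # (False, 3486784401)
```

The budget check in brace_expand uses pending work plus finished results, which is a lower bound on the final count, so the guard fires early on a crafted argument and never rejects a pattern that would have fit. expansion_count runs in time linear in the pattern length, so a server can cheaply decide whether to refuse an argument before the exponential expansion ever starts.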
Impact
Successful exploitation leads to denial of service: the FTP daemon consumes all available memory, causing it to crash or become unresponsive. This can disrupt legitimate FTP services on the affected system. No code execution or data compromise is achieved; the impact is limited to availability [1][2].
Mitigation
Apple addressed this vulnerability in OS X El Capitan v10.11, released on September 30, 2015 [1]; users should upgrade to OS X 10.11 or later. For systems that cannot be upgraded, Apple provides no workaround. Exposure can still be reduced: OS X does not enable the FTP service by default, so leave it off unless it is needed, and where it is needed restrict access to trusted networks at the firewall. The tnftpd project fixed the issue in version 20130322, but Apple's bundled version was not updated until OS X 10.11 [2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Apple OS X, range: <10.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.youtube.com/watch (nvd: Exploit)
- lists.apple.com/archives/security-announce/2015/Sep/msg00008.html (nvd: Vendor Advisory)
- support.apple.com/HT205267 (nvd: Vendor Advisory)
- www.securityfocus.com/bid/76908 (nvd)
- www.securitytracker.com/id/1033703 (nvd)
- cxsecurity.com/issue/WLB-2013040082 (nvd)
News mentions
No linked articles in our index yet.