
Bugtraq mailing list archives

Re: Multiple vendors FTP denial of service


From: Daniel Roesen <dr () BOFH DE>
Date: Thu, 15 Mar 2001 23:38:08 +0100

[NOTE to the fellow readership: "Frank DENIS (Jedi/Sector One)" is
the author of Pure-FTPD]

On Thu, Mar 15, 2001 at 09:34:09AM +0100, Frank DENIS (Jedi/Sector One) wrote:
> - Proftpd built-in 'ls' command has a globbing bug that allows remote
> denial-of-service.

> Here's a simple exploit, tested on the Proftpd site:

That's really great. Very convenient for you to run DoS attacks against
the main distribution site of ProFTPD.

> - PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard
> expression to *" and the 'ls *' output.

It is not vulnerable to the simple attack, but to more "sophisticated"
attacks it is. 20 seconds spent looking into the source reveals:

from pure-ftpd-0.96/src/ls.c:

     /* try to defend against wildcard denial-of-service attack */
     doshack = strstr(arg, "/../");
     if (doshack) {
         /* first eliminate those at the start */
         if (doshack == arg) {
             while (strncmp(arg, "/../", 4) == 0) {
                 size_t cpa = strlen(arg + 4) + 1U;
                 memmove(arg, arg + 4, cpa);
             }
             doshack = strstr(arg, "/../");
         }
         /* next, eliminate /../ in the middle of the string */
         while (doshack) {
             char *nextcomponent = doshack + 4;
             size_t cpa;

             if (doshack != arg && *doshack == '/')
                 doshack--;
             while (doshack != arg && *doshack != '/')
                 doshack--;
             if (*doshack == '/')
                 doshack++;
             cpa = strlen(nextcomponent) + 1U;
             memmove(doshack, nextcomponent, cpa);
             doshack = strstr(arg, "/../");
         }
         addreply(0, "Simplified wildcard expression to %s", arg);
     }

So your defense is just removing "/../" sequences. That's not enough.

  ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/

  ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/

These lead exactly to the same problems ProFTPD has. You've only gone
half-way. Thanks to John Morrissey <jwm () horde net> for verifying this
on a test installation of Pure-FTPD.

BTW: Flood (Jesse Sipprell <jss () inflicted net>) found that you are using
unprotected calls to glob() all over the place and concludes that it
would be trivial to launch this attack against other FTP commands (DELE
etc.) against Pure-FTPD as well.

I guess you should re-think your Skill inventory on Sourceforge:
http://sourceforge.net/people/viewprofile.php?user_id=37669

Same with the statement "Unlike other popular FTP servers, it has no
known security flaw" on the Pure-FTPD homepage.

King for a day, fool for a lifetime, eh?

> Maintainers of vulnerable servers have been warned of this bug.

Yes. 15 *minutes* before you sent this posting off to Bugtraq. I'm not
going into the usual discussion about how to handle security problems.
May the fellow readership judge for themselves how responsible your
behaviour was.

You may want to take a look at http://www.wiretrip.net/rfp/policy.html


For ProFTPD users: an official response with a workaround to the problem
is being released right now here to Bugtraq.


Daniel
ProFTPD RPM packaging maintainer
(droesen () entire-systems com for ProFTPD related email)
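A cheap pre-check a server can run before ever calling glob(), written here as an added example for this thread (it is not Pure-FTPD or ProFTPD code): it counts the '/'-separated path components that carry a wildcard, which is exactly what the two patterns quoted above rely on once the "/../" filter has let them through. The limit of four wildcard components used in the test is an assumed tunable, not a value from either project.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not Pure-FTPD or ProFTPD code. Stripping "/../" removes
 * one specific sequence, but the cost of a wildcard denial of service
 * comes from the NUMBER of path components that each contain a glob
 * metacharacter: every such component can fan out into many directory
 * matches before the next component is even tried. Counting them and
 * refusing the request above a small limit bounds that fan-out up front. */

/* True if the component [start, end) contains a glob metacharacter. */
static bool component_has_wildcard(const char *start, const char *end)
{
    for (const char *p = start; p < end; p++) {
        if (*p == '*' || *p == '?' || *p == '[')
            return true;
    }
    return false;
}

/* Number of '/'-separated components of arg that contain a wildcard.
 * Empty components (leading '/', "//", trailing '/') are not counted. */
size_t count_wildcard_components(const char *arg)
{
    size_t count = 0;
    const char *start = arg;

    for (;;) {
        const char *end = strchr(start, '/');
        if (end == NULL)
            end = start + strlen(start);      /* last component */
        if (end > start && component_has_wildcard(start, end))
            count++;
        if (*end == '\0')
            break;
        start = end + 1;
    }
    return count;
}

/* Policy check to run before glob(): allow the expression only when at
 * most max_wild components carry wildcards. max_wild is a tunable chosen
 * by the operator (assumption); plain 'ls *' has one and always passes. */
bool wildcard_expression_allowed(const char *arg, size_t max_wild)
{
    return count_wildcard_components(arg) <= max_wild;
}
```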

