Bugtraq mailing list archives
Re: Multiple vendors FTP denial of service
From: Daniel Roesen <dr () BOFH DE>
Date: Thu, 15 Mar 2001 23:38:08 +0100
[NOTE to the fellow readership: "Frank DENIS (Jedi/Sector One)" is the author of Pure-FTPD]

On Thu, Mar 15, 2001 at 09:34:09AM +0100, Frank DENIS (Jedi/Sector One) wrote:
> - Proftpd built-in 'ls' command has a globbing bug that allows remote denial-of-service. Here's a simple exploit, tested on the Proftpd site:
That's really great. Very convenient for you to run DoS attacks against the main distribution site of ProFTPD.
> - PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard expression to *" and the 'ls *' output.
It is not vulnerable to the simple attack, but to more "sophisticated" attacks it is. 20 seconds spent looking into the source reveals:

from pure-ftpd-0.96/src/ls.c:

    /* try to defend against wildcard denial-of-service attack */
    doshack = strstr(arg, "/../");
    if (doshack) {
        /* first eliminate those at the start */
        if (doshack == arg) {
            while (strncmp(arg, "/../", 4) == 0) {
                size_t cpa = strlen(arg + 4) + 1U;
                memmove(arg, arg + 4, cpa);
            }
            doshack = strstr(arg, "/../");
        }
        /* next, eliminate /../ in the middle of the string */
        while (doshack) {
            char *nextcomponent = doshack + 4;
            size_t cpa;

            if (doshack != arg && *doshack == '/')
                doshack--;
            while (doshack != arg && *doshack != '/')
                doshack--;
            if (*doshack == '/')
                doshack++;
            cpa = strlen(nextcomponent) + 1U;
            memmove(doshack, nextcomponent, cpa);
            doshack = strstr(arg, "/../");
        }
        addreply(0, "Simplified wildcard expression to %s", arg);
    }

So your defense is just removing "/../" sequences. That's not enough.

    ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/
    ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/

These lead exactly to the same problems ProFTPD has. You've only gone half-way.

Thanks to John Morrissey <jwm () horde net> for verifying this on a test installation of Pure-FTPD.

BTW: Flood (Jesse Sipprell <jss () inflicted net>) found that you are using unprotected calls to glob() all over the place and concludes that it would be trivial to launch this attack against other FTP commands (DELE etc.) against Pure-FTPD as well.

I guess you should re-think your Skill inventory on Sourceforge:
http://sourceforge.net/people/viewprofile.php?user_id=37669

Same with the statement "Unlike other popular FTP servers, it has no known security flaw" on the Pure-FTPD homepage.

King for a day, fool for a lifetime, eh?
> Maintainers of vulnerable servers have been warned of this bug.
Yes. 15 *minutes* before you sent this posting off to Bugtraq.

I'm not going into the usual discussion about how to handle security problems. May the fellow readership judge for themselves how responsible your behaviour was. You may want to take a look at http://www.wiretrip.net/rfp/policy.html

For ProFTPD users: an official response with a workaround to the problem is being released right now here to Bugtraq.

Daniel
ProFTPD RPM packaging maintainer
(droesen () entire-systems com for ProFTPD related email)
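The point of the message above is that stripping "/../" does nothing about the actual cost driver: every path component that carries a glob metacharacter forces glob() to scan a directory, and the scans multiply across components. The following is an added illustration in C, not code from the post, from Pure-FTPD or from ProFTPD. It re-implements the quoted "/../" removal for comparison and places beside it a check that counts wildcard-bearing components and refuses patterns above a limit. The names strip_dotdot, wildcard_components, glob_pattern_allowed and the limit MAX_WILDCARD_COMPONENTS are assumptions for this example; the inputs in main() are constructed (two are the attack strings from the post, two are benign).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Maximum number of path components that may carry a glob metacharacter.
 * Assumed value for this example; tune it to the tree being served. */
#define MAX_WILDCARD_COMPONENTS 4

/* Same "/../" removal as the quoted ls.c excerpt, rewritten here for
 * illustration (not the project's own code).  Edits arg in place. */
static void strip_dotdot(char *arg)
{
    char *doshack = strstr(arg, "/../");

    if (doshack == NULL)
        return;
    if (doshack == arg) {                 /* leading "/../" sequences */
        while (strncmp(arg, "/../", 4) == 0) {
            size_t cpa = strlen(arg + 4) + 1U;
            memmove(arg, arg + 4, cpa);
        }
        doshack = strstr(arg, "/../");
    }
    while (doshack != NULL) {             /* "/../" in the middle */
        char *nextcomponent = doshack + 4;
        size_t cpa;

        if (doshack != arg && *doshack == '/')
            doshack--;
        while (doshack != arg && *doshack != '/')
            doshack--;
        if (*doshack == '/')
            doshack++;
        cpa = strlen(nextcomponent) + 1U;
        memmove(doshack, nextcomponent, cpa);
        doshack = strstr(arg, "/../");
    }
}

/* Count the '/'-separated components that contain '*', '?' or '['.
 * glob() performs one directory scan per such component, and the scans
 * multiply across components, so this number bounds the blow-up that
 * "/../" removal leaves untouched. */
size_t wildcard_components(const char *pattern)
{
    size_t n = 0;
    const char *p = pattern;

    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (memchr(p, '*', len) || memchr(p, '?', len) || memchr(p, '[', len))
            n++;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return n;
}

/* Returns 1 if the pattern may be handed to glob(), 0 if it must be
 * refused.  Works on a private copy so the caller's string is untouched. */
int glob_pattern_allowed(const char *pattern)
{
    char buf[512];

    if (strlen(pattern) >= sizeof buf)
        return 0;                         /* oversized argument: refuse */
    strcpy(buf, pattern);
    strip_dotdot(buf);                    /* the post's defense ... */
    return wildcard_components(buf) <= MAX_WILDCARD_COMPONENTS; /* ... plus the missing one */
}

int main(void)
{
    /* Constructed inputs: the two attack strings from the post, two benign ones. */
    const char *patterns[] = {
        ".*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/",
        "*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/",
        "/../../pub/*.tar.gz",
        "pub/linux/*/README",
    };
    size_t i;

    for (i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        printf("%-66s components=%2zu %s\n", patterns[i],
               wildcard_components(patterns[i]),
               glob_pattern_allowed(patterns[i]) ? "allowed" : "refused");
    return 0;
}
```

The component count is a heuristic: it bounds the number of directory scans glob() will multiply together, but a single "*" over a directory with a huge number of entries is still one full scan, and a real limit on glob()'s total work (some BSD libcs expose this as a GLOB_LIMIT flag) is the more robust control. Whatever check is chosen, it has to sit in front of every glob() call, which is the second problem the post raises about DELE and the other commands.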
Current thread:
- Multiple vendors FTP denial of service Frank DENIS (Jedi/Sector One) (Mar 15)
- Re: Multiple vendors FTP denial of service Jeff Dafoe (Mar 16)
- Re: Multiple vendors FTP denial of service jedi (Mar 16)
- Re: Multiple vendors FTP denial of service Daniel Roesen (Mar 16)
- Re: Multiple vendors FTP denial of service Elias Levy (Mar 16)
- Re: Multiple vendors FTP denial of service Elias Levy (Mar 19)
- Bash memory exhaustion (was Re: Multiple vendors FTP denial of service) Nick Lamb (Mar 20)
- Re: Multiple vendors FTP denial of service The Flying Hamster (Mar 21)
- Re: Multiple vendors FTP denial of service Elias Levy (Mar 19)
- Re: Multiple vendors FTP denial of service Mike Gleason (Mar 16)
- Re: Multiple vendors FTP denial of service Crist Clark (Mar 19)
- Re: Multiple vendors FTP denial of service JT (Mar 19)
- Re: Multiple vendors FTP denial of service D. J. Bernstein (Mar 19)
- Re: Multiple vendors FTP denial of service jedi (Mar 20)
- Re: Multiple vendors FTP denial of service Pawel Wilk (Mar 20)
(Thread continues...)
- Re: Multiple vendors FTP denial of service Jeff Dafoe (Mar 16)