Date: Tue, 9 Sep 1997 09:42:54 -0500 From: Kenny Hanson <khanson@pdspc.com> To: "'Josef Karthauser'" <joe@pavilion.net> Cc: "FreeBSD Hackers (E-mail)" <freebsd-hackers@FreeBSD.ORG> Subject: RE: FTP compromise. Message-ID: <91DD7FDA88E4D011BED00000C0DD87E70BE975@pds-gateway.pdspc.com>
next in thread | raw e-mail | index | archive | help
I just successfully shot my cpu utilization up to 100% without any hopes of seeing it come down. I had to kill the ftp process before the system returned to a normal state. This is definitely D.O.S... anybody out there have any ideas on how to erradicate this? I ran this for 15 minutes before I had to stop because it is on a production server... > -----Original Message----- > From: Josef Karthauser [SMTP:joe@pavilion.net] > Sent: Tuesday, September 09, 1997 8:44 AM > To: security@FreeBSD.ORG > Subject: FTP compromise. > > ll versions) > > TESTED: BSDI 3.0 (all patches), FreeBSD 2.2.1 > > DATE: 15th Aug 1997 > > REPEAT BY: Log into a wu_ftp server (either anonymously or as a > user) > and issue the command... > > nlist > ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/ > > ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/ > > ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/ > ../*/../*/../*/../*/../*../*../* > > DESCRIPTION: You can severly compromise the ftp servers > performance. > This command will create a HUGE directory listing, no > matter how many files/directories are in the current > directory (this is recursive). > > CONSEQUENCES: These vary. On my FreeBSD 2.2 box I was able to eat > up > all memory and swap memory until the kernel spewed > "out of swap space" errors and killed a few processes. > It also eats up all available CPU space (up to 99.22% > on my box). If repeated a few times you will no > longer use up swap space and the processor usage will > rocket and stay there for quite a while (hours). > Since > the ftpd program is still processing the command your > ftp session will not idle timeout. However, if you > do decide to kill your attacking ftp session, ftpd > will still process teh command and therefore, the > hosts > resources will take a beating. > > Basically, it looks like any user can severely drain > your systems resources - a kind of Denial of Service > attack. I was able to use up all remaining processor > time for two hours (would have gone on for much longer > only I got bored and kill it). > > CONTACT: You can email me at ener@shell.firehouse.net if you > want to discuss this problem further (or let me know > if it works on any other ftpd). > I found this today. Any comments? > > > BUG: wu_ftpd (all versions) > > TESTED: BSDI 3.0 (all patches), FreeBSD 2.2.1 > > DATE: 15th Aug 1997 > > REPEAT BY: Log into a wu_ftp server (either anonymously or as a > user) > and issue the command... > > nlist > ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/ > > ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/ > > ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/ > ../*/../*/../*/../*/../*../*../* > > DESCRIPTION: You can severly compromise the ftp servers > performance. > This command will create a HUGE directory listing, no > matter how many files/directories are in the current > directory (this is recursive). > > CONSEQUENCES: These vary. On my FreeBSD 2.2 box I was able to eat > up > all memory and swap memory until the kernel spewed > "out of swap space" errors and killed a few processes. > It also eats up all available CPU space (up to 99.22% > on my box). If repeated a few times you will no > longer use up swap space and the processor usage will > rocket and stay there for quite a while (hours). > Since > the ftpd program is still processing the command your > ftp session will not idle timeout. However, if you > do decide to kill your attacking ftp session, ftpd > will still process teh command and therefore, the > hosts > resources will take a beating. > > Basically, it looks like any user can severely drain > your systems resources - a kind of Denial of Service > attack. I was able to use up all remaining processor > time for two hours (would have gone on for much longer > only I got bored and kill it). > > CONTACT: You can email me at ener@shell.firehouse.net if you > want to discuss this problem further (or let me know > if it works on any other ftpd). > > -- > Josef Karthauser > Technical Manager Email: joe@pavilion.net > Pavilion Internet plc. [Tel: +44 1273 607072 Fax: +44 1273 607073]
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?91DD7FDA88E4D011BED00000C0DD87E70BE975>