From owner-freebsd-security Tue Sep 9 06:44:28 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id GAA09382 for security-outgoing; Tue, 9 Sep 1997 06:44:28 -0700 (PDT)
Received: from florence.pavilion.net (florence.pavilion.net [194.242.128.25]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id GAA09377 for ; Tue, 9 Sep 1997 06:44:22 -0700 (PDT)
Received: (from joe@localhost) by florence.pavilion.net (8.8.7/8.8.7) id OAA29388; Tue, 9 Sep 1997 14:43:47 +0100 (BST)
Message-ID: <19970909144346.54450@pavilion.net>
Date: Tue, 9 Sep 1997 14:43:46 +0100
From: Josef Karthauser
To: security@freebsd.org
Subject: FTP compromise.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.81
X-NCC-RegID: uk.pavilion
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I found this today. Any comments?

BUG: wu_ftpd (all versions)
TESTED: BSDI 3.0 (all patches), FreeBSD 2.2.1
DATE: 15th Aug 1997

REPEAT BY: Log into a wu_ftp server (either anonymously or as a user) and issue the command...

nlist ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
../*/../*/../*/../*/../*../*../*

DESCRIPTION: You can severely compromise the ftp server's performance. This command will create a HUGE directory listing, no matter how many files/directories are in the current directory (this is recursive).

CONSEQUENCES: These vary. On my FreeBSD 2.2 box I was able to eat up all memory and swap memory until the kernel spewed "out of swap space" errors and killed a few processes. It also eats up all available CPU space (up to 99.22% on my box). If repeated a few times you will no longer use up swap space and the processor usage will rocket and stay there for quite a while (hours). Since the ftpd program is still processing the command your ftp session will not idle timeout. However, if you do decide to kill your attacking ftp session, ftpd will still process the command and therefore the host's resources will take a beating. Basically, it looks like any user can severely drain your system's resources - a kind of Denial of Service attack. I was able to use up all remaining processor time for two hours (it would have gone on for much longer, only I got bored and killed it).

CONTACT: You can email me at ener@shell.firehouse.net if you want to discuss this problem further (or let me know if it works on any other ftpd).

--
Josef Karthauser
Technical Manager
Email: joe@pavilion.net
Pavilion Internet plc. [Tel: +44 1273 607072 Fax: +44 1273 607073]
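The mechanism behind the report above is combinatorial, not recursive in the
tree-walking sense: every `../*` segment re-lists the parent directory once
for each path already matched, so a parent with N entries yields N^k paths
for k segments, and a server that materialises the whole list before writing
it allocates all of that. The following is an added example for this thread,
not code from wu-ftpd, FreeBSD or the original reporter. It builds a small
constructed directory tree, measures what the Python standard-library glob
produces for the reported pattern as the segment count grows, and shows a
hypothetical `bounded_glob` (name and limit are assumptions, not any real
ftpd's option) that expands one path component at a time and refuses the
request as soon as the live candidate set exceeds a fixed limit.

```python
"""Why `nlist ../*/../*/.../*` blows up, and one way a server could refuse it.

Added example; not code from wu-ftpd, FreeBSD or the original reporter.
The tree, the `bounded_glob` defence and its limit are all constructed
for illustration.
"""
import fnmatch
import glob
import os
import tempfile

MAGIC = set("*?[")  # characters that make a path component a pattern


def build_tree(root, width=3):
    """Constructed sample tree: <root>/d0..d{width-1} plus a working dir
    'cwd'. Returns the directory the simulated ftp session sits in."""
    for i in range(width):
        os.mkdir(os.path.join(root, f"d{i}"))
    cwd = os.path.join(root, "cwd")
    os.mkdir(cwd)
    return cwd


def attack_pattern(depth):
    """The reported pattern with `depth` repetitions of '../*'."""
    return "/".join(["../*"] * depth)


def count_matches(cwd, depth):
    """Number of paths a naive, fully materialised glob yields. Each '../*'
    re-lists the parent for every path found so far, so the count is
    (entries in parent) ** depth."""
    return len(glob.glob(os.path.join(cwd, attack_pattern(depth))))


class GlobLimitExceeded(Exception):
    """Raised when expansion would exceed the configured result limit."""


def bounded_glob(cwd, pattern, limit):
    """Hypothetical hardening: expand component by component, keep only the
    live candidate set, and give up as soon as it exceeds `limit`. Because
    the check runs on every intermediate set, the attack pattern is refused
    after a few segments rather than after the whole thing is expanded."""
    paths = [cwd]
    for comp in pattern.split("/"):
        if not comp:
            continue
        nxt = []
        for p in paths:
            if MAGIC & set(comp):
                try:
                    entries = os.listdir(p)
                except OSError:
                    continue  # not a readable directory; nothing matches
                nxt.extend(
                    os.path.join(p, e)
                    for e in entries
                    if not e.startswith(".") and fnmatch.fnmatchcase(e, comp)
                )
            else:
                cand = os.path.join(p, comp)  # literal component such as '..'
                if os.path.lexists(cand):
                    nxt.append(cand)
            if len(nxt) > limit:
                raise GlobLimitExceeded(
                    f"more than {limit} candidates while expanding {pattern!r}"
                )
        paths = nxt
    return paths


def run_demo(width=3, max_depth=3, limit=100):
    """Build the tree, measure match counts for depth 1..max_depth, then show
    the bounded expander rejecting a deeper attack pattern while still
    serving an ordinary one."""
    with tempfile.TemporaryDirectory() as root:
        cwd = build_tree(root, width)
        counts = [count_matches(cwd, d) for d in range(1, max_depth + 1)]
        try:
            bounded_glob(cwd, attack_pattern(2 * max_depth), limit)
            rejected = False
        except GlobLimitExceeded:
            rejected = True
        benign = len(bounded_glob(cwd, "../d*", limit))
    # the parent holds `width` sibling dirs plus cwd itself
    return {"entries": width + 1, "counts": counts,
            "rejected": rejected, "benign": benign}


if __name__ == "__main__":
    r = run_demo()
    for d, n in enumerate(r["counts"], 1):
        print(f"depth {d}: {n} paths (= {r['entries']}^{d})")
    print("attack pattern rejected by bounded_glob:", r["rejected"])
    print("benign '../d*' still served, matches:", r["benign"])
```

With three sibling directories the parent has four entries, so the counts
go 4, 16, 64 for one, two and three segments; the forty-odd segments in the
posted command would be 4^40 against even this tiny tree, which is why the
directory contents do not matter. The bounded expander stops the same
request at the fourth `*` with a limit of 100, and the check costs nothing
for normal listings.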