Date: Mon, 2 Oct 2000 16:05:00 -0500 (CDT)
From: James Wyatt
To: Brett Glass
Cc: Alex Charalabidis, "Chris D. Faulhaber", security@FreeBSD.ORG
Subject: Re: ftpd bug in FreeBSD through at least 3.4
In-Reply-To: <4.3.2.7.2.20001002125825.00de8f00@localhost>

On Mon, 2 Oct 2000, Brett Glass wrote:

> At 12:51 PM 10/2/2000, Alex Charalabidis wrote:
> >Yes it does. It was posted to bugtraq as a proftpd bug on 25 Jul 00 by
> >Carlos Eduardo Gorges. I confirmed the bug existed on
> >our 6.00LS too (and promptly forgot :P). As far as I know, there have been
> >no exploits and it's not even a DoS since the parent process is
> >unaffected. The default FreeBSD ftp client crashes before the server
> >process does, so you can only see the problem with a client on a different
> >OS (oddly enough, the MS-DOS 7 client seems to be the only one that
> >creates no problems at all).
>
> Interesting. It appears that my earlier tests were not conclusive because
> there were problems in both the server AND the client. Thank you for
> pointing this out!

There are no survivors... (^_^)

> Let's try testing the server with the MS-DOS 7 client, so that any problems
> with the FreeBSD FTP client are not a factor.
>
> I am now using the MS-DOS 7 client and connecting to a FreeBSD 4.1+ server
> (running FreeBSD 4.1-20000916-STABLE). Here's what I see from the client side:
>
> ftp> quote %s%s%s%s%s
> 500 '+H|X++_YX++|¶QUOTE %s%s%s%s%s(null)%s%s%s%s%s': command not understood.
>
> This means that while the FreeBSD FTP client crashed (and generated the segfault
> message), the server did not crash. However, there's still junk in the message
> sent back by the server, which indicates that I may be getting at the stack
> here.

Let me get this straight: A DOS executable survived better than a FreeBSD one?
It also let you hurt the server more? Thanks for testing folks.

Does everyone see the irony in this or is it just me? - Jy@
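The reply Brett quotes above ("500 '...junk...QUOTE %s%s%s%s%s(null)...': command not understood.") is the signature of a printf-style function being handed the client's own command text as its format argument: every "%s" in the command makes the function read a pointer off the stack and print it. The following C program is an added example written for this page; it is not code from the thread and not FreeBSD's or proftpd's ftpd source. It shows the hardened way to build such a reply (the untrusted text goes in as data under a fixed "%s" format, so conversion characters are copied literally), and a small helper a defender can use to flag command lines carrying conversion directives in server-side command logging. The function names (ftp_reply_unknown, count_conversions) are hypothetical, and the probe string in main() is constructed from the one shown in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Bug shape discussed in the thread (do NOT write this): the client's text
 * becomes the format string, so "%s%s%s%s%s" pulls pointers off the stack
 * into the reply, which is the "junk in the message" seen from the client:
 *
 *     snprintf(body, sizeof body, client_cmd);        // wrong: text is FORMAT
 *
 * Hardened form: the client's text is an ARGUMENT to a fixed "%s" format,
 * so any '%' it contains is copied literally and never interpreted.
 * Hypothetical function name; not the daemon's real reply routine. */
int ftp_reply_unknown(char *out, size_t n, int code, const char *client_cmd)
{
    char body[256];
    snprintf(body, sizeof body, "%s", client_cmd);     /* right: text is DATA */
    return snprintf(out, n, "%d '%s': command not understood.", code, body);
}

/* Detection aid: count printf conversion directives in a client command line.
 * A legitimate FTP command contains none; the "quote %s%s%s%s%s" probe from
 * the thread scores 5. A server that logs received commands can use a count
 * above zero to flag format-string probing. "%%" is a literal percent sign
 * and a trailing lone '%' is not a directive. */
int count_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {        /* escaped percent: skip both characters */
            p++;
            continue;
        }
        if (p[1] == '\0')         /* lone '%' at end of line */
            break;
        count++;
    }
    return count;
}

int main(void)
{
    char out[512];
    /* Constructed sample input, modelled on the probe quoted in the thread. */
    const char *probe = "QUOTE %s%s%s%s%s";

    ftp_reply_unknown(out, sizeof out, 500, probe);
    printf("%s\n", out);   /* 500 'QUOTE %s%s%s%s%s': command not understood. */
    printf("conversion directives in command: %d\n", count_conversions(probe));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes the wrong form in the comment a compiler warning (non-literal format string with no arguments), which is the cheapest audit for this defect class across a daemon's reply and logging paths.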