From owner-freebsd-bugs Wed Aug 27 07:09:32 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA05353 for bugs-outgoing; Wed, 27 Aug 1997 07:09:32 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA05348 for ; Wed, 27 Aug 1997 07:09:30 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id KAA24147; Wed, 27 Aug 1997 10:09:28 -0400 (EDT)
Date: Wed, 27 Aug 1997 10:09:28 -0400 (EDT)
From: ENERGiZER
X-Sender: energizr@orion.webspan.net
To: freebsd-bugs@FreeBSD.ORG
cc: energizr@webspan.net
Subject: another ftpd bug (denial of service attack by stealing CPU)
In-Reply-To: <199708151242.IAA29995@station1.firehouse.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

hi, i reported this bug to BSDI weeks ago. according to the developer i spoke to, the effects this attack had on FreeBSD were worse than on BSDI. strictly, this is not a FreeBSD bug but a problem with the ftpd bundled with FreeBSD. Hopefully you can get them to fix this as soon as possible, I'm thinking of putting this one on my web page in a few weeks. here's the bug...

Description:
ftp into a site (either anonymous or as a user), execute nlist ../*/../*/../*/../*/../*/../*/../*/../*/../* etc... as many ../*'s as you can do and exit (kill ftp). You will leave a process running that will take all of the CPU available. Multiples are able to be started and eventually, I guess could lead to resource exhaustion.

Effects:
Since ftpd is executed as root on FreeBSD there is no limit to the amount of resources ftpd can take up. When i tried this on my FreeBSD 2.2.x box it ran out of swap (used over 256meg) and processor usage on that process shot up to 99.22%.
what this command actually does is create a huge looping directory listing, so i guess ftpd tries to allocate memory for this listing but it's very big =)

hope you can get this one fixed, i reckon it will work on nearly all (if not all) unix ftpd's.

I hope this is of some help,
ENER.
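
Added example, not part of the original message and not FreeBSD's ftpd code: one way a server could bound the cost of a client-supplied listing pattern before expanding it, and cap the CPU and memory of the process doing the expansion. The function names and the limits are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <sys/resource.h>

#define MAX_WILD_COMPONENTS 3   /* assumed policy: wildcard path segments allowed */
#define MAX_PATTERN_LEN     256 /* assumed policy: longest pattern accepted */

/* Count path components containing a glob metacharacter (* ? [).
 * Every such component multiplies the number of paths glob(3) must visit,
 * so "../*" repeated k times costs roughly (entries per directory)^k.
 * Backslash-escaped metacharacters are counted too, which only makes the
 * check stricter. */
int wild_components(const char *pattern)
{
    int count = 0, in_wild = 0;
    for (const char *p = pattern; ; p++) {
        if (*p == '/' || *p == '\0') {
            count += in_wild;       /* close the component just scanned */
            in_wild = 0;
            if (*p == '\0')
                break;
        } else if (*p == '*' || *p == '?' || *p == '[') {
            in_wild = 1;
        }
    }
    return count;
}

/* Return 1 if the pattern may be handed to glob(3), 0 if it is refused. */
int pattern_allowed(const char *pattern)
{
    if (strlen(pattern) > MAX_PATTERN_LEN)
        return 0;
    return wild_components(pattern) <= MAX_WILD_COMPONENTS;
}

/* Call in the per-session process before expanding any pattern, so that a
 * listing that still runs away is stopped by the kernel. Returns 0 on
 * success, -1 on failure. */
int confine_listing(rlim_t cpu_seconds, rlim_t mem_bytes)
{
    struct rlimit cpu = { cpu_seconds, cpu_seconds };
    struct rlimit mem = { mem_bytes, mem_bytes };
    if (setrlimit(RLIMIT_CPU, &cpu) != 0)
        return -1;
    return setrlimit(RLIMIT_AS, &mem);
}
```

The pattern check is a cheap first filter; the resource limits are the backstop for patterns that pass it but hit unusually large directories.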