From owner-freebsd-security Thu Mar 15 15:52:39 2001
Date: Thu, 15 Mar 2001 15:52:34 -0800
From: Alfred Perlstein
To: Antonio Carlos Pina
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315155234.G29888@fw.wintelcom.net>
References: <3ab14d6c.31f.0@infolink.com.br>
In-Reply-To: <3ab14d6c.31f.0@infolink.com.br>; from apina@infolink.com.br on Thu, Mar 15, 2001 at 08:17:00PM -0500

* Antonio Carlos Pina [010315 15:17] wrote:
> Hello,
>
> Actually I think this highly depends on HOW MANY files and
> directories FTPD can access.
>
> I didn't see any damage with a jailed FTPD with 1 directory and 2
> files.

The only reason you didn't see a problem was because you had only one
directory.

The DoS works via a simple mechanism. If you have a dir with two
directories in it, 'a' and 'b':

  */../     -> a/.. b/..
  */../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/..

Basically for each ../*/ you do a power N where N is the number of
directories.

How could this be fixed? I think it's somewhat simple, have glob()
maintain a truncated version of paths and make sure that any collisions
are detected. Of course this is only speculation since I haven't looked
at the code.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
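
The expansion described in the message above, as an added example that is not part of the original message and is not FreeBSD's glob() code: an in-memory model that expands a pattern one segment at a time, first naively and then with the collision check the message speculates about. The tree, the function names and the (typed path, canonical directory) bookkeeping are assumptions made for illustration; symlinks are not modelled.

```python
import fnmatch
import posixpath

# Constructed sample tree: directory -> names of its subdirectories.
TREE = {"/": ["a", "b"]}

def expand(tree, pattern, dedupe, root="/"):
    """Expand a relative pattern one path segment at a time.

    Each working entry is (path_as_typed, canonical_directory). With
    dedupe=True an entry is dropped when its canonical directory collides
    with one already produced at the same step.
    Returns (expanded_paths, peak_working_set_size).
    """
    work, peak = [("", root)], 1
    for seg in filter(None, pattern.split("/")):
        nxt, seen = [], set()
        for typed, canon in work:
            if seg == "..":
                # Parent of the root is the root itself.
                targets = [("..", posixpath.dirname(canon))]
            else:
                targets = [(name, posixpath.join(canon, name))
                           for name in sorted(tree.get(canon, []))
                           if fnmatch.fnmatchcase(name, seg)]
            for name, new_canon in targets:
                if dedupe and new_canon in seen:
                    continue  # collision: same real directory reached again
                seen.add(new_canon)
                nxt.append((posixpath.join(typed, name), new_canon))
        work = nxt
        peak = max(peak, len(work))
    return [typed for typed, _ in work], peak

def growth(n_dirs, repeats):
    """Result counts for '*/..' repeated `repeats` times over n_dirs directories."""
    tree = {"/": [f"d{i}" for i in range(n_dirs)]}
    pattern = "/".join(["*", ".."] * repeats)
    naive, _ = expand(tree, pattern, dedupe=False)
    collapsed, peak = expand(tree, pattern, dedupe=True)
    return len(naive), len(collapsed), peak

if __name__ == "__main__":
    print(expand(TREE, "*/../*/..", dedupe=False)[0])
    for k in range(1, 6):
        print(k, growth(4, k))
```

With the collision check the working set never exceeds the number of real directories, at the cost of returning one spelling per directory instead of every spelling the pattern could produce.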