Date: Fri, 16 Mar 2001 08:12:33 -0500 (EST)
From: "Michael Richards" <michael@fastmail.ca>
To: freebsd-security@FreeBSD.ORG
Cc: bright@wintelcom.net
Subject: Re: Multiple vendors FTP denial of service
Message-ID: <3AB21141.0000E1.28395@frodo.searchcanada.ca>

Normally when I write code to sanitise a user entered path with glob
or .. in it I process the string to remove any directory name
succeeded by a '/..'

There is of course a problem with this generalised optimisation.
/nonexistant/../existant/ succeeds where it shouldn't.

However, when you apply it to a glob, it is implied that '*/..' must
exist. In this case, I believe it is valid to remove any iteration
of '*/..' from the string. This may still, however, leave a crafty
combination of '?' to cause the same problem.
-Michael
>> Actually I think this highly depends on HOW MANY files and
>> directories FTPD can access.
>>
>> I didn't see any damage with a jailed FTPD with 1 directory and 2
>> files.
>
> The only reason you didn't see a problem was because you had
> only one directory.
>
> The DoS works via a simple mechanism.
>
> if you have a dir with two directories in it 'a' and 'b'
>
> */../ -> a/.. b/..
> */../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/..
>
> basically for each ../*/ you do a power N where N is the number
> of directories.

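Added example (not part of the original message or of any ftpd source): a Python sketch of the '*/..' collapsing described above, run against a constructed directory tree to compare the number of glob matches before and after, and to show that a '?/..' pattern passes through unchanged. The function names and the three-directory layout are assumptions made for the illustration.

```python
import glob
import os
import tempfile


def collapse_star_dotdot(pattern):
    """Remove every '*' path component that is directly followed by '..'."""
    out = []
    for part in pattern.split("/"):
        if part == ".." and out and out[-1] == "*":
            out.pop()  # '*/..' cancels out, as proposed in the message
        else:
            out.append(part)
    result = "/".join(out)
    if result == "":
        # Everything cancelled: fall back to the directory we started in.
        # Caveat: where no subdirectory exists, '*/..' matches nothing,
        # while the collapsed form still matches this directory.
        return "/" if pattern.startswith("/") else "."
    return result


def count_matches(root, pattern):
    """Number of paths glob produces for pattern, evaluated under root."""
    return len(glob.glob(os.path.join(root, pattern)))


def demo(n_dirs=3, depth=3):
    """Build a constructed tree with n_dirs one-letter directories and
    count matches for '*/..' and '?/..' repeated depth times."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(n_dirs):
            os.mkdir(os.path.join(root, chr(ord("a") + i)))  # a, b, c, ...
        star = "/".join(["*/.."] * depth)
        qmark = "/".join(["?/.."] * depth)
        return {
            "star_raw": count_matches(root, star),
            "star_collapsed": count_matches(root, collapse_star_dotdot(star)),
            # '?' components are not collapsed, so the growth remains
            "qmark_after_collapse": count_matches(
                root, collapse_star_dotdot(qmark)),
        }


if __name__ == "__main__":
    print(demo())
```

Because the '?' form survives the collapse, a server relying on this normalisation would still need a bound on the number of matches or on expansion time.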