From: "Michael Richards"
To: freebsd-security@FreeBSD.ORG
Cc: bright@wintelcom.net
Subject: Re: Multiple vendors FTP denial of service
Date: Fri, 16 Mar 2001 08:12:33 -0500 (EST)
Message-Id: <3AB21141.0000E1.28395@frodo.searchcanada.ca>

Normally when I write code to sanitise a user-entered path with a glob or '..' in it, I process the string to remove any directory name succeeded by '/..'.

There is of course a problem with this generalised optimisation: /nonexistent/../existent/ succeeds where it shouldn't.

However, when you apply it to a glob, it is implied that '*/..' must exist. In this case, I believe it is valid to remove any iteration of '*/..' from the string. This may still, however, leave a crafty combination of '?' to cause the same problem.

-Michael

>> Actually I think this highly depends on HOW MANY files and
>> directories FTPD can access.
>>
>> I didn't see any damage with a jailed FTPD with 1 directory and 2
>> files.
>
> The only reason you didn't see a problem was because you had
> only one directory.
>
> The DoS works via a simple mechanism.
>
> if you have a dir with two directories in it 'a' and 'b'
>
> */../ -> a/.. b/..
> */../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/..
>
> basically for each ../*/ you do a power N where N is the number
> of directories.
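The three points made above (the N^k fan-out of `*/../*/..`, why a textual "drop any `name/..`" shortcut is unsafe, and why the narrower "drop `*/..`" rule still leaves `?/..` open) can be seen in a few dozen lines. The following is an added illustration written for this archive page; it is not FreeBSD's ftpd, libc glob(3), or code from anyone in the thread. It expands patterns over a small in-memory directory tree (constructed here, not a real filesystem) the way a naive glob does, one segment at a time with `..` treated as just another segment, so every candidate path is counted before anything is canonicalised. The regexes and the helper names `expand`, `textual_collapse` and `strip_star_dotdot` are this example's own.

```python
import fnmatch
import re

# Constructed sample tree (not a real filesystem): absolute dir path -> child names.
# Three top-level directories stand in for the 'a' and 'b' of the thread's example.
TREE = {
    "/": {"a", "b", "c"},
    "/a": set(),
    "/b": set(),
    "/c": set(),
}


def _children(tree, comps):
    """Directory entries of the directory named by the component list."""
    return sorted(tree.get("/" + "/".join(comps), set()))


def expand(tree, pattern):
    """Expand PATTERN over TREE the way a naive glob does: every wildcard
    segment fans out over all matching entries, and '..' is matched as a
    plain segment before any canonicalisation. The raw matched strings are
    returned, so paths that resolve to the same directory are all kept;
    that duplication is the blow-up the thread describes (N^k candidates
    for k wildcard segments over N directories)."""
    segments = pattern.strip("/").split("/")
    matches = []

    def walk(i, comps, raw):
        if i == len(segments):
            matches.append("/".join(raw))
            return
        seg = segments[i]
        if seg in ("", "."):
            walk(i + 1, comps, raw + [seg])
        elif seg == "..":
            walk(i + 1, comps[:-1], raw + [seg])
        elif any(ch in seg for ch in "*?["):
            for name in _children(tree, comps):
                if fnmatch.fnmatchcase(name, seg):
                    walk(i + 1, comps + [name], raw + [name])
        elif seg in _children(tree, comps):
            walk(i + 1, comps + [seg], raw + [seg])

    walk(0, [], [])
    return matches


# Hypothetical sanitiser rules, written for this example.
_NAME_DOTDOT = re.compile(r"(?:^|/)[^/]+/\.\.(?=/|$)")  # any 'name/..' pair
_STAR_DOTDOT = re.compile(r"(?:^|/)\*/\.\.(?=/|$)")     # only a literal '*/..' pair


def textual_collapse(pattern):
    """The generalised shortcut the post warns about: drop ANY 'name/..'
    pair as text. 'nonexistent/../a' becomes 'a' and then succeeds even
    though 'nonexistent' was never there."""
    return _NAME_DOTDOT.sub("", pattern).lstrip("/") or "."


def strip_star_dotdot(pattern):
    """The narrower rule from the post: only a literal '*/..' pair is
    dropped, since '*' can only match something that exists, so the pair
    is pure fan-out. Repeated until stable so nested pairs go too."""
    prev = None
    while prev != pattern:
        prev, pattern = pattern, _STAR_DOTDOT.sub("", pattern)
    return pattern.lstrip("/") or "."


if __name__ == "__main__":
    for pat in ("*/..", "*/../*/..", "*/../*/../*/..", "?/../?/.."):
        print(f"{pat:20} -> {len(expand(TREE, pat))} candidates, "
              f"after strip_star_dotdot: {strip_star_dotdot(pat)!r}")
    print("nonexistent/../a via glob      :", expand(TREE, "nonexistent/../a"))
    print("nonexistent/../a via collapse  :", expand(TREE, textual_collapse("nonexistent/../a")))
```

Running it shows 3, 9 and 27 candidates for one, two and three `*/..` pairs over three directories, all collapsing to `.` after `strip_star_dotdot`, while `?/../?/..` is untouched by that rule and still fans out to 9. It also shows the first caveat: the real glob returns nothing for `nonexistent/../a`, but the textual collapse turns it into `a`, which matches.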