From owner-freebsd-security Fri Mar 16 6:31: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gyw.com (gyw.com [209.55.67.177])
	by hub.freebsd.org (Postfix) with ESMTP id 90AEE37B719
	for ; Fri, 16 Mar 2001 06:30:59 -0800 (PST)
	(envelope-from tjk@tksoft.com)
Received: from smtp3.tksoft.com (smtp3.tksoft.com [192.168.50.56] (may be forged))
	by gyw.com (8.8.8/8.8.8) with ESMTP id GAA26051;
	Fri, 16 Mar 2001 06:47:31 -0800
Received: (from tjk@tksoft.com)
	by smtp3.tksoft.com (8.8.8/8.8.8) id GAA17664;
	Fri, 16 Mar 2001 06:17:49 -0800
From: "tjk@tksoft.com"
Message-Id: <200103161417.GAA17664@smtp3.tksoft.com>
Subject: Re: Multiple vendors FTP denial of service (fwd)
To: bright@wintelcom.net (Alfred Perlstein)
Date: Fri, 16 Mar 2001 06:17:48 -0800 (PST)
Cc: apina@infolink.com.br (Antonio Carlos Pina), freebsd-security@FreeBSD.ORG
In-Reply-To: <20010315155234.G29888@fw.wintelcom.net> from "Alfred Perlstein" at Mar 15, 2001 03:52:34 PM
X-Info: None
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

One solution I can think of is to use a hash table for interpreting
the glob results, and count duplicate listings of directories/files.
Then truncate the results if the duplicates exceed x times valid keys
in the hash (or report an error, or both.)

I don't know if there is a set of hash routines available, but if not,
one could use a tree (tsearch) to accomplish the same.

All this depends on the file listings being first converted to the
shortest path to the file. I.e. "/etc/../etc/yadayada.txt" would become
"/etc/yadayada.txt" before being added to the list. I presume this is
already done.

The other solution is to always reduce the original path to its
shortest form, to avoid recursive listings of directories. Sounds
a simpler and faster approach. If only someone's got foolproof logic
to accomplish this. Removing certain strings might work.

Sounds like frustrating extra work, but since there is a problem,
what else are you going to do?

Troy

>
> * Antonio Carlos Pina [010315 15:17] wrote:
> > Hello,
> >
> > Actually I think this highly depends on HOW MANY files and
> > directories FTPD can access.
> >
> > I didn't see any damage with a jailed FTPD with 1 directory and 2
> > files.
>
> The only reason you didn't see a problem was because you had
> only one directory.
>
> The DoS works via a simple mechanism.
>
> if you have a dir with two directories in it 'a' and 'b'
>
> */../ -> a/.. b/..
> */../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/..
>
> basically for each ../*/ you do a power N where N is the number
> of directories.
>
> How could this be fixed? I think it's somewhat simple,
> have glob() maintain a truncated version of paths and
> make sure that any collisions are detected.
>
> Of course this is only speculation since I haven't looked
> at the code.
>
> --
> -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
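
Added example, not part of the thread and not FreeBSD's ftpd or glob() code: the two ideas discussed above in C, reducing each expanded path to its shortest lexical form and recording results in a tsearch(3) tree, stopping once duplicates exceed `factor` times the unique keys. The names `normalize_path`, `listing_add` and `struct listing` are hypothetical, and the code assumes symlinks do not need resolving.

```c
#define _XOPEN_SOURCE 700   /* strdup(3), tsearch(3) */
#include <search.h>
#include <stdlib.h>
#include <string.h>

/* Lexically reduce path in place; symlinks are not resolved (assumption). */
void normalize_path(char *path)
{
    char *src = path, *dst = path, *base;
    size_t len;

    if (*src == '/') *dst++ = '/';
    base = dst;                     /* ".." never backs up past base */
    while (src += strspn(src, "/"), (len = strcspn(src, "/")) != 0) {
        int dotdot = (len == 2 && src[0] == '.' && src[1] == '.');
        if (dotdot && dst > base) { /* ".." cancels the previous component */
            while (dst > base && dst[-1] != '/')
                dst--;
            dst -= (dst > base);    /* and its separator */
        } else if (!(dotdot && path[0] == '/') && !(len == 1 && src[0] == '.')) {
            if (dst != path && dst[-1] != '/')
                *dst++ = '/';
            memmove(dst, src, len);
            dst += len;
            if (dotdot) base = dst; /* keep leading "../" of a relative path */
        }
        src += len;
    }
    if (dst == path && src != path)
        *dst++ = '.';               /* e.g. "a/.." is the current directory */
    *dst = '\0';
}

/* Hypothetical per-request state: tsearch(3) tree of paths already listed. */
struct listing { void *seen; size_t unique, dups, factor; };
static int cmp_str(const void *a, const void *b) { return strcmp(a, b); }

/* 1 = new, 0 = duplicate dropped, -1 = stop (OOM or dups > factor * unique). */
int listing_add(struct listing *l, const char *raw)
{
    char *key = strdup(raw);
    if (key == NULL) return -1;
    normalize_path(key);
    char **node = tsearch(key, &l->seen, cmp_str);
    if (node != NULL && *node == key) { l->unique++; return 1; }
    free(key);
    if (node == NULL) return -1;
    return ++l->dups > l->factor * l->unique ? -1 : 0;
}
```

Fed the four constructed results of `*/../*/..` from the quoted message with `factor` set to 1, the first is recorded as ".", the second is dropped as a duplicate, and the third returns -1 so the caller can truncate the listing or report an error.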