Date: Fri, 16 Mar 2001 06:17:48 -0800 (PST)
From: "tjk@tksoft.com" <tjk@tksoft.com>
To: bright@wintelcom.net (Alfred Perlstein)
Cc: apina@infolink.com.br (Antonio Carlos Pina), freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <200103161417.GAA17664@smtp3.tksoft.com>
In-Reply-To: <20010315155234.G29888@fw.wintelcom.net> from "Alfred Perlstein" at Mar 15, 2001 03:52:34 PM

One solution I can think of is to use a hash table for interpreting
the glob results, and count duplicate listings of directories/files.
Then truncate the results if the duplicates exceed x times valid keys
in the hash (or report an error, or both.)

I don't know if there is a set of hash routines available, but if not,
one could use a tree (tsearch) to accomplish the same.

All this depends on the file listings being first converted to the
shortest path to the file. I.e. "/etc/../etc/yadayada.txt" would
become "/etc/yadayada.txt" before being added to the list. I presume
this is already done.

The other solution is to always reduce the original path to its
shortest form, to avoid recursive listings of directories. Sounds like
a simpler and faster approach. If only someone's got foolproof logic
to accomplish this. Removing certain strings might work.

Sounds like frustrating extra work, but since there is a problem, what
else are you going to do?

Troy

>
> * Antonio Carlos Pina <apina@infolink.com.br> [010315 15:17] wrote:
> > Hello,
> >
> > Actually I think this highly depends on HOW MANY files and
> > directories FTPD can access.
> >
> > I didn't see any damage with a jailed FTPD with 1 directory and 2
> > files.
>
> The only reason you didn't see a problem was because you had
> only one directory.
>
> The DoS works via a simple mechanism.
>
> if you have a dir with two directories in it 'a' and 'b'
>
> */../ -> a/.. b/..
> */../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/..
>
> basically for each ../*/ you do a power N where N is the number
> of directories.
>
> How could this be fixed? I think it's somewhat simple,
> have glob() maintain a truncated version of paths and
> make sure that any collisions are detected.
>
> Of course this is only speculation since I haven't looked
> at the code.
>
> --
> -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message