From owner-freebsd-security  Tue Sep  9 10:42:29 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id KAA22822
          for security-outgoing; Tue, 9 Sep 1997 10:42:29 -0700 (PDT)
Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA22809
          for <security@FreeBSD.ORG>; Tue, 9 Sep 1997 10:42:25 -0700 (PDT)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id UAA19350; Tue, 9 Sep 1997 20:12:38 +0200
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10])
	by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id TAA04601;
	Tue, 9 Sep 1997 19:49:02 +0200 (CEST)
Received: (from regnauld@localhost)
	by deepo.prosa.dk (8.8.5/8.8.5/prosa-1.1) id TAA01220;
	Tue, 9 Sep 1997 19:41:22 +0200 (CEST)
Message-ID: <19970909194121.10288@deepo.prosa.dk>
Date: Tue, 9 Sep 1997 19:41:21 +0200
From: Philippe Regnauld <regnauld@deepo.prosa.dk>
To: Josef Karthauser <joe@pavilion.net>
Cc: security@FreeBSD.ORG
Subject: Re: FTP compromise.
References: <19970909144346.54450@pavilion.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Description: Main Body
X-Mailer: Mutt 0.69
In-Reply-To: <19970909144346.54450@pavilion.net>; from Josef Karthauser on Tue, Sep 09, 1997 at 02:43:46PM +0100
X-Operating-System: FreeBSD 2.2.1-RELEASE i386
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Josef Karthauser writes:
> ll versions)
> 
> TESTED:         BSDI 3.0 (all patches), FreeBSD 2.2.1
> 
> DATE:           15th Aug 1997
> 
> REPEAT BY:      Log into a wu_ftp server (either anonymously or as a user)
>                 and issue the command...
>                 
>                 nlist ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
>                 ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
>                 ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
>                 ../*/../*/../*/../*/../*../*../*

	Behaves differently depending on client.

	stock ftp in -current (as of 28/07) makes ftpd eat 45% cpu, but
	no noticeable memory footprint increase.
	Killling ftp (the client) solves the problem.

	With ncftp2, I get ftpd at 10-12% cpu, in a biowait loop, and
	constant seeking on the disks. Killing ftpD is the only way out.


-- 
                                                              -- Phil

-[ Philippe Regnauld  /  Systems Administrator  /  regnauld@deepo.prosa.dk ]-
-[ Location.: +55.4N +11.3E        PGP Key: finger regnauld@hotel.prosa.dk ]-