Date: Mon, 02 Oct 2000 13:28:39 -0600
From: Brett Glass <brett@lariat.org>
To: Alex Charalabidis <alex@wnm.net>
Cc: "Chris D . Faulhaber" <jedgar@fxp.org>, security@FreeBSD.ORG
Subject: Re: ftpd bug in FreeBSD through at least 3.4
Message-ID: <4.3.2.7.2.20001002125825.00de8f00@localhost>
In-Reply-To: <Pine.BSF.4.21.0010021340020.90099-100000@earth.wnm.net>
References: <4.3.2.7.2.20001002123113.049344d0@localhost>
At 12:51 PM 10/2/2000, Alex Charalabidis wrote:

>Yes it does. It was posted to bugtraq as a proftpd bug on 25 Jul 00 by
>Carlos Eduardo Gorges <carlos@VT.COM.BR>. I confirmed the bug existed on
>our 6.00LS too (and promptly forgot :P). As far as I know, there have been
>no exploits and it's not even a DoS since the parent process is
>unaffected. The default FreeBSD ftp client crashes before the server
>process does, so you can only see the problem with a client on a different
>OS (oddly enough, the MS-DOS 7 client seems to be the only one that
>creates no problems at all).

Interesting. It appears that my earlier tests were not conclusive because there were problems in both the server AND the client. Thank you for pointing this out!

Let's try testing the server with the MS-DOS 7 client, so that any problems with the FreeBSD FTP client are not a factor. I am now using the MS-DOS 7 client and connecting to a FreeBSD 4.1+ server (running FreeBSD 4.1-20000916-STABLE). Here's what I see from the client side:

ftp> quote %s%s%s%s%s
500 '+H|X++_YX++|¶QUOTE %s%s%s%s%s(null)%s%s%s%s%s': command not understood.

This means that while the FreeBSD FTP client crashed (and generated the segfault message), the server did not crash. However, there's still junk in the message sent back by the server, which indicates that I may be getting at the stack here.

What's more, when I do a ps -ax on the server, I see (user and host names changed):

19119 ?? Is 0:00.05 ftpd: host.com: user: \M-8H|\^Cx\M-C\M-8\M-`y\^Cx\M-C\M-8|\^Tquote %s%s%s%s%s(null)%s%s%s%s%s\

Oops! We've got a bit of weirdness on the server side too, though it did not crash. Can this be exploited?

Now, let's send a command with more %s format directives to the server:

ftp> quote %s%s%s%s%s%s%s%s%s%s
(Nothing)

The ftpd process on the server is alive but seems to be hung parsing the command.

So, something is amiss, but to what extent it is exploitable I can't tell. It DOES happen even in 4.1, though.
Haven't looked into why the FreeBSD clients from FreeBSD 3.4 and prior crashed. So, I cannot tell as yet whether a hostile server can do nasty things to them or not.

--Brett
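The symptoms Brett describes (stack contents echoed back in the 500 reply and in the ps title, a hang on ten %s directives) are the classic signature of a client-supplied command reaching a printf-style function as the format string. The following is an added C example, not code from the thread or from FreeBSD's ftpd, showing the hardened form of the two places the message points at (the error reply and the process title) plus a check a server could use to log such probes; the helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hardened error reply: the client's command is passed as an ARGUMENT to a
 * fixed format string, so "%s%s%s%s%s" in the input stays literal text
 * instead of walking the stack. The unsafe pattern this replaces is
 * snprintf(out, outlen, cmd) or reply(500, cmd). */
int reply_bad_command(char *out, size_t outlen, const char *cmd)
{
    return snprintf(out, outlen, "500 '%s': command not understood.", cmd);
}

/* Same rule for the process title seen in ps: format into a private buffer
 * first, and hand that buffer to setproctitle()-style code only through a
 * "%s" format, never as the format string itself. */
int build_proctitle(char *out, size_t outlen,
                    const char *host, const char *user, const char *cmd)
{
    return snprintf(out, outlen, "ftpd: %s: %s: %s", host, user, cmd);
}

/* Defensive check: count conversion specifiers in untrusted input so the
 * server can log or flag commands like the "quote %s%s%s%s%s" probe above.
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}
```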