[23584] in bugtraq


Re: ProFTPD - Problems in file globbing, gives segmentation fault.

daemon@ATHENA.MIT.EDU (Moritz Grimm)
Thu Dec 20 20:45:07 2001

Message-ID: <3C214EB3.920FBA4B@gmx.net>
Date: Thu, 20 Dec 2001 03:36:35 +0100
From: Moritz Grimm <gtgbr@gmx.net>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Mattias _ wrote:
> AFFECTED VERSIONS
> =================
> ProFTPD 1.2.4
> ProFTPD 1.2.2rc3
> (Others may be affected as well.)
> 
> SYSTEMS
> =======
> This is tested on Slackware 8.
> 
> IMPACT
> ======
> The ftpd-child dies with signal 11 (SEGV), but the server stays up.
> The question is if it’s possible to do something nasty with this!?

I'm running ProFTPD 1.2.2 under OpenBSD 2.8.

The following happened when I tried it locally:

<snip>
Connected to localhost.
220 FTP Server ready.
Name (localhost:maxx): 
331 Password required for maxx.
Password:
230 User maxx logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ////////////////////////////
500 EPSV not understood.
227 Entering Passive Mode (127,0,0,1,134,172).
150 Opening ASCII mode data connection for file list

^C
receive aborted
waiting for remote to finish abort.
421 Service not available, remote server has closed connection.
</snip>

The logs show the following many times:

Dec 20 01:27:13 phoenix proftpd in free(): warning: modified (chunk-) pointer.
Dec 20 01:27:13 phoenix proftpd in free(): warning: junk pointer, too high to make sense.
Dec 20 01:27:13 phoenix proftpd in free(): warning: junk pointer, too low to make sense.

Both server and child didn't die. After getting disconnected, the child
process was still there and I had to kill -9 it. While it was running,
the computer showed symptoms of 100% CPU usage. Everything became pretty
slow, but not unusable (no real DoS). After killing the child,
everything went back to normal.

I wasn't able to remotely reproduce this behavior. Here's what happened
when using the Win2000 command line ftp from another box:

<snip>
230 Anonymous access granted, restrictions apply.
ftp> ls ////////////////////////////
200 PORT command successful.
150 Opening BINARY mode data connection for file list.
/////////////////////////////uploads
/////////////////////////////welcome.msg
/////////////////////////////pub
/////////////////////////////tmp
226 Transfer complete.
FTP: 148 Bytes empfangen in 0,07Sekunden 2,11KB/s
</snip>

This time, nothing weird happened.

I hope this is of some use to you.


Moritz

-- 
_______________________________________________________________________
"They who would give up an essential liberty for temporary security,
deserve   neither   liberty   or   security"  -  Benjamin   Franklin
