[24855] in bugtraq
Re: DoS in debian (potato) proftpd
daemon@ATHENA.MIT.EDU (martin f krafft)
Wed Mar 27 17:55:51 2002
Date: Wed, 27 Mar 2002 00:37:59 +0100
From: martin f krafft <madduck@madduck.net>
To: bugtraq@securityfocus.com
Cc: debian security <debian-security@lists.debian.org>
Message-ID: <20020326233758.GA26028@fishbowl.madduck.net>
Mail-Followup-To: bugtraq@securityfocus.com,
debian security <debian-security@lists.debian.org>
In-Reply-To: <20020326071431.A17363@devel.livenote.com>
also sprach Joe Dollard <joed@devel.livenote.com> [2002.03.25.2114 +0100]:
> The version of proftp that is in debian potato (1.2.0pre10 as
> reported by running 'proftpd -v ') is vulnerable to a glob DoS
> attack, as discovered on the 15th March 2001. You can verify this
> bug by logging in to a server running debian stable's proftpd and
> type "ls
> */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*".
> This results with 100% of the CPU and memory resources being
> consumed (more info at http://proftpd.linux.co.uk/critbugs.html),
(please fix your line wraps!)
security.debian.org has proftpd_1.2.0pre10-2.0potato1 which does not
contain this bug, at least not on i386 systems:
fishbowl:~> ncftp lapse.home.madduck.net
NcFTP 3.1.2 (Jan 28, 2002) by Mike Gleason (ncftp@ncftp.com).
Connecting to 192.168.14.3
ProFTPD 1.2.0pre10 Server (Debian) [lapse.home.madduck.net]
Logging in...
Anonymous access granted, restrictions apply.
Logged in to localhost.
ncftp / > ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/.././fw1-4.1-sp3@
lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../../fw1-4.1-sp3@
lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../fw1-4.1-sp3@
lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/.././fw1-4.1-sp4@
lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../../fw1-4.1-sp4@
lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../fw1-4.1-sp4@
lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/.././fw1-4.1-sp5@
lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../../fw1-4.1-sp5@
lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../fw1-4.1-sp5@
<and on for another screen full>
fishbowl:~> ssh lapse 'cat /etc/debian_version; uname -a'
2.2r5
Linux lapse 2.2.20 #1 Tue Feb 12 14:22:30 CET 2002 i486
regards,
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

"i'm always frank and earnest with women.
uh, in new york i'm frank, and in chicago i'm ernest."
-- the long kiss goodnight
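
Added example, not part of the original message and not ProFTPD code: a pre-screen an FTP server could apply to a client-supplied listing pattern, showing why the pattern quoted above is expensive and how to refuse it before matching. The function names and the MAX_WILD_COMPONENTS limit are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limit for this example; tune to the site's needs. */
#define MAX_WILD_COMPONENTS 3

static int has_wildcard(const char *s, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (s[i] == '*' || s[i] == '?' || s[i] == '[') return 1;
    return 0;
}

/* Count path components that contain a wildcard. *dotdot_after_wild is set
 * when a ".." component follows one: that pair re-enters the same directory
 * once per match, so every pair multiplies the matcher's work. */
static int count_wild_components(const char *pat, int *dotdot_after_wild) {
    int wild = 0;
    *dotdot_after_wild = 0;
    while (*pat) {
        size_t len = strcspn(pat, "/");
        if (has_wildcard(pat, len)) wild++;
        else if (len == 2 && pat[0] == '.' && pat[1] == '.' && wild > 0)
            *dotdot_after_wild = 1;
        pat += len;
        while (*pat == '/') pat++;   /* skip separators, incl. repeated ones */
    }
    return wild;
}

/* Upper bound on paths visited, assuming every directory reached holds at
 * most `entries` names: entries^(wildcard components), saturating. */
unsigned long long worst_case_paths(const char *pat, unsigned long long entries) {
    int dd, wild = count_wild_components(pat, &dd);
    unsigned long long total = 1;
    for (int i = 0; i < wild; i++) {
        if (entries != 0 && total > ULLONG_MAX / entries) return ULLONG_MAX;
        total *= entries;
    }
    return total;
}

/* 1 = hand the pattern to the matcher, 0 = refuse the command. */
int glob_pattern_allowed(const char *pat) {
    int dd, wild = count_wild_components(pat, &dd);
    return wild <= MAX_WILD_COMPONENTS && !dd;
}

int main(void) {
    const char *p = "*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*";
    printf("allowed=%d bound(20 entries)=%llu\n",
           glob_pattern_allowed(p), worst_case_paths(p, 20));
    return 0;
}
```

A pre-screen like this complements, and does not replace, resource limits inside the glob implementation itself.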