[15966] in bugtraq
Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1
daemon@ATHENA.MIT.EDU (Daniel Jacobowitz)
Wed Jul 26 14:50:20 2000
Message-Id: <20000725155856.A14538@drow.them.org>
Date: Tue, 25 Jul 2000 15:58:56 -0700
Reply-To: Daniel Jacobowitz <drow@FALSE.ORG>
From: Daniel Jacobowitz <drow@FALSE.ORG>
X-To: Carlos Eduardo Gorges <carlos@VT.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <00072516114600.09191@quarks.techlinux>; from carlos@VT.COM.BR on Tue, Jul 25, 2000 at 04:11:16PM -0300
On Tue, Jul 25, 2000 at 04:11:16PM -0300, Carlos Eduardo Gorges wrote:
> Hi all,
>
> I found several bugs in all the versions of proftp ( tested in proftp
> 1.2.0pre6, proftp 1.2.0pre10 and proftp 1.2.0rc1 ).
>
> All involve parse of characters
> for example,
> connects in a proftpd host and
>
> ftp> quote %999s
>
> voyala !
> the children stops in segfail : -)
<sigh>
<irony> First, I'd like to thank you for doing the respectable and
social thing and notifying the vendors and author before posting to
BUGTRAQ</irony>. Remember when people had common decency and did that,
allowing us to get fixes deployed before people had a chance to panic?
We've been through this before. That is not quite as simple as it
appears. Witness (server text indented for clarity):
drow:~% nc -v 0 21
0: inverse host lookup failed: Unknown host
(UNKNOWN) [0.0.0.0] 21 (ftp) open
220 ProFTPD 1.2.0pre9 Server (ProFTPD) [hostname]
USER ftp
331 Anonymous login ok, send your complete e-mail address as password.
PASS dan@
230-Welcome, archive user ftp@hostname !
230-
230-The local time is: Tue Jul 25 15:19:50 2000
230-
230-This is an experimental FTP server. If have any unusual problems,
230-please report them via e-mail to <root@hostname>.
230-
230 Anonymous access granted, restrictions apply.
%999s
500 %999S not understood.
Vs:
drow@quaketop:~% socksify ftp hostname
Connected to hostname.
220 ProFTPD 1.2.0pre9 Server (ProFTPD) [hostname]
Name (hostname:drow): ftp
331 Anonymous login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user ftp@hostname !
230-
230-The local time is: Tue Jul 25 15:23:07 2000
230-
230-This is an experimental FTP server. If have any unusual problems,
230-please report them via e-mail to <root@hostname>.
230-
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote %999s
421 Service not available, remote server has closed connection
What's the difference, you ask? FTP is vulnerable to mishandling %
characters also. The format string gets expanded by the client. This
is something different than a format string bug.
In fact, from my examination, it appears to be a bug of a whole
different class - a "paper bag" bug. A command of " " works just as
well. If the command is entirely (or far enough for ProFTPd to discard
the rest of it for safety, about 512 chars) blank, then make_cmd will
set newcmd->argv[0] to null, and dispatch_cmd will try to dereference
it.
Embarrassing, maybe, but NOT A SECURITY HOLE.
Let's repeat that to get it perfectly clear: To the best of my ability
to tell, this is NOT A SECURITY HOLE IN PROFTPD. It's not even a
denial of service, since only the forked child crashes. It produces
disturbing warnings in proftpd's log, but nothing more harmful than
that.
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| dan@debian.org | | dmj+@andrew.cmu.edu |
\--------------------------------/ \--------------------------------/
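The two mechanisms described in the message above (the ftp client expanding "%999s" into a run of spaces before sending it, and a whitespace-only command leaving argv[0] NULL for the dispatcher) are illustrated below in an added, self-contained C example. This is not ProFTPD's code: make_cmd, dispatch_cmd, the 512-character truncation and the recognised commands are a hypothetical reconstruction of the behaviour the post describes, and the "crash" of the unchecked dispatcher is modelled as a sentinel return value rather than an actual NULL dereference so the program can be run and checked.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

#define MAX_ARGS 16
#define MAX_CMD 512   /* hypothetical limit, after the ~512-char discard the post mentions */

/* Result codes loosely modelled on FTP reply classes; DISPATCH_CRASH stands in
 * for the forked child faulting on a NULL argv[0]. */
enum dispatch_result { DISPATCH_CRASH = -1, DISPATCH_HANDLED = 200, DISPATCH_UNKNOWN = 500 };

struct cmd {
    int argc;
    char *argv[MAX_ARGS + 1];
    char buf[MAX_CMD + 1];
};

/* Client side: what an old ftp client did with "quote %999s". The quoted text went
 * through a printf-style expansion, so the server received 999 spaces, not the
 * literal string. Returns the number of characters produced. */
static int expand_quote_999s(char *out, size_t n) {
    return snprintf(out, n, "%999s", "");
}

/* Hypothetical tokenizer: split the line on whitespace into argv. For an
 * all-blank line argc stays 0 and argv[0] is NULL. */
static void make_cmd(struct cmd *c, const char *line) {
    memset(c, 0, sizeof *c);
    strncpy(c->buf, line, MAX_CMD);      /* discard anything beyond MAX_CMD */
    c->buf[MAX_CMD] = '\0';
    char *p = c->buf;
    while (*p && c->argc < MAX_ARGS) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        c->argv[c->argc++] = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if (*p) *p++ = '\0';
    }
    c->argv[c->argc] = NULL;
}

/* Unchecked dispatcher: the real code would pass argv[0] to a string compare and
 * the child would segfault. Here we return DISPATCH_CRASH at that point instead. */
static int dispatch_cmd_unchecked(const struct cmd *c) {
    if (c->argv[0] == NULL) return DISPATCH_CRASH;   /* the NULL dereference would be here */
    if (strcasecmp(c->argv[0], "USER") == 0 || strcasecmp(c->argv[0], "PASS") == 0 ||
        strcasecmp(c->argv[0], "QUIT") == 0)
        return DISPATCH_HANDLED;
    return DISPATCH_UNKNOWN;
}

/* Checked dispatcher: an empty command is answered with a 500 reply and the
 * child keeps serving, which is the whole fix for this bug class. */
static int dispatch_cmd(const struct cmd *c) {
    if (c->argc == 0 || c->argv[0] == NULL) {
        printf("500 Empty command not understood.\r\n");
        return DISPATCH_UNKNOWN;
    }
    return dispatch_cmd_unchecked(c);
}

/* Helpers exposing the results: parse a line and dispatch it both ways. */
static int run_line_checked(const char *line) {
    struct cmd c;
    make_cmd(&c, line);
    return dispatch_cmd(&c);
}

static int run_line_unchecked(const char *line) {
    struct cmd c;
    make_cmd(&c, line);
    return dispatch_cmd_unchecked(&c);
}

/* Reproduce the post's scenario end to end: client expands "%999s", server parses it. */
static int run_quote_999s(int checked) {
    char line[1024];
    expand_quote_999s(line, sizeof line);
    return checked ? run_line_checked(line) : run_line_unchecked(line);
}

int main(void) {
    printf("unchecked dispatcher on 'quote %%999s': %d\n", run_quote_999s(0));  /* -1: child would crash */
    printf("checked dispatcher on 'quote %%999s':   %d\n", run_quote_999s(1));  /* 500 */
    printf("checked dispatcher on 'USER ftp':      %d\n", run_line_checked("USER ftp"));  /* 200 */
    return 0;
}
```

The raw `nc` session in the message never triggers the bug because nothing expands the `%` sequence, so the server sees a non-blank token and replies `500 %999S not understood`; only a client that formats its own input turns it into the blank line that reaches the unchecked path.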