[18283] in bugtraq
Re: ProFTPD 1.2.0 Memory leakage - denial of service
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Thu Dec 21 14:24:44 2000
Message-ID:  <Pine.LNX.4.30.0012211725510.15053-100000@dione.ids.pl>
Date:         Thu, 21 Dec 2000 17:29:43 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To:         Piotr Zurawski <szur@IX.RENET.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20001220163854.A15670@ix.renet.pl>
On Wed, 20 Dec 2000, Piotr Zurawski wrote:
> This is sample code to demonstrate the effects of a memory leak in the ProFTPD
> daemon. As far as I know, all versions available to date
> (19.12.2000) are vulnerable to this.
Heheh....
        for(loop=0;loop<HOWMANY;loop++)
        {
                sprintf(snd, "SIZE /dadasjasojdasj/adhjaodhahasohasaoihroaha");
                write(fd, snd, strlen(snd));
        }
You are not sending newline characters at the end of each line. In fact,
you are sending a really huge one-line command (this line will be broken
into separate lines on the other side, but only the first line will start
with the "SIZE ..." command in most cases).
Btw., you might want to test such code against other services; IIRC some
services are vulnerable to a very-long-input-line DoS (by memory exhaustion)
as long as they do not implement reasonable timeouts and limits.
--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
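The reply makes two points: the posted loop never terminates its commands, so the peer sees one enormous line rather than HOWMANY "SIZE" commands, and a service that buffers an input line without a length limit can be driven into memory exhaustion. The following C program is an added illustration of both points, not code from the post or from ProFTPD. It implements a command-line reader with a fixed per-line limit (MAX_LINE, a constructed value) that discards an over-long line instead of growing a buffer, then runs it over three constructed byte streams: the post's loop as written (no terminators), the same commands each terminated with CRLF, and one oversized line wedged between two valid commands. HOWMANY, CMD and the scenario functions are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-line limit for the reader (constructed, not ProFTPD's). */
#define MAX_LINE 512
/* Assumed repeat count for the constructed streams (the post's HOWMANY). */
#define HOWMANY 100

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_INCOMPLETE };

/* Pull the next LF- or CRLF-terminated line out of in[0..inlen) starting at
   *pos into out (capacity outsz). Never accumulates more than outsz-1 bytes:
   an over-long line is skipped up to its terminator and reported, so a peer
   that never sends a newline cannot make the reader grow without bound. */
static enum line_status next_line(const char *in, size_t inlen, size_t *pos,
                                  char *out, size_t outsz)
{
    size_t start = *pos, n = 0;

    while (start + n < inlen) {
        if (in[start + n] == '\n') {
            size_t copy = n;
            if (copy > 0 && in[start + copy - 1] == '\r')
                copy--;                       /* strip the CR of a CRLF pair */
            memcpy(out, in + start, copy);
            out[copy] = '\0';
            *pos = start + n + 1;
            return LINE_OK;
        }
        if (++n >= outsz) {
            /* Limit hit: drop the rest of this line and resume after it. */
            while (start + n < inlen && in[start + n] != '\n')
                n++;
            if (start + n < inlen)
                n++;                          /* consume the newline */
            *pos = start + n;
            out[0] = '\0';
            return LINE_TOO_LONG;
        }
    }
    return LINE_INCOMPLETE;   /* no terminator yet; *pos is left unchanged */
}

struct scan_result { int commands; int too_long; };

/* Run the bounded reader over a whole stream, counting well-formed SIZE
   commands and lines rejected for exceeding MAX_LINE. */
static struct scan_result scan(const char *stream, size_t len)
{
    char line[MAX_LINE];
    size_t pos = 0;
    struct scan_result r = { 0, 0 };

    for (;;) {
        enum line_status st = next_line(stream, len, &pos, line, sizeof line);
        if (st == LINE_INCOMPLETE)
            break;
        if (st == LINE_TOO_LONG) { r.too_long++; continue; }
        if (strncmp(line, "SIZE ", 5) == 0)
            r.commands++;
    }
    return r;
}

/* Constructed stream: n copies of cmd, each followed by term ("" or "\r\n"). */
static struct scan_result repeat_and_scan(const char *cmd, const char *term, int n)
{
    size_t clen = strlen(cmd), tlen = strlen(term);
    char *buf = malloc((clen + tlen) * (size_t)n + 1), *p = buf;
    struct scan_result r = { -1, -1 };
    int i;

    if (!buf)
        return r;
    for (i = 0; i < n; i++) {
        memcpy(p, cmd, clen); p += clen;
        memcpy(p, term, tlen); p += tlen;
    }
    r = scan(buf, (size_t)(p - buf));
    free(buf);
    return r;
}

#define CMD "SIZE /dadasjasojdasj/adhjaodhahasohasaoihroaha"

/* The post's loop as written: no terminators, so one enormous "line". */
struct scan_result scenario_no_newlines(void) { return repeat_and_scan(CMD, "", HOWMANY); }
/* The same commands sent properly, one per CRLF-terminated line. */
struct scan_result scenario_with_crlf(void)   { return repeat_and_scan(CMD, "\r\n", HOWMANY); }

/* One oversized line between two valid commands: it is dropped and the
   reader resynchronises on the next line. */
struct scan_result scenario_oversized_middle(void)
{
    char buf[MAX_LINE * 2 + 64];
    size_t len = 0;
    memcpy(buf + len, "SIZE /a\r\n", 9);    len += 9;
    memset(buf + len, 'x', MAX_LINE + 100); len += MAX_LINE + 100;
    memcpy(buf + len, "\r\n", 2);           len += 2;
    memcpy(buf + len, "SIZE /b\r\n", 9);    len += 9;
    return scan(buf, len);
}

int main(void)
{
    struct scan_result a = scenario_no_newlines();
    struct scan_result b = scenario_with_crlf();
    struct scan_result c = scenario_oversized_middle();
    printf("no newlines:      %d commands, %d over-long\n", a.commands, a.too_long);
    printf("CRLF terminated:  %d commands, %d over-long\n", b.commands, b.too_long);
    printf("oversized middle: %d commands, %d over-long\n", c.commands, c.too_long);
    return 0;
}
```

With the post's loop the bounded reader reports a single over-long line and zero SIZE commands, which is the reply's first point: without terminators the peer never sees HOWMANY separate commands. With CRLF terminators it sees all HOWMANY. The third scenario shows the limit doing its job as a mitigation: the oversized line costs a fixed MAX_LINE buffer, is discarded, and parsing continues with the next command. A real daemon would pair this with an idle timeout so that a client holding an unterminated line open cannot tie up the connection indefinitely.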