7698118 2001-12-19 14:22 +0100  /86 lines/ Mattias _ <surre1@hotmail.com>
Sent by: joel@lysator.liu.se
Imported: 2001-12-19  17:40  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20208>
Subject: ProFTPD - Problems in file globbing, gives segmentation fault.
------------------------------------------------------------
From: "Mattias _" <surre1@hotmail.com>
To: bugtraq@securityfocus.com
Message-ID: <F123FJMf8Tm3v640Za0000006ea@hotmail.com>

SUMMARY
=======
A problem in handling file globbing exists in the current version of ProFTPD
1.2.4 (but it’s fixed in the Candidate version: 1.2.5rc1). This
is very similar to the wu-ftpd bug (“ls ~{”) and occurs when you issue
the command: ls /////////// (11 or more ‘/’). I haven’t figured out if
it’s exploitable. That’s why I post it to you guys. :-)

AFFECTED VERSIONS
=================
ProFTPD 1.2.4
ProFTPD 1.2.2rc3
(Others may be affected as well.)

SYSTEMS
=======
This is tested on Slackware 8.

IMPACT
======
The ftpd-child dies with signal 11 (SEGV), but the server stays up.
The question is if it’s possible to do something nasty with this!?

DETAILS
=======
The Segmentation Fault occurs when the server tries to free
unallocated memory with free(), and it could be a heap
corruption vulnerability. The SEGV occurs in the file lib/glibc-glob.c,
in the function void globfree (pglob).

Here is how I tested it.
Login as ftp(anonymous) and issue the command:
ftp> ls ///////////
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
421 Service not available, remote server has closed connection
ftp>

And the debug messages read (proftpd -n -d 5):
dispatching PRE_CMD command 'LIST ///////////' to mod_core
dispatching CMD command 'LIST ///////////' to mod_ls
active data connection opened - local : 127.0.0.1:20
active data connection opened - remote : 127.0.0.1:1286
in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
ProFTPD terminating (signal 11)

VENDOR RESPONSE
===============
This problem has been reported to the ProFTPD Bug Tracking System. It has
also been reported to security@proftpd.org, where they asked me to hold off
posting this until they released version 1.2.5rc1.

SOLUTION
========
Upgrade to version 1.2.5rc1.

REFERENCES
==========
ProFTPD (Get the latest version)
http://www.proftpd.org

ProFTPD Bug Tracking System (Where it was first reported):
http://bugs.proftpd.org/show_bug.cgi?id=1426

Information about the wu-ftpd problem:
http://www.corest.com

COMMENTS
========
This is my first post to Bugtraq, be nice to me...

Regards,
Mattias

surre1@hotmail.com


(7698118) /Mattias _ <surre1@hotmail.com>/----------
Comment in text 7699079 by Edsel Adap <edsel@adap.org>
Comment in text 7700549 by Markus Kovero <amdk62@saunalahti.fi>
Comment in text 7700634 by Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Comment in text 7706259 by Moritz Grimm <gtgbr@gmx.net>
7699079 2001-12-19 11:25 -0500  /25 lines/ Edsel Adap <edsel@adap.org>
Sent by: joel@lysator.liu.se
Imported: 2001-12-19  20:42  by Brevbäraren
External recipient: Mattias _ <surre1@hotmail.com>
External cc recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20211>
Comment on text 7698118 by Mattias _ <surre1@hotmail.com>
Subject: Re: ProFTPD - Problems in file globbing, gives segmentation fault.
------------------------------------------------------------
From: Edsel Adap <edsel@adap.org>
To: Mattias _ <surre1@hotmail.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20011219112559.D7038@adap.org>

On Wed, Dec 19, 2001 at 02:22:40PM +0100, Mattias _ wrote:
> 1.2.4 (but it’s fixed in the Candidate version: 1.2.5rc1). This
> is very similar to the wu-ftpd bug (“ls ~{”) and occurs when you issue
> the command: ls /////////// (11 or more ‘/’). I haven’t figured out if
> it’s exploitable. That’s why I post it to you guys. :-)
> 
> AFFECTED VERSIONS
> =================
> ProFTPD 1.2.4
> ProFTPD 1.2.2rc3
> (Others may be affected as well.)
> 
> SYSTEMS
> =======
> This is tested on Slackware 8.

I tested this on Debian 2.2 with proftpd 1.2.0pre10 and it doesn't
seem to be vulnerable.
(7699079) /Edsel Adap <edsel@adap.org>/---(Rewrapped)
Comment in text 7700448 by Rink Springer <rink@rink.nu>
7700448 2001-12-19 18:50 +0100  /34 lines/ Rink Springer <rink@rink.nu>
Sent by: joel@lysator.liu.se
Imported: 2001-12-20  00:22  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20217>
Comment on text 7699079 by Edsel Adap <edsel@adap.org>
Subject: Re: ProFTPD - Problems in file globbing, gives segmentation fault.
------------------------------------------------------------
From: "Rink Springer" <rink@rink.nu>
To: <bugtraq@securityfocus.com>
Message-ID: <000d01c188b5$a8078dd0$0400000a@aurum>

ProFTPd 1.2.4 on FreeBSD 4.4-RELEASE gives this in /var/log/messages:

----
Dec 19 17:49:16 thallium proftpd
Dec 19 17:49:16 thallium in free():
Dec 19 17:49:16 thallium warning:
Dec 19 17:49:16 thallium junk pointer, too high to make sense.
----

Repeated a dozen times... the FTP daemon does not crash, however.

--Rink

> On Wed, Dec 19, 2001 at 02:22:40PM +0100, Mattias _ wrote:
> > 1.2.4 (but it's fixed in the Candidate version: 1.2.5rc1). This
> > is very similar to the wu-ftpd bug ("ls ~{") and occurs when you issue
> > the command: ls /////////// (11 or more '/'). I haven't figured out if
> > it's exploitable. That's why I post it to you guys. :-)
> > 
> > AFFECTED VERSIONS
> > =================
> > ProFTPD 1.2.4
> > ProFTPD 1.2.2rc3
> > (Others may be affected as well.)
> > 
> > SYSTEMS
> > =======
> > This is tested on Slackware 8.
(7700448) /Rink Springer <rink@rink.nu>/------------
7700549 2001-12-19 19:45 +0200  /36 lines/ Markus Kovero <amdk62@saunalahti.fi>
Sent by: joel@lysator.liu.se
Imported: 2001-12-20  00:47  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20219>
Comment on text 7698118 by Mattias _ <surre1@hotmail.com>
Subject: Re: ProFTPD - Problems in file globbing, gives segmentation fault.
------------------------------------------------------------
From: "Markus Kovero" <amdk62@saunalahti.fi>
To: <bugtraq@securityfocus.com>
Message-ID: <006d01c188b4$e49b5340$0100a8c0@genesis>


> SUMMARY
> =======
> A problem in handling file globbing exists in the current version of ProFTPD
> 1.2.4 (but it's fixed in the Candidate version: 1.2.5rc1). This
> is very similar to the wu-ftpd bug ("ls ~{") and occurs when you issue
> the command: ls /////////// (11 or more '/'). I haven't figured out if
> it's exploitable. That's why I post it to you guys. :-)
> ....
Connected to localhost.
220 ProFTPD 1.2.4 Server (Debian) [XXXX]
Name (localhost:muikku):
331 Password required for muikku.
Password:
230 User muikku logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ///////////
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
421 Service not available, remote server has closed connection

Dec 19 19:43:51 nl proftpd[5774]: XXXX (localhost[127.0.0.1]) -
ProFTPD terminating (signal 11)

nice :o
(7700549) /Markus Kovero <amdk62@saunalahti.fi>/(Rewrapped)
7700634 2001-12-19 20:47 +0100  /18 lines/ Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Sent by: joel@lysator.liu.se
Imported: 2001-12-20  01:17  by Brevbäraren
External recipient: Mattias _ <surre1@hotmail.com>
External cc recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20220>
Comment on text 7698118 by Mattias _ <surre1@hotmail.com>
Subject: Re: ProFTPD - Problems in file globbing, gives segmentation fault.
------------------------------------------------------------
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To: "Mattias _" <surre1@hotmail.com>
Cc: bugtraq@securityfocus.com
Message-ID: <200112191947.fBJJlAk16519@mailhost.freebsd.lublin.pl>

On Wednesday 19 December 2001 14:22, you wrote:
> The ftpd-child dies with signal 11 (SEGV), but the server stays up.
> The question is if it’s possible to do something nasty with this!?

I've played about 2 hours with it. Looks like there is no way to
modify the pointer passed to free(); it always points to the beginning of
the 'Out of memory' string.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
(7700634) /Przemyslaw Frasunek <venglin@freebsd.lublin.pl>/(Rewrapped)
7706259 2001-12-20 03:36 +0100  /88 lines/ Moritz Grimm <gtgbr@gmx.net>
Sent by: joel@lysator.liu.se
Imported: 2001-12-21  02:46  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20240>
Comment on text 7698118 by Mattias _ <surre1@hotmail.com>
Subject: Re: ProFTPD - Problems in file globbing, gives segmentation fault.
------------------------------------------------------------
From: Moritz Grimm <gtgbr@gmx.net>
To: bugtraq@securityfocus.com
Message-ID: <3C214EB3.920FBA4B@gmx.net>

Mattias _ wrote:
> AFFECTED VERSIONS
> =================
> ProFTPD 1.2.4
> ProFTPD 1.2.2rc3
> (Others may be affected as well.)
> 
> SYSTEMS
> =======
> This is tested on Slackware 8.
> 
> IMPACT
> ======
> The ftpd-child dies with signal 11 (SEGV), but the server stays up.
> The question is if it’s possible to do something nasty with this!?

I'm running ProFTPD 1.2.2 under OpenBSD 2.8.

The following happened when I tried it locally:

<snip>
Connected to localhost.
220 FTP Server ready.
Name (localhost:maxx): 
331 Password required for maxx.
Password:
230 User maxx logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ////////////////////////////
500 EPSV not understood.
227 Entering Passive Mode (127,0,0,1,134,172).
150 Opening ASCII mode data connection for file list

^C
receive aborted
waiting for remote to finish abort.
421 Service not available, remote server has closed connection.
</snip>

The logs show the following many times:

Dec 20 01:27:13 phoenix proftpd in free(): warning: modified (chunk-)
pointer.
Dec 20 01:27:13 phoenix proftpd in free(): warning: junk pointer, too
high to make sense.
Dec 20 01:27:13 phoenix proftpd in free(): warning: junk pointer, too
low to make sense.

Neither the server nor the child died. After getting disconnected, the
child process was still there and I had to kill -9 it. While it was
running, the computer showed symptoms of 100% CPU usage. Everything
became pretty slow, but not unusable (no real DoS). After killing the
child, everything went back to normal.

I wasn't able to remotely reproduce this behavior. Here's what
happened when using the Win2000 command line ftp from another box:

<snip>
230 Anonymous access granted, restrictions apply.
ftp> ls ////////////////////////////
200 PORT command successful.
150 Opening BINARY mode data connection for file list.
/////////////////////////////uploads
/////////////////////////////welcome.msg
/////////////////////////////pub
/////////////////////////////tmp
226 Transfer complete.
FTP: 148 Bytes empfangen in 0,07Sekunden 2,11KB/s
</snip>

This time, nothing weird happened.

I hope this is of some use to you.


Moritz

-- 
_______________________________________________________________________
"They who would give up an essential liberty for temporary security,
deserve neither liberty or security" - Benjamin Franklin
(7706259) /Moritz Grimm <gtgbr@gmx.net>/--(Rewrapped)
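The posts above show two log signatures of the same globbing bug: the "ProFTPD terminating (signal 11)" line on Linux (Mattias, Markus) and the malloc "in free(): warning: ..." lines on FreeBSD and OpenBSD (Rink, Moritz). The following is an added detection example, not code from the thread or from the ProFTPD project; it scans constructed syslog lines modelled on those posts and counts both indicators per host.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the messages quoted in this
# thread (Linux "signal 11" termination and BSD malloc "in free()" warnings).
SAMPLE_LOG = """\
Dec 19 17:49:16 thallium proftpd in free(): warning: junk pointer, too high to make sense.
Dec 19 17:49:16 thallium proftpd in free(): warning: junk pointer, too high to make sense.
Dec 19 19:43:51 nl proftpd[5774]: XXXX (localhost[127.0.0.1]) - ProFTPD terminating (signal 11)
Dec 20 01:27:13 phoenix proftpd in free(): warning: modified (chunk-) pointer.
Dec 20 01:27:13 phoenix proftpd in free(): warning: junk pointer, too low to make sense.
Dec 20 01:27:14 phoenix sshd[123]: Accepted publickey for maxx from 10.0.0.5
"""

# Classic syslog prefix: month day time host program[pid]: message
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (\S+) (proftpd)(?:\[\d+\])?:? (.*)$")
SEGV_RE = re.compile(r"ProFTPD terminating \(signal 11\)")
FREE_RE = re.compile(r"in free\(\): warning: (.+?)\.?$")


def classify_line(line):
    """Return (host, indicator) for a ProFTPD line of interest, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None            # not a proftpd line at all
    host, _, msg = m.groups()
    if SEGV_RE.search(msg):
        return host, "child_segv"
    f = FREE_RE.search(msg)
    if f:
        return host, "free_warning:" + f.group(1)
    return None


def scan_log(text):
    """Count (host, indicator) pairs; both kinds point at the same glob bug."""
    counts = Counter()
    for line in text.splitlines():
        hit = classify_line(line)
        if hit:
            counts[hit] += 1
    return counts


def suspicious_hosts(counts, min_hits=1):
    """Hosts with at least min_hits of any indicator, for follow-up."""
    return sorted({host for (host, _), n in counts.items() if n >= min_hits})


if __name__ == "__main__":
    for (host, ind), n in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{host:10} {n:3}  {ind}")
```

A host that shows either indicator while still running 1.2.4 or 1.2.2rc3 is the one to upgrade to 1.2.5rc1 first, as the original post recommends.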