8203219 2002-03-26 07:14 +1100 /15 lines/ Joe Dollard <joed@devel.livenote.com>
Sent by: joel@lysator.liu.se
Imported: 2002-03-27 00:33 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21596>
Subject: DoS in debian (potato) proftpd
------------------------------------------------------------
From: Joe Dollard <joed@devel.livenote.com>
To: bugtraq@securityfocus.com
Message-ID: <20020326071431.A17363@devel.livenote.com>

Hi guys,

The version of proftp that is in debian potato (1.2.0pre10 as reported by running 'proftpd -v ') is vulnerable to a glob DoS attack, as discovered on the 15th March 2001. You can verify this bug by logging in to a server running debian stable's proftpd and type "ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*". This results with 100% of the CPU and memory resources being consumed (more info at http://proftpd.linux.co.uk/critbugs.html).

A temporary workaround for this issue is to add DenyFilter \*.*/ into your proftp configuration file.

I notified security@debian.org on the 12th of February (2002) about this problem and a discussion was entered into but no resolution occurred. I contacted security@debian.org again on the 21st of February and didn't receive a reply. After posting to vuln-dev@securityfocus.com on the 1st of March, I was told on the 7th of March that the package maintainer was working on a fix. Now, over a year after the bug has been discovered, and over 5 weeks since I first contacted debian about it, no fix is in place in debian potato. Hopefully posting here will speed things up a bit.

Regards,
Joe Dollard
(8203219) /Joe Dollard <joed@devel.livenote.com>/(Rewrapped)

8209116 2002-03-27 00:37 +0100 /56 lines/ martin f krafft <madduck@madduck.net>
Sent by: joel@lysator.liu.se
Imported: 2002-03-27 23:55 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: debian security <debian-security@lists.debian.org>
Recipient: Bugtraq (import) <21609>
Comment to text 8203219 by Joe Dollard <joed@devel.livenote.com>
Subject: Re: DoS in debian (potato) proftpd
------------------------------------------------------------
From: martin f krafft <madduck@madduck.net>
To: bugtraq@securityfocus.com
Cc: debian security <debian-security@lists.debian.org>
Message-ID: <20020326233758.GA26028@fishbowl.madduck.net>

also sprach Joe Dollard <joed@devel.livenote.com> [2002.03.25.2114 +0100]:
> The version of proftp that is in debian potato (1.2.0pre10 as
> reported by running 'proftpd -v ') is vulnerable to a glob DoS
> attack, as discovered on the 15th March 2001. You can verify this
> bug by logging in to a server running debian stable's proftpd and
> type "ls
> */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*".
> This results with 100% of the CPU and memory resources being
> consumed (more info at http://proftpd.linux.co.uk/critbugs.html),

(please fix your line wraps!)

security.debian.org has proftpd_1.2.0pre10-2.0potato1 which does not contain this bug, at least not on i386 systems:

  fishbowl:~> ncftp lapse.home.madduck.net
  NcFTP 3.1.2 (Jan 28, 2002) by Mike Gleason (ncftp@ncftp.com).
  Connecting to 192.168.14.3
  ProFTPD 1.2.0pre10 Server (Debian) [lapse.home.madduck.net]
  Logging in...
  Anonymous access granted, restrictions apply.
  Logged in to localhost.
  ncftp / > ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
  lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/.././fw1-4.1-sp3@
  lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../../fw1-4.1-sp3@
  lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../fw1-4.1-sp3@
  lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/.././fw1-4.1-sp4@
  lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../../fw1-4.1-sp4@
  lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../fw1-4.1-sp4@
  lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/.././fw1-4.1-sp5@
  lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../../fw1-4.1-sp5@
  lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../lics/../fw1-4.1-sp5@
  <and on for another screen full>

  fishbowl:~> ssh lapse 'cat /etc/debian_version; uname -a'
  2.2r5
  Linux lapse 2.2.20 #1 Tue Feb 12 14:22:30 CET 2002 i486

regards,

--
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

"i'm always frank and earnest with women.
 uh, in new york i'm frank,
 and in chicago i'm ernest."
                                -- the long kiss goodnight
(8209116) /martin f krafft <madduck@madduck.net>/---
Attachment (application/pgp-signature) in text 8209117

8209117 2002-03-27 00:37 +0100 /10 lines/ martin f krafft <madduck@madduck.net>
Imported: 2002-03-27 23:55 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: debian security <debian-security@lists.debian.org>
Recipient: Bugtraq (import) <21610>
Attachment (text/plain) to text 8209116
Subject: Attachment to: Re: DoS in debian (potato) proftpd
------------------------------------------------------------
(8209117) /martin f krafft <madduck@madduck.net>/---
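
Added example (not part of either message, and not ProFTPD code): a small triage of FTP command arguments that applies the DenyFilter regex quoted in the first message and estimates how far a wildcard pattern can fan out. It assumes the filter is searched unanchored against the command argument; the function names, names_per_dir, budget and the sample commands are constructed for illustration.

```python
import re

# Workaround regex quoted in the first message: DenyFilter \*.*/
DENY_FILTER = re.compile(r"\*.*/")
GLOB_CHARS = re.compile(r"[*?\[]")


def wildcard_components(arg):
    """Number of path components that contain a glob metacharacter."""
    return sum(1 for part in arg.split("/") if GLOB_CHARS.search(part))


def expansion_bound(arg, names_per_dir):
    """Rough upper bound on candidate paths when every wildcard component
    is expanded independently (assumption: each matches names_per_dir names)."""
    return names_per_dir ** wildcard_components(arg)


def triage(command, names_per_dir=20, budget=10_000):
    """Report whether the filter would reject the command and whether its
    expansion bound exceeds the budget if it were let through."""
    _verb, _, arg = command.partition(" ")
    bound = expansion_bound(arg, names_per_dir)
    return {
        "denied": DENY_FILTER.search(arg) is not None,
        "bound": bound,
        "over_budget": bound > budget,
    }


# Constructed sample commands; the last one has the shape of the pattern
# quoted in the report (wildcard components joined by "/../").
SAMPLES = [
    "LIST *.txt",
    "LIST pub/*",
    "NLST */README",
    "LIST " + "/../".join(["*"] * 13),
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd[:40], triage(cmd))
```

The third sample shows the cost of the workaround: the filter rejects any argument with a "*" followed later by a "/", including a harmless single-level glob.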