ProFTPD - Problems in file globbing, gives segmentation fault.

From: Mattias _ (surre1at_private)
Date: Wed Dec 19 2001 - 05:22:40 PST


    SUMMARY
    =======
    A problem in handling file globbing exists in the current version of ProFTPD
    1.2.4 (but it’s fixed in the Candidate version: 1.2.5rc1). This
    is very similar to the wu-ftpd bug (“ls ~{”) and occurs when you issue
    the command: ls /////////// (11 or more ‘/’). I haven’t figured out if
    it’s exploitable. That’s why I post it to you guys. :-)
    
    AFFECTED VERSIONS
    =================
    ProFTPD 1.2.4
    ProFTPD 1.2.2rc3
    (Others may be affected as well.)
    
    SYSTEMS
    =======
    This is tested on Slackware 8.
    
    IMPACT
    ======
    The ftpd-child dies with signal 11 (SEGV), but the server stays up.
    The question is if it’s possible to do something nasty with this!?
    
    DETAILS
    =======
    The Segmentation Fault occurs when the server tries to free
    unallocated memory with a free() function, and it could be a heap
    corruption vulnerability. The SEGV occurs in the file lib/glibc-glob.c,
    in the function void globfree (pglob).
    
    Here is how I tested it.
    Login as ftp(anonymous) and issue the command:
    ftp> ls ///////////
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    421 Service not available, remote server has closed connection
    ftp>
    
    And the debug messages read (proftpd -n -d 5):
    dispatching PRE_CMD command 'LIST ///////////' to mod_core
    dispatching CMD command 'LIST ///////////' to mod_ls
    active data connection opened - local : 127.0.0.1:20
    active data connection opened - remote : 127.0.0.1:1286
    in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
    ProFTPD terminating (signal 11)
    
    VENDOR RESPONSE
    ===============
    This problem has been reported to the ProFTPD Bug Tracking System. It has
    also been reported to securityat_private, where they asked me to wait
    with posting this until they release version 1.2.5rc1.
    
    SOLUTION
    ========
    Upgrade to version 1.2.5rc1.
    
    REFERENCES
    ==========
    ProFTPD (Get the latest version)
    http://www.proftpd.org
    
    ProFTPD Bug Tracking System (Where it was first reported):
    http://bugs.proftpd.org/show_bug.cgi?id=1426
    
    Information about the wu-ftpd problem:
    http://www.corest.com
    
    COMMENTS
    ========
    This is my first post to Bugtraq, be nice to me...
    
    Regards,
    Mattias
    
    surre1at_private
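
The debug output quoted in the message can be checked for this crash pattern. The following is an added example, not part of the original post or of ProFTPD: it scans `proftpd -n -d 5` style lines for a listing command whose argument contains 11 or more consecutive `/` and for a "terminating (signal N)" line following a dispatched command. The function name `scan`, the inclusion of NLST, and the benign `LIST /pub` sample line are assumptions made for illustration.

```python
import re

SLASHES = "/" * 11  # the post reports 11 or more '/'

# Debug lines in the format quoted in the post; the "LIST /pub" entry is
# constructed here as a benign contrast case.
SAMPLE_LOG = f"""\
dispatching PRE_CMD command 'LIST /pub' to mod_core
dispatching CMD command 'LIST /pub' to mod_ls
dispatching PRE_CMD command 'LIST {SLASHES}' to mod_core
dispatching CMD command 'LIST {SLASHES}' to mod_ls
active data connection opened - local : 127.0.0.1:20
active data connection opened - remote : 127.0.0.1:1286
in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
ProFTPD terminating (signal 11)
"""

CMD_RE = re.compile(r"dispatching CMD command '(\w+) ?(.*)' to \w+")
TERM_RE = re.compile(r"ProFTPD terminating \(signal (\d+)\)")
SLASH_RUN = re.compile(r"/{11,}")
# LIST is the command shown in the post; NLST is included as an assumption
# because it is the other FTP listing command.
LISTING_CMDS = {"LIST", "NLST"}


def scan(lines):
    """Return findings as tuples, in the order they appear in the log."""
    findings = []
    last_cmd = None  # (verb, argument) of the most recent dispatched command
    for lineno, line in enumerate(lines, 1):
        cmd = CMD_RE.search(line)
        if cmd:
            verb, arg = cmd.group(1), cmd.group(2)
            last_cmd = (verb, arg)
            if verb in LISTING_CMDS and SLASH_RUN.search(arg):
                findings.append(("slash-run", lineno, verb, arg))
            continue
        term = TERM_RE.search(line)
        if term and last_cmd:
            # Tie the child's death to the command it was handling.
            findings.append(("crash-after", lineno, int(term.group(1)), *last_cmd))
            last_cmd = None
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```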
    
    
    


