Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1

From: martin f krafft (madduckat_private)
Date: Fri Mar 29 2002 - 13:40:02 PST

    dear bugtraq'ers,
    
    i must confess that the information i provided wrt the acclaimed DoS
    exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
    not fully accurate. the package *does in fact contain a buggy daemon*
    despite having been fixed, according to the changelog:
    
      proftpd (1.2.0pre10-2.0potato1) stable; urgency=high
    
        * Non-Maintainer upload.
    --->* Applied patch against string format buffer attack.
      [...]
    
    here's the result of my research:
    
    the ftproot, against which i tested the daemon when i replied to the
    original bugtraq post, was way too small to cause the server to break
    a sweat on the recursion attack
    
      ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
    
    i now tested the daemon against a new ftproot, 20Gb in size with
    a total of 6588 directories, and it does in fact appear to hang,
    consuming memory in excess of 100Mb, and loitering the processor
    queue.
    
    nevertheless, the proftpd parent process happily served another 99
    sessions at no noticeable speed degradation. and, after 23 minutes,
    the berserk proftpd process returned and surrendered the resources
    (the ftp session had timed out after 5 minutes already).
    
    the suggested temporary fix is to add the option
    
      DenyFilter \*.*/
    
    to /etc/proftpd.conf. however, despite common belief, Debian's
    proftpd package 1.2.0pre10-2.0potato1 *does not* contain this option
    and is thus vulnerable to the extent that this is a severe
    vulnerability.
    
    i don't think it's necessary to discuss this; the daemon as packaged
    by debian is buggy and that has to be fixed. but i hope i was able to
    give you some more information on the extent of the exploit. i will
    do my best to push a fixed package into the APT archive at
    security.debian.org as soon as possible.
    
    regards,
    
    -- 
    martin;              (greetings from the heart of the sun.)
      \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
      
    "with sufficient thrust, pigs fly just fine. however, this is not
     necessarily a good idea. it is hard to be sure where they are going to
     land, and it could be dangerous sitting under them as they fly
     overhead."
                                                               -- rfc 1925
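As an added illustration (not part of the post above or of ProFTPD itself), this Python snippet models the two points martin raises: how the suggested `DenyFilter \*.*/` regex screens FTP command arguments, and why the cost of the quoted glob multiplies with every `*/..` repetition. The in-memory ftproot and the sample command arguments are constructed for the example.

```python
import re

# ProFTPD applies DenyFilter as a regular expression to the argument of
# each command and refuses the command when it matches. This is the
# filter suggested in the post: a literal '*' followed later by a '/'.
DENY_FILTER = re.compile(r"\*.*/")

def is_denied(argument: str) -> bool:
    """Return True if DenyFilter \\*.*/ would reject this command argument."""
    return DENY_FILTER.search(argument) is not None

def glob_candidates(tree: dict, pattern: str) -> int:
    """Count the paths a naive glob must visit for PATTERN over TREE.

    TREE is a nested dict {name: subtree} standing in for an ftproot.
    '*' fans out to every entry of the current directory and '..' steps
    back to the parent, so each '*/..' repetition multiplies the number
    of candidate paths by the directory count: the blow-up described above.
    """
    frontier = [[tree]]            # each entry is a stack of visited dirs
    for component in pattern.split("/"):
        if component == "":
            continue
        nxt = []
        for stack in frontier:
            cur = stack[-1]
            if component == "..":
                nxt.append(stack[:-1] if len(stack) > 1 else stack)
            elif component == "*":
                nxt.extend(stack + [child] for child in cur.values())
            elif component in cur:
                nxt.append(stack + [cur[component]])
        frontier = nxt
    return len(frontier)

# Constructed ftproot with three top-level directories (not the 6588-dir
# tree from the post): three '*' components already yield 3**3 paths.
TREE = {"bin": {}, "etc": {}, "pub": {}}

# Constructed command arguments with the verdict the filter gives them.
# Note the caveat on the last one: a harmless directory glob such as
# 'pub/*/' is also blocked, which is the price of this coarse regex.
SAMPLE_ARGS = [
    ("pub/", False),
    ("*.tar.gz", False),
    ("*/../*/../*", True),   # the recursion pattern quoted in the post
    ("pub/*/", True),        # legitimate, but denied as collateral
]

if __name__ == "__main__":
    for arg, _ in SAMPLE_ARGS:
        print(f"{arg!r:20} denied={is_denied(arg)}")
    print("candidates for */../*/../* :", glob_candidates(TREE, "*/../*/../*"))
```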
    