Bugtraq mailing list archives
bizarre ftp stuff...
From: tfs () vampire science gmu edu (Tim Scanlon)
Date: Thu, 3 Nov 1994 17:53:57 -0500 (EST)
I just discovered (out of curiosity) some rather bizarre behavior out of ftp that could at a minimum end up serving to create an ugly denial of service attack...

Basically, I was curious to see what the hell would happen if I telneted to the ftp port & mucked around with the connection. Found some interesting things too. First thing I found out is that I could sit there and make my connection display bizarre stuff, as the ftpd displays command state stuff even before it does anything with user or pass, and does stuff with chuid & (potentially) with chroot. This sort of thing is possible:

    root 497 0.0 1.6 1.62M 328K ? S 0:00 -fusion: connected: `fuckin strange` (ftpd)

It'll display command names etc. etc. But, it gets better...

I logged in, by using "user" & "pass" with non-breaking spaces to feed the right stuff to the daemon, breaking spaces are interpreted as separate lines, so you get "user not understood" junk if you don't use them. After that the interesting stuff started...

I found naturally I couldn't do a "list" because it couldn't form a data connection, normal enough there... Then I set PASV mode, and it got interesting. Once I did that, I tried to do a "list" and things just sort of hung... So, I escaped from my telnet, killed the connection & figured "hmm oh well, that was non-substantive".

This is when I got a surprise though... I then ran a ps, and came up with this:

    tfs 497 0.0 1.9 1.55M 392K ? S 0:00 -fusion: tfs: list (ftpd)
    tfs 575 0.0 0.9 800K 184K ? S 0:00 /bin/ls -lgA on: tfs: list

They seem to linger at least as long as it takes for the tcp connection to close off... That can take a while...

Obviously, it'd be damn easy to script out something to take advantage of this behavior & rapidly spawn 80 bazillion processes that'd just hang there. Not only that, but you'd get 2 for the price of 1 to boot. This is bizarre enough to where I'm rather glad I have ftp wrapped.

In reality, it doesn't seem like a huge problem, but on the other hand, it seems to be enough of a potential problem to set me wondering if any other bizarre stuff is lurking in ftpd.

Tim
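A defender-side check for the lingering ftpd and /bin/ls pairs described in the message above, as an added example that is not part of the original post. It assumes a ps that supports `ps -eo pid,ppid,user,etimes,args` (Linux procps) and the process-title shape shown in the post; the sample listing, the age threshold and the per-user limit are constructed for illustration.

```python
import re
from collections import Counter

# Process-title shape seen in the post's ps output: -<host>: <user>: <command> (ftpd)
FTPD_TITLE = re.compile(r"^-(?P<host>[^:]+): (?P<user>[^:]+): (?P<cmd>.*) \(ftpd\)$")
DATA_CMDS = {"list", "nlst", "retr", "stor"}  # commands that need a data connection

# Constructed sample in the column order of `ps -eo pid,ppid,user,etimes,args`
SAMPLE = """\
  PID  PPID USER     ELAPSED COMMAND
  497    88 tfs          900 -fusion: tfs: list (ftpd)
  575   497 tfs          898 /bin/ls -lgA
  601    88 tfs          850 -fusion: tfs: list (ftpd)
  602   601 tfs          849 /bin/ls -lgA
  640    88 tfs          700 -fusion: tfs: list (ftpd)
  641   640 tfs          699 /bin/ls -lgA
  700    88 alice         15 -fusion: alice: retr notes.txt (ftpd)
  710    88 root           5 -fusion: connected: user (ftpd)
"""

def parse_ps(text):
    """Turn ps output (header skipped) into dicts; args keeps its spaces."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        pid, ppid, user, age, args = line.split(None, 4)
        procs.append({"pid": int(pid), "ppid": int(ppid), "user": user,
                      "age": int(age), "args": args})
    return procs

def stuck_sessions(procs, max_age=120):
    """ftpd sessions sitting in a data command longer than max_age seconds.
    Returns (pid, user, command, age, number of /bin/ls children)."""
    ls_children = Counter(p["ppid"] for p in procs if p["args"].startswith("/bin/ls"))
    hits = []
    for p in procs:
        m = FTPD_TITLE.match(p["args"])
        words = m["cmd"].split() if m else []
        if words and words[0].lower() in DATA_CMDS and p["age"] > max_age:
            hits.append((p["pid"], m["user"], words[0].lower(), p["age"], ls_children[p["pid"]]))
    return hits

def flag_users(hits, limit=3):
    """Users holding at least `limit` stuck sessions (hypothetical threshold)."""
    per_user = Counter(user for _pid, user, *_rest in hits)
    return sorted(u for u, n in per_user.items() if n >= limit)

if __name__ == "__main__":
    hits = stuck_sessions(parse_ps(SAMPLE))
    for hit in hits:
        print("stuck ftpd pid=%d user=%s cmd=%s age=%ds ls_children=%d" % hit)
    print("over limit:", flag_users(hits))
```

Process titles alone cannot show that the client side has gone away, so treat a hit as a prompt to check the matching TCP connection state rather than as proof of abuse.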