Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1

[Daniel Jacobowitz <drow () FALSE ORG>]

On Tue, Jul 25, 2000 at 04:11:16PM -0300, Carlos Eduardo Gorges wrote:
> Hi all,
>
> I found several bugs in all the versions of proftp ( tested in proftp
> 1.2.0pre6, proftp 1.2.0pre10 and proftp 1.2.0rc1 ).
>
> All involve parse of characters
> for example,
> connects in a proftpd host and
>
> ftp> quote %999s
>
> voyala !
> the children stops in segfail : -)

<sigh>

<irony> First, I'd like to thank you for doing the respectable and
social thing and notifying the vendors and author before posting to
BUGTRAQ</irony>.  Remember when people had common decency and did that,
allowing us to get fixes deployed before people had a chance to panic?


We've been through this before.  That is not quite as simple as it
appears.   Witness (server text indented for clarity):

drow:~% nc -v 0 21
 0: inverse host lookup failed: Unknown host
 (UNKNOWN) [0.0.0.0] 21 (ftp) open
 220 ProFTPD 1.2.0pre9 Server (ProFTPD) [hostname]
USER ftp
 331 Anonymous login ok, send your complete e-mail address as password.
PASS dan@
 230-Welcome, archive user ftp@hostname !
 230-
 230-The local time is: Tue Jul 25 15:19:50 2000
 230-
 230-This is an experimental FTP server.  If have any unusual problems,
 230-please report them via e-mail to <root@hostname>.
 230-
 230 Anonymous access granted, restrictions apply.
%999s
 500 %999S not understood.

Vs:
drow@quaketop:~% socksify ftp hostname
Connected to hostname.
220 ProFTPD 1.2.0pre9 Server (ProFTPD) [hostname]
Name (hostname:drow): ftp
331 Anonymous login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user ftp@hostname !
230-
230-The local time is: Tue Jul 25 15:23:07 2000
230-
230-This is an experimental FTP server.  If have any unusual problems,
230-please report them via e-mail to <root@hostname>.
230-
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote %999s
421 Service not available, remote server has closed connection

What's the difference, you ask?  FTP is vulnerable to mishandling %
characters also.  The format string gets expanded by the client.  This
is something different than a format string bug.

In fact, from my examination, it appears to be a bug of a whole
different class - a "paper bag" bug.  A command of " " works just as
well.  If the command is entirely (or far enough for ProFTPd to discard
the rest of it for safety, about 512 chars) blank, then make_cmd will
set newcmd->argv[0] to null, and dispatch_cmd will try to dereference
it.

Embarrassing, maybe, but NOT A SECURITY HOLE.

Let's repeat that to get it perfectly clear: To the best of my ability
to tell, this is NOT A SECURITY HOLE IN PROFTPD.  It's not even a
denial of service, since only the forked child crashes.  It produces
disturbing warnings in proftpd's log, but nothing more harmful than
that.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan () debian org         |  |       dmj+ () andrew cmu edu      |
\--------------------------------/  \--------------------------------/

Attachment: _bin
Description: