Bugtraq mailing list archives
Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1
From: Daniel Jacobowitz <drow () FALSE ORG>
Date: Tue, 25 Jul 2000 15:58:56 -0700
On Tue, Jul 25, 2000 at 04:11:16PM -0300, Carlos Eduardo Gorges wrote:
> Hi all, I found several bugs in all the versions of proftp ( tested in proftp 1.2.0pre6, proftp 1.2.0pre10 and proftp 1.2.0rc1 ). All involve parse of characters for example, connects in a proftpd host and
>
> ftp> quote %999s
>
> voyala ! the children stops in segfail : -)
<sigh> <irony> First, I'd like to thank you for doing the respectable and social thing and notifying the vendors and author before posting to BUGTRAQ</irony>. Remember when people had common decency and did that, allowing us to get fixes deployed before people had a chance to panic?

We've been through this before. That is not quite as simple as it appears. Witness (server text indented for clarity):

drow:~% nc -v 0 21
0: inverse host lookup failed: Unknown host
(UNKNOWN) [0.0.0.0] 21 (ftp) open
    220 ProFTPD 1.2.0pre9 Server (ProFTPD) [hostname]
USER ftp
    331 Anonymous login ok, send your complete e-mail address as password.
PASS dan@
    230-Welcome, archive user ftp@hostname !
    230-
    230-The local time is: Tue Jul 25 15:19:50 2000
    230-
    230-This is an experimental FTP server. If have any unusual problems,
    230-please report them via e-mail to <root@hostname>.
    230-
    230 Anonymous access granted, restrictions apply.
%999s
    500 %999S not understood.

Vs:

drow@quaketop:~% socksify ftp hostname
Connected to hostname.
    220 ProFTPD 1.2.0pre9 Server (ProFTPD) [hostname]
Name (hostname:drow): ftp
    331 Anonymous login ok, send your complete e-mail address as password.
Password:
    230-Welcome, archive user ftp@hostname !
    230-
    230-The local time is: Tue Jul 25 15:23:07 2000
    230-
    230-This is an experimental FTP server. If have any unusual problems,
    230-please report them via e-mail to <root@hostname>.
    230-
    230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote %999s
    421 Service not available, remote server has closed connection

What's the difference, you ask? FTP is vulnerable to mishandling % characters also. The format string gets expanded by the client. This is something different than a format string bug. In fact, from my examination, it appears to be a bug of a whole different class - a "paper bag" bug. A command of " " works just as well.
If the command is entirely (or far enough for ProFTPd to discard the rest of it for safety, about 512 chars) blank, then make_cmd will set newcmd->argv[0] to null, and dispatch_cmd will try to dereference it.

Embarrassing, maybe, but NOT A SECURITY HOLE. Let's repeat that to get it perfectly clear: To the best of my ability to tell, this is NOT A SECURITY HOLE IN PROFTPD. It's not even a denial of service, since only the forked child crashes. It produces disturbing warnings in proftpd's log, but nothing more harmful than that.

Dan

/--------------------------------\  /--------------------------------\
|  Daniel Jacobowitz             |__|        SCS Class of 2002       |
|  Debian GNU/Linux Developer     __  Carnegie Mellon University     |
|  dan () debian org             |  |  dmj+ () andrew cmu edu        |
\--------------------------------/  \--------------------------------/
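A toy reconstruction of the failure mode Dan describes, added here as an example; it is not ProFTPD's code, and cmd_rec, make_cmd, dispatch_cmd, reply_for and the 512-byte cut-off are assumptions modelled on the reply. It shows that a whitespace-only line (or one whose verb falls past the cut-off) leaves argv[0] NULL, and that the dispatcher has to check for a missing verb before comparing it.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_ARGS 16
#define MAX_LINE 512  /* assumed cut-off, after the "about 512 chars" in the reply */
#define WS " \t\r\n"
/* Hypothetical command record (not ProFTPD's cmd_rec); argv[0] is the FTP verb. */
typedef struct { char buf[MAX_LINE + 1]; char *argv[MAX_ARGS + 1]; int argc; } cmd_rec;

/* Toy tokenizer modelled on the behaviour described above: the line is cut at
 * MAX_LINE bytes and split on whitespace.  A line that is blank up to the cut-off
 * yields no tokens, so argv[0] stays NULL (calloc zeroed it). */
static cmd_rec *make_cmd(const char *line) {
    cmd_rec *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    strncpy(c->buf, line, MAX_LINE);       /* everything past the cut-off is discarded */
    for (char *p = c->buf; *p && c->argc < MAX_ARGS; ) {
        while (*p && strchr(WS, *p)) p++;  /* skip whitespace */
        if (!*p) break;
        c->argv[c->argc++] = p;
        while (*p && !strchr(WS, *p)) p++; /* scan one token */
        if (*p) *p++ = '\0';
    }
    return c;
}

/* Hardened dispatch: check for a missing verb before touching argv[0].  Without
 * that check, strcasecmp(NULL, ...) is the NULL dereference that kills the child.
 * Returns the FTP reply code the server would send. */
static int dispatch_cmd(const cmd_rec *c) {
    if (c == NULL || c->argc == 0 || c->argv[0] == NULL)
        return 500;                        /* "500 Invalid command", not a segfault */
    if (strcasecmp(c->argv[0], "USER") == 0) return 331;
    return 500;                            /* e.g. "500 %999S not understood." */
}

/* Reply code for "<pad spaces><rest>" sent on the control connection.  pad = 0 is a
 * normal line; pad >= MAX_LINE means even a real verb falls past the cut-off. */
static int reply_for(size_t pad, const char *rest) {
    char *line = malloc(pad + strlen(rest) + 1);
    if (!line) return -1;
    memset(line, ' ', pad);
    strcpy(line + pad, rest);
    cmd_rec *c = make_cmd(line);
    int code = dispatch_cmd(c);
    free(c);
    free(line);
    return code;
}
```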