Bugtraq mailing list archives

Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1


From: Nic Bellamy <nic () BELLAMY CO NZ>
Date: Wed, 26 Jul 2000 13:37:40 +1200

On Tue, 25 Jul 2000, Carlos Eduardo Gorges wrote:

> All involve parse of characters
> for example,
> connects in a proftpd host and
>
> ftp> quote %999s

What you'll find is that your ftp client is interpreting the format
string, and sending about 1,000 spaces to the FTP server. Try doing "quote
%p" and you'll see that is truly the case, as you'll get a response
similar to "500 0X8059008 not understood."

You can crash it in exactly the same way with a simple "echo ' ' | nc
ftp.server.dom 21".

> the children stop in a segfault :-)

It segfaults when it tries to dereference a NULL pointer, due to cmd_loop()
trying to dispatch_cmd() without checking that there actually *was* a
command. As far as I can tell, there's no exploit potential in this.

The patch following this message solves it for me, but may not be the
correct way of fixing it. Due to the nature of this bug, it's not going to
hurt to wait for an official fix.

MacGuyver, the ProFTPd maintainer, has been CC'd this message.

Regards,
        Nic.

-- Nic Bellamy <nic () bellamy co nz>
   Bellamy Consulting Limited. DDI: +64-9-631-7901 Mobile: +64-21-251-8954
   Internet Software & Security Consulting -- http://www.bellamy.co.nz/ --

--- proftpd-1.2.0rc1.orig/src/main.c    Wed Jul 12 02:02:56 2000
+++ proftpd-1.2.0rc1/src/main.c Wed Jul 26 13:19:42 2000
@@ -1033,8 +1033,12 @@
       cmd_rec *cmd;

       cmd = make_cmd(permanent_pool,cp);
-      if(cmd) {
-        dispatch_cmd(cmd);
+      if (cmd) {
+        if (cmd->argv[0]) {
+          dispatch_cmd(cmd);
+        } else {
+          send_response("500","No command specified.");
+        }
         destroy_pool(cmd->pool);
       }
     }
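Review bot: the guard is placed at one call site, but the NULL argv[0] is produced by make_cmd() when the line carries no command, so the check belongs either in make_cmd() (return NULL for an empty line, which the existing `if (cmd)` already handles) or at the top of dispatch_cmd(), where it protects every path that builds a cmd_rec rather than just this one in cmd_loop(). If cmd_rec tracks an argument count, testing that is clearer than relying on argv[0] being NULL for an empty line. The `if(cmd) {` to `if (cmd) {` rewrite is a whitespace-only change bundled into the fix hunk; leaving it out keeps the diff to the behavioural change. Replying "500 No command specified." to a bare line is consistent with RFC 959 (500 = syntax error, command unrecognized), though silently ignoring empty lines is the other common choice.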


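The failure Nic describes, as an added example that is not ProFTPD's code: a miniature command loop that splits one control-connection line into a cmd_rec-like struct and dispatches it. The names cmd_rec, make_cmd and dispatch_cmd echo the mail, but their bodies here are stand-ins written for illustration, and the verbs, reply strings and sample lines are constructed. The all-spaces sample models what an ftp client sends for "quote %999s"; the unchecked dispatcher reads argv[0] without testing for it, the checked one applies the same guard the patch adds.

```c
/* Added example, not ProFTPD code: a model of the command loop described in
 * the mail.  cmd_rec/make_cmd/dispatch_cmd mirror the names mentioned there;
 * the implementations are stand-ins for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 16

typedef struct {
    int argc;
    char *argv[MAX_ARGS + 1];   /* NULL-terminated, like main()'s argv */
    char buf[512];              /* private copy of the line; tokens point into it */
} cmd_rec;

/* Split one input line on whitespace.  A bare CRLF, or a line that is all
 * spaces (what an ftp client sends for "quote %999s"), yields argc == 0 and
 * argv[0] == NULL. */
static cmd_rec *make_cmd(const char *line)
{
    cmd_rec *cmd = calloc(1, sizeof *cmd);
    if (cmd == NULL)
        return NULL;
    strncpy(cmd->buf, line, sizeof cmd->buf - 1);
    char *p = cmd->buf;
    while (*p != '\0' && cmd->argc < MAX_ARGS) {
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;                        /* skip separators, CR and LF included */
        if (*p == '\0')
            break;
        cmd->argv[cmd->argc++] = p;     /* start of a token */
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;
        if (*p != '\0')
            *p++ = '\0';                /* terminate the token in place */
    }
    cmd->argv[cmd->argc] = NULL;
    return cmd;
}

/* Case-insensitive match of an FTP verb (RFC 959 verbs are case-insensitive). */
static int verb_is(const char *tok, const char *verb)
{
    for (; *tok != '\0' && *verb != '\0'; tok++, verb++)
        if (toupper((unsigned char)*tok) != toupper((unsigned char)*verb))
            return 0;
    return *tok == '\0' && *verb == '\0';
}

/* The shape of the bug: the dispatcher assumes a verb was parsed and reads
 * argv[0] unconditionally.  For an empty line argv[0] is NULL, so the first
 * character read dereferences NULL and the child segfaults. */
static const char *dispatch_cmd_unchecked(const cmd_rec *cmd)
{
    if (verb_is(cmd->argv[0], "NOOP"))
        return "200 NOOP command successful.";
    if (verb_is(cmd->argv[0], "QUIT"))
        return "221 Goodbye.";
    return "500 Command not understood.";
}

/* Hardened form, the same guard the patch wraps around dispatch_cmd():
 * refuse to dispatch when no verb was parsed. */
static const char *dispatch_cmd_checked(const cmd_rec *cmd)
{
    if (cmd->argc == 0 || cmd->argv[0] == NULL)
        return "500 No command specified.";
    return dispatch_cmd_unchecked(cmd);
}

/* One iteration of the command loop: parse, dispatch, free.  Replies are
 * string literals, so returning them after freeing cmd is safe. */
const char *handle_line(const char *line, int hardened)
{
    cmd_rec *cmd = make_cmd(line);
    if (cmd == NULL)
        return "421 Service not available, closing control connection.";
    const char *reply = hardened ? dispatch_cmd_checked(cmd)
                                 : dispatch_cmd_unchecked(cmd);
    free(cmd);
    return reply;
}

int main(void)
{
    /* Constructed sample lines, including the two the mail says crash the child. */
    struct { const char *label, *line; } samples[] = {
        { "NOOP",      "NOOP\r\n" },
        { "bare CRLF", "\r\n" },
        { "spaces",    "          \r\n" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i].label, handle_line(samples[i].line, 1));
    /* handle_line("\r\n", 0) is the unpatched path and dereferences NULL. */
    return 0;
}
```

Running the unpatched path on an empty line (`handle_line("\r\n", 0)`) reproduces the crash; the point of the split between make_cmd and the dispatcher is that the parser happily returns a valid cmd_rec with nothing in it, so whichever layer dispatches has to check for that case.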