Bugtraq mailing list archives

Re: Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code)


From: Wojciech Purczynski <wp () ELZABSOFT PL>
Date: Wed, 10 Jan 2001 09:54:38 +0100

"ProFTPd has a memory leakage bug when it executes the SIZE FTP command. By
calling the FTP command SIZE 5000 times it is possible to cause ProFTPd to
consume over 300kB of memory. Exploiting this bug with more SIZE commands
gives us a simple DoS attack. Anonymous access is sufficient to use SIZE
commands and to exploit this bug."

This memory leakage occurs only if proftpd is improperly installed and
the /usr/local/var/proftpd directory does not exist or is not writable for
proftpd. If proftpd is installed from an RPM package this directory is
/var/run/proftpd. The bug is in the log_open_run() function in the src/log.c
file. The function tries to open the run-time scoreboard file in this
directory for most (every?) command. Each time it allocates memory for the
scoreboard file name without freeing it, leading to memory leakage. This time
the proftpd developers confirmed this bug.

While playing with proftpd I discovered another memory leakage. The memory
leakage may be exploited by entering many "USER nonexistentuser"
commands before login. No FTP access is needed in order to exploit this
DoS. 10000 USER commands cause proftpd to consume about 1,7MB. No patch
is currently available to fix this bug.

I use proftpd-1.2.0rc2 on RH 6.2. Confirmed also on 1.2.0pre10.

Cheers,
wp

+--------------------------------------------------------------------+
| Wojciech Purczynski   wp () elzabsoft pl  http://www.elzabsoft.pl/~wp |
| GSM: +48604432981   Linux Administrator   SMS: wp-sms () elzabsoft pl |
+------ Public GnuPG Key:  http://www.elzabsoft.pl/~wp/gpg.asc ------+
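
The per-command leak described in the message, as an added example that is not part of the original post and is not ProFTPD's code: a simplified model in which the scoreboard file name is built with malloc on every command and the open fails because the run-time directory is missing. The function names, the placeholder directory and the allocation counter are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed placeholder: a run-time directory that does not exist. */
#define RUN_DIR "/nonexistent-run-dir-example"
static long live_allocs;            /* name buffers allocated, not yet freed */

static char *build_path(const char *dir, const char *file) {
    size_t n = strlen(dir) + strlen(file) + 2;
    char *p = malloc(n);
    if (p == NULL) abort();
    snprintf(p, n, "%s/%s", dir, file);
    live_allocs++;
    return p;
}
static void release_path(char *p) { free(p); live_allocs--; }

/* Leaky shape: the failure path returns without releasing the name. */
static int open_run_leaky(const char *dir) {
    char *path = build_path(dir, "scoreboard");
    FILE *f = fopen(path, "r+");
    if (f == NULL) return -1;       /* name buffer is lost on every command */
    fclose(f);
    release_path(path);
    return 0;
}

/* Corrected shape: the name is released on every exit path. */
static int open_run_fixed(const char *dir) {
    char *path = build_path(dir, "scoreboard");
    FILE *f = fopen(path, "r+");
    release_path(path);             /* no longer needed once fopen returns */
    if (f == NULL) return -1;
    fclose(f);
    return 0;
}

/* Simulate n commands in one session; return name buffers still held. */
long leaked_after(int n, int use_fixed) {
    live_allocs = 0;
    for (int i = 0; i < n; i++)
        (void)(use_fixed ? open_run_fixed(RUN_DIR) : open_run_leaky(RUN_DIR));
    return live_allocs;
}

int main(void) {
    printf("leaky=%ld fixed=%ld\n", leaked_after(5000, 0), leaked_after(5000, 1));
    return 0;
}
```

In this model the leak appears only when the open fails, which matches the condition in the message that the run-time directory is missing or not writable.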

