Bugtraq mailing list archives
Re: Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code)
From: Wojciech Purczynski <wp () ELZABSOFT PL>
Date: Wed, 10 Jan 2001 09:54:38 +0100
"ProFTPd has memory leakage bug when it executes the SIZE FTP command. By calling the FTP command SIZE 5000 times it is possible to cause ProFTPd to consume over 300kB of memory. Exploiting this bug with more SIZE commands gives us a simple DoS attack. Anonymous access is sufficient to use SIZE commands and to exploit this bug."
This memory leakage occurs only if proftpd is improperly installed and the /usr/local/var/proftpd directory does not exist or is not writable for proftpd. If proftpd is installed from an RPM package, this directory is /var/run/proftpd.

The bug is in the log_open_run() function in the src/log.c file. The function tries to open the run-time scoreboard file in this directory for most (every?) command. Each time it allocates memory for the scoreboard file name, not freeing it, leading to memory leakage. This time proftpd developers confirmed this bug.

While playing with proftpd I discovered another memory leakage. The memory leakage may be exploited by entering many "USER nonexistentuser" commands before login. No FTP access is needed in order to exploit this DoS. 10000 USER commands cause proftpd to consume about 1,7MB. No patch is currently available to fix this bug.

I use proftpd-1.2.0rc2 on RH 6.2. Confirmed also on 1.2.0pre10.

Cheers,
wp

+--------------------------------------------------------------------+
| Wojciech Purczynski wp () elzabsoft pl http://www.elzabsoft.pl/~wp |
| GSM: +48604432981 Linux Administrator SMS: wp-sms () elzabsoft pl |
+------ Public GnuPG Key: http://www.elzabsoft.pl/~wp/gpg.asc ------+
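The leak shape described in the message above (a file name allocated on every command and never released when the run-time file cannot be opened), shown beside a corrected form. This is an added example, not part of the original post and not ProFTPD's source; the function names, the "scoreboard" file name, the allocation counter and the directory path are all assumptions made for illustration.

```c
/* Added illustration, not ProFTPD source: a per-command helper that builds a
 * run-time file path on the heap and fails when the directory is unusable. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static long live_allocs = 0;   /* outstanding path buffers (demo counter) */

static char *path_alloc(const char *dir, const char *name) {
    size_t n = (size_t)snprintf(NULL, 0, "%s/%s", dir, name) + 1;
    char *p = malloc(n);
    if (p) { snprintf(p, n, "%s/%s", dir, name); live_allocs++; }
    return p;
}
static void path_free(char *p) { if (p) { free(p); live_allocs--; } }

/* Leaky shape: the early return on open() failure skips the free. */
static int open_run_leaky(const char *dir) {
    char *path = path_alloc(dir, "scoreboard");   /* hypothetical file name */
    if (!path) return -1;
    int fd = open(path, O_RDWR | O_CREAT, 0644);
    if (fd < 0) return -1;                        /* path is never released */
    path_free(path);
    return fd;
}

/* Fixed shape: the buffer is released on every path before returning. */
static int open_run_fixed(const char *dir) {
    char *path = path_alloc(dir, "scoreboard");
    if (!path) return -1;
    int fd = open(path, O_RDWR | O_CREAT, 0644);
    path_free(path);
    return fd;
}

/* Run n simulated commands; return how many buffers remain allocated. */
static long leaked_after(int (*fn)(const char *), const char *dir, int n) {
    long before = live_allocs;
    for (int i = 0; i < n; i++) { int fd = fn(dir); if (fd >= 0) close(fd); }
    return live_allocs - before;
}

int main(void) {
    const char *missing = "/nonexistent-run-dir-example";  /* constructed path */
    long leaky = leaked_after(open_run_leaky, missing, 5000);
    long fixed = leaked_after(open_run_fixed, missing, 5000);
    printf("buffers left after 5000 commands: leaky=%ld fixed=%ld\n", leaky, fixed);
    return 0;
}
```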
Current thread:
- Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code) JeT Li (Jan 09)
- Re: Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code) Wojciech Purczynski (Jan 10)