Vulnerability Development mailing list archives
Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability
From: KF <dotslash () snosoft com>
Date: Tue, 04 Dec 2001 18:25:29 -0500
Is this the server dumping its core or is it your ftp client... gdb /usr/bin/ftp core... it should tell you where the core came from.

-KF

smackenz wrote:
Check this out (tested on a SUN & LINUX box):::

Date: Tue Dec 4 21:11:07 GMT 2001
Problem: FTP Server Segfault and Core dump
Issue: TESTED AND POSITIVE REMOTE
Implications: The ftp server is usually run with high system privileges.

I am sure this is important. I have managed to remotely dump core from an FTP connection to ProFTPD 1.2.2rc3 and a ProFTPD 1.2.0pre10 and the latest version of FTP on updates.redhat.com - using a very similar method to the one reported in the CORE Security Advisory CORE-20011001 (the globbing problem in Wu-FTPD versions through 2.6.1).

Sorry if this has been found before; but I did check to see if I could find a similar article on the web before I posted this (didn't find one).

--------------------------------
REPRODUCED ON UPDATES.REDHAT.COM
--------------------------------

Also I have just successfully reproduced this on one of Red Hat's servers, dumping core instantly, which suggests Linux may have this bug as well.

Shell output is below - shows core dumps::

---------------------------------------------
[smackenz@mainframe smackenz]$ ftp xxxxxx          <local uni server xxxxxx>
Connected to xxxxxx no telling xxxxxx.
220 ProFTPD 1.2.2rc3 Server (ProFTPD Default Installation) [xxx It's a SUN box]
500 AUTH not understood.
500 AUTH not understood.
KERBEROS_V4 rejected as an authentication type
Name (xxxxxxxxxxxxxxx:smackenz):
331 Password required for smackenz.
Password:
230 User smackenz logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> syst
215 UNIX Type: L8
ftp> ls ~{
227 Entering Passive Mode (143,53,29,200,225,134).
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp>
ftp> ls ls ~{
Segmentation fault (core dumped)
[smackenz@mainframe smackenz]$

<connection killed>

and again::

Name (xxxxxxxxxxxxx:smackenz):
331 Password required for smackenz.
Password:
230 User smackenz logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls dsjfnsdk ~{
Segmentation fault (core dumped)

<and more....>

150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp>
ftp> ls ls __
output to local-file: __?
227 Entering Passive Mode (143,53,28,20,225,175).
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp> ls ls -+
output to local-file: -+?
227 Entering Passive Mode (143,53,28,20,225,176).
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp> ls ls _+~
output to local-file: _+~?
227 Entering Passive Mode (143,53,28,20,225,177).
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp> ls ls {
output to local-file: {?
227 Entering Passive Mode (143,53,28,20,225,178).
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp> ls ls ~{
Segmentation fault (core dumped)

<closed connection>

--------------------
ProFTPD 1.2.0pre10 Server
--------------------

<again a local uni SUN server running a different pro-ftp version>

ftp> o
(to) xxxxxxxxxxxxxx
Connected to xxxxxxxxxxxxxxxx.
220 ProFTPD 1.2.0pre10 Server (University of xxxxxxxx FTP Server)
500 AUTH not understood.
500 AUTH not understood.
KERBEROS_V4 rejected as an authentication type
Name (xxxxxxxxxxx:smackenz):
331 Password required for smackenz.
Password:
230 Access Granted for smackenz on xxxxxxxxx FTP Server
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> syst
215 UNIX Type: L8
ftp> ls ls ~
output to local-file: /home/smackenz?
ftp>
ftp> ls ls ~{
Segmentation fault (core dumped)
[smackenz@mainframe smackenz]$

-----------------
REDHAT
-----------------

[smackenz@mainframe smackenz]$ ftp updates.redhat.com
Connected to updates.redhat.com.
220 Red Hat FTP server ready. All transfers are logged.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (updates.redhat.com:smackenz): anonymous
331 Please specify the password.
Password: (used email address)
230- THE SOFTWARE AVAILABLE FROM THIS SITE IS PROVIDED AND LICENSED
230- "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
230- IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
230- OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (63,240,14,70,48,7)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls ls ~{
Segmentation fault (core dumped)
[smackenz@mainframe smackenz]$

-------------------------------------------------------

I think this could be quite important, but unfortunately I do not have the skills to audit the source code for an ftp server; so I'll leave that to the pros.

Scott Mackenzie
Current thread:
- ProFTPD 1.2.2rc3 Remote Server Vulnerability smackenz (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability KF (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability Alex Butcher (vuln-dev) (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability scott (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability ARAI Yuu (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability (-> ftp client buffer overflow) Ciprian Csordas (Dec 05)
- <Possible follow-ups>
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability U dong-houn (Dec 05)