Bugtraq mailing list archives

bizarre ftp stuff...


From: tfs () vampire science gmu edu (Tim Scanlon)
Date: Thu, 3 Nov 1994 17:53:57 -0500 (EST)


        I just discovered (out of curiosity) some rather bizarre behavior
out of ftp that could at a minimum end up serving to create an ugly denial
of service attack...

        Basically, I was curious to see what the hell would happen if I
telneted to the ftp port & mucked around with the connection. Found some
interesting things too.

        First thing I found out is that I could sit there and make my
connection display bizarre stuff, as the ftpd displays command state
stuff even before it does anything with user or pass, and does stuff
with chuid & (potentially) with chroot.
This sort of thing is possible:
root       497   0.0  1.6 1.62M  328K ?  S     0:00 -fusion: connected: `fuckin
strange` (ftpd)

        It'll display command names etc. etc. But, it gets better...

I logged in by using "user" & "pass" with non-breaking spaces to feed
the right stuff to the daemon; breaking spaces are interpreted as separate
lines, so you get "user not understood" junk if you don't use them.
After that the interesting stuff started... I found naturally I couldn't do
a "list" because it couldn't form a data connection, normal enough there...

        Then I set PASV mode, and it got interesting. Once I did that, I tried
to do a "list" and things just sort of hung... So, I escaped from my telnet,
killed the connection & figured "hmm oh well, that was non-substantive".
        This is when I got a surprise though... I then ran a ps, and came up
with this:
tfs        497   0.0  1.9 1.55M  392K ?  S     0:00 -fusion: tfs: list (ftpd)
tfs        575   0.0  0.9  800K  184K ?  S     0:00 /bin/ls -lgA on: tfs: list 

They seem to linger at least as long as it takes for the tcp connection
to close off... That can take a while...

        Obviously, it'd be damn easy to script out something to take advantage
of this behavior & rapidly spawn 80 bazillion processes that'd just hang
there. Not only that, but you'd get 2 for the price of 1 to boot.

        This is bizarre enough to where I'm rather glad I have ftp wrapped.
In reality, it doesn't seem like a huge problem, but on the other hand, it
seems to be enough of a potential problem to set me wondering if any
other bizarre stuff is lurking in ftpd.

        Tim
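A defender-side check for the lingering-process pattern described above, written as an added example (not code from the original post): it parses `ps` output for ftpd sessions stuck in a data-transfer command and their orphaned `/bin/ls` children, grouped by user, so a host can be flagged before the "2 for the price of 1" pile-up exhausts the process table. The sample ps lines are constructed after the ones in the post; the `-host: user: cmd (ftpd)` status format, the set of data commands and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `ps aux`-style output, modelled on the lines in the post
# (the PIDs, the "bob"/"alice" entries and the idle session are made up).
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ   RSS TT STAT  TIME COMMAND
root       497   0.0  1.6 1.62M  328K ?  S    0:00 -fusion: connected: idle (ftpd)
tfs        498   0.0  1.9 1.55M  392K ?  S    0:00 -fusion: tfs: list (ftpd)
tfs        575   0.0  0.9  800K  184K ?  S    0:00 /bin/ls -lgA on: tfs: list
tfs        610   0.0  1.9 1.55M  392K ?  S    0:00 -fusion: tfs: list (ftpd)
tfs        611   0.0  0.9  800K  184K ?  S    0:00 /bin/ls -lgA on: tfs: list
bob        700   0.0  1.9 1.55M  392K ?  S    0:00 -fusion: bob: list (ftpd)
bob        701   0.0  0.9  800K  184K ?  S    0:00 /bin/ls -lgA on: bob: list
alice      800   0.0  0.1  800K  184K ?  S    0:00 /bin/ls -l
"""

# Assumed status-line format: "-<host>: <user>: <last command> (ftpd)".
FTPD_STATUS = re.compile(r"^-\S+: (?P<user>\S+): (?P<cmd>\S+) \(ftpd\)$")
# The ls child inherits the parent's overwritten argv, hence the " on: user: cmd" tail.
LS_CHILD = re.compile(r"^/bin/ls\b.* on: (?P<user>\S+): (?P<cmd>\S+)$")
# FTP commands that need a data connection and can therefore hang in PASV mode.
DATA_CMDS = {"list", "nlst", "retr", "stor"}

def parse_ps(text):
    """Split ps output into rows; the 10th field is the full command line."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 9)
        if len(parts) < 10 or parts[0] == "USER":
            continue
        rows.append({"user": parts[0], "pid": int(parts[1]), "cmd": parts[9]})
    return rows

def hung_transfers(ps_text):
    """Return {user: {"ftpd": n, "ls": m}} for sessions parked in a data command."""
    counts = defaultdict(lambda: {"ftpd": 0, "ls": 0})
    for row in parse_ps(ps_text):
        m = FTPD_STATUS.match(row["cmd"])
        if m and m.group("cmd").lower() in DATA_CMDS:
            counts[m.group("user")]["ftpd"] += 1
            continue
        m = LS_CHILD.match(row["cmd"])
        if m:
            counts[m.group("user")]["ls"] += 1
    return dict(counts)

def flag_users(ps_text, threshold=2):
    """Users holding at least `threshold` lingering processes (ftpd plus ls children)."""
    return sorted(u for u, c in hung_transfers(ps_text).items()
                  if c["ftpd"] + c["ls"] >= threshold)

if __name__ == "__main__":
    print(hung_transfers(SAMPLE_PS))
    print("over threshold:", flag_users(SAMPLE_PS, threshold=3))
```

The pre-login `connected: idle` session and the unrelated `/bin/ls -l` are deliberately left out of the count, so only stuck data transfers contribute.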


