Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability

[KF <dotslash () snosoft com>]

Is this the server dumping its core of is it your ftp client... gdb
/usr/bin/ftp core... 
it should tell you where the core came from. 
-KF 


smackenz wrote:
> Check this out (tested on a SUN & LINUX box):::
>
> Date:                   Tue Dec  4 21:11:07 GMT 2001
> Problem:                FTP Server Segfault and Core dump
> Issue:                  TESTED AND POSITIVE REMOTE
> Implications:           The ftp server is usually run with high system privileges.
>
> I am sure this is important.  I have managed to remotely dump core from an
> FTP connection to ProFTPD 1.2.2rc3 and a ProFTPD 1.2.0pre10 and the latest
> version of FTP on updates.redhat.com - using a very similar method reported
> in the CORE Security Advisory CORE-20011001 (the globbing problem in Wu-FTPD
> versions through 2.6.1)
>
> Sorry if this has been found before; but I did check to see if I
> could find a similar article on the web before I posted this (didn't find
> one).
>
> --------------------------------
> REPRODUCED ON UPDATES.REDHAT.COM
> --------------------------------
>
> Also I have just successfully reproduced this on one of redhat's servers,
> dumping core instantly, which suggests linux may have this bug as well.
>
> Shell output is below - shows core dumps::
> ---------------------------------------------
>
> [smackenz@mainframe smackenz]$ ftp xxxxxx local uni server xxxxxx
>
> Connected to xxxxxx no telling xxxxxx.
> 220 ProFTPD 1.2.2rc3 Server (ProFTPD Default Installation) [xxx Its a SUN box]
> 500 AUTH not understood.
> 500 AUTH not understood.
> KERBEROS_V4 rejected as an authentication type
> Name (xxxxxxxxxxxxxxx:smackenz):
> 331 Password required for smackenz.
> Password:
> 230 User smackenz logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> syst
> 215 UNIX Type: L8
>
> ftp> ls ~{
> 227 Entering Passive Mode (143,53,29,200,225,134).
> 150 Opening ASCII mode data connection for file list
> 226 Transfer complete.
> ftp>
> ftp> ls ls ~{
> Segmentation fault (core dumped)
> [smackenz@mainframe smackenz]$
> <connection killed>
>
> and again::
>
> Name (xxxxxxxxxxxxx:smackenz):
> 331 Password required for smackenz.
> Password:
> 230 User smackenz logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls dsjfnsdk ~{
> Segmentation fault (core dumped)
>
> <and more....>
>
> 150 Opening ASCII mode data connection for file list
> 226 Transfer complete.
> ftp>
> ftp> ls ls __
> output to local-file: __?
> 227 Entering Passive Mode (143,53,28,20,225,175).
> 150 Opening ASCII mode data connection for file list
> 226 Transfer complete.
> ftp> ls ls -+
> output to local-file: -+?
> 227 Entering Passive Mode (143,53,28,20,225,176).
> 150 Opening ASCII mode data connection for file list
> 226 Transfer complete.
> ftp> ls ls _+~
> output to local-file: _+~?
> 227 Entering Passive Mode (143,53,28,20,225,177).
> 150 Opening ASCII mode data connection for file list
> 226 Transfer complete.
> ftp> ls ls {
> output to local-file: {?
> 227 Entering Passive Mode (143,53,28,20,225,178).
> 150 Opening ASCII mode data connection for file list
> 226 Transfer complete.
> ftp> ls ls ~{
> Segmentation fault (core dumped)
>
> <closed connection>
>
> --------------------
> ProFTPD 1.2.0pre10 Server
> --------------------
> <again a local uni SUN server running a different pro-ftp version
>
> ftp> o
> (to) xxxxxxxxxxxxxx
> Connected to xxxxxxxxxxxxxxxx.
> 220 ProFTPD 1.2.0pre10 Server (University of xxxxxxxx FTP Server)
> 500 AUTH not understood.
> 500 AUTH not understood.
> KERBEROS_V4 rejected as an authentication type
> Name (xxxxxxxxxxx:smackenz):
> 331 Password required for smackenz.
> Password:
> 230 Access Granted for smackenz on xxxxxxxxx FTP Server
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> syst
> 215 UNIX Type: L8
> ftp> ls ls ~
> output to local-file: /home/smackenz?
> ftp>
> ftp> ls ls ~{
> Segmentation fault (core dumped)
> [smackenz@mainframe smackenz]$
>
> -----------------
> REDHAT
> -----------------
>
> [smackenz@mainframe smackenz]$ ftp updates.redhat.com
> Connected to updates.redhat.com.
> 220 Red Hat FTP server ready. All transfers are logged.
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (updates.redhat.com:smackenz): anonymous
> 331 Please specify the password.
> Password: (used email address)
> 230-    THE SOFTWARE AVAILABLE FROM THIS SITE IS PROVIDED AND LICENSED
> 230-    "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
> 230-    IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> 230-    OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
> 230 Login successful. Have fun.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls ~{
> 227 Entering Passive Mode (63,240,14,70,48,7)
> 150 Here comes the directory listing.
> 226 Directory send OK.
> ftp> ls ls ~{
> Segmentation fault (core dumped)
> [smackenz@mainframe smackenz]$
>
> -------------------------------------------------------
>
> I think this could be quite important, but unfortunately I do not have the
> skills to audit the source code for an ftp server; so I'll leave that to the
> pro's.
>
> Scott Mackenzie