Vulnerability Development mailing list archives
Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability
From: "Alex Butcher (vuln-dev)" <vulndev () cocoa demon co uk>
Date: Tue, 4 Dec 2001 22:42:37 +0000 (GMT)
On Tue, 4 Dec 2001, smackenz wrote:
Check this out (tested on a SUN & LINUX box)::: Date: Tue Dec 4 21:11:07 GMT 2001 Problem: FTP Server Segfault and Core dump Issue: TESTED AND POSITIVE REMOTE Implications: The ftp server is usually run with high system privileges. I am sure this is important. I have managed to remotely dump core from an FTP connection to ProFTPD 1.2.2rc3 and a ProFTPD 1.2.0pre10 and the latest version of FTP on updates.redhat.com - using a very similar method reported in the CORE Security Advisory CORE-20011001 (the globbing problem in Wu-FTPD versions through 2.6.1) Sorry if this has been found before; but I did check to see if I could find a similar article on the web before I posted this (didn't find one). -------------------------------- REPRODUCED ON UPDATES.REDHAT.COM -------------------------------- Also I have just successfully reproduced this on one of redhat's servers, dumping core instantly, which suggests linux may have this bug as well. Shell output is below - shows core dumps:: --------------------------------------------- [smackenz@mainframe smackenz]$ ftp xxxxxx local uni server xxxxxx Connected to xxxxxx no telling xxxxxx. 220 ProFTPD 1.2.2rc3 Server (ProFTPD Default Installation) [xxx Its a SUN box] 500 AUTH not understood. 500 AUTH not understood. KERBEROS_V4 rejected as an authentication type Name (xxxxxxxxxxxxxxx:smackenz): 331 Password required for smackenz. Password: 230 User smackenz logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> syst 215 UNIX Type: L8 ftp> ls ~{ 227 Entering Passive Mode (143,53,29,200,225,134). 150 Opening ASCII mode data connection for file list 226 Transfer complete. ftp> ftp> ls ls ~{ Segmentation fault (core dumped) [smackenz@mainframe smackenz]$ <connection killed>
Err.... pardon me if I'm wrong, but I think that's your FTP *client* that's dumping core... doesn't appear to work the same way here.
Scott Mackenzie
Best Regards, Alex. -- Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com Berkshire, UK Is *your* company hiring UNIX/Security/Pen. testing folks? PGP/GnuPG ID:0x271fd950 http://www.cocoa.demon.co.uk/cv/
Current thread:
- ProFTPD 1.2.2rc3 Remote Server Vulnerability smackenz (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability KF (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability Alex Butcher (vuln-dev) (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability scott (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability ARAI Yuu (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability (-> ftp client buffer overflow) Ciprian Csordas (Dec 05)
- <Possible follow-ups>
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability U dong-houn (Dec 05)