Vulnerability Development mailing list archives

Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability


From: "Alex Butcher (vuln-dev)" <vulndev () cocoa demon co uk>
Date: Tue, 4 Dec 2001 22:42:37 +0000 (GMT)

On Tue, 4 Dec 2001, smackenz wrote:

> Check this out (tested on a SUN & LINUX box):::
> 
> Date:         Tue Dec  4 21:11:07 GMT 2001
> Problem:      FTP Server Segfault and Core dump
> Issue:        TESTED AND POSITIVE REMOTE
> Implications: The ftp server is usually run with high system privileges.
> 
> 
> I am sure this is important.  I have managed to remotely dump core from an
> FTP connection to ProFTPD 1.2.2rc3 and a ProFTPD 1.2.0pre10 and the latest
> version of FTP on updates.redhat.com - using a very similar method reported
> in the CORE Security Advisory CORE-20011001 (the globbing problem in Wu-FTPD
> versions through 2.6.1).
> 
> Sorry if this has been found before, but I did check to see if I
> could find a similar article on the web before I posted this (didn't find
> one).
> 
> 
> --------------------------------
> REPRODUCED ON UPDATES.REDHAT.COM
> --------------------------------
> 
> Also I have just successfully reproduced this on one of Red Hat's servers,
> dumping core instantly, which suggests Linux may have this bug as well.
> 
> 
> Shell output is below - shows core dumps:
> ---------------------------------------------
> 
> [smackenz@mainframe smackenz]$ ftp xxxxxx local uni server xxxxxx
> 
> Connected to xxxxxx no telling xxxxxx.
> 220 ProFTPD 1.2.2rc3 Server (ProFTPD Default Installation) [xxx Its a SUN box]
> 500 AUTH not understood.
> 500 AUTH not understood.
> KERBEROS_V4 rejected as an authentication type
> Name (xxxxxxxxxxxxxxx:smackenz): 
> 331 Password required for smackenz.
> Password:
> 230 User smackenz logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> syst
> 215 UNIX Type: L8
> 
> ftp> ls ~{
> 227 Entering Passive Mode (143,53,29,200,225,134).
> 150 Opening ASCII mode data connection for file list
> 226 Transfer complete.
> ftp>
> ftp> ls ls ~{
> Segmentation fault (core dumped)
> [smackenz@mainframe smackenz]$ 
> <connection killed>

Err.... pardon me if I'm wrong, but I think that's your FTP *client* 
that's dumping core... doesn't appear to work the same way here.

> Scott Mackenzie

Best Regards,
Alex.
-- 
Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK      Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950                      http://www.cocoa.demon.co.uk/cv/
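The check Alex's reply calls for, as an added example that is not part of this thread: a script that speaks the FTP control protocol over a plain socket instead of going through ftp(1). In the transcript the command that dumped core was `ls ls ~{`; ftp(1) treats a second argument to `ls` as a local output filename and expands it itself before anything is sent, so the segfault can happen before the server ever receives a LIST. Sending `LIST ~{` directly bypasses that client code and shows whether the server process keeps answering. The fake server, its `crash_on_list` switch, and the host, port and credentials are all constructed here so the check runs offline.

```python
"""Added example: distinguish a crashed FTP server from a crashed FTP client
by talking the control protocol directly.  Fake server is constructed."""
import socket
import socketserver
import threading


class ControlConn:
    """Minimal FTP control connection: send a command, read its reply code."""

    def __init__(self, host, port, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")

    def reply(self):
        """Return the 3-digit code of the next reply (a multi-line reply ends
        with 'NNN text'), or None if the peer closed or stopped answering."""
        while True:
            try:
                line = self.rfile.readline()
            except socket.timeout:
                return None          # hung server: treated as no answer
            if not line:
                return None          # EOF: server process went away
            text = line.decode("latin-1").rstrip("\r\n")
            if text[:3].isdigit() and (len(text) == 3 or text[3:4] == " "):
                return text[:3]

    def cmd(self, line):
        try:
            self.sock.sendall((line + "\r\n").encode("latin-1"))
        except OSError:
            return None              # peer already gone
        return self.reply()

    def close(self):
        self.rfile.close()
        self.sock.close()


def probe_list(host, port, user, password, list_arg):
    """Log in and send LIST <list_arg> on the control channel only (no data
    connection, so the server parses the argument but transfers nothing).
    A live server answers LIST with some code and then NOOP with 200; a
    server whose process died answers neither."""
    conn = ControlConn(host, port)
    result = {"greeting": conn.reply()}
    result["user"] = conn.cmd("USER " + user)
    result["pass"] = conn.cmd("PASS " + password)
    result["list"] = conn.cmd("LIST " + list_arg)
    result["noop"] = conn.cmd("NOOP") if result["list"] is not None else None
    result["server_alive"] = result["noop"] == "200"
    if result["server_alive"]:
        conn.cmd("QUIT")
    conn.close()
    return result


class FakeFtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a server's control connection.  With
    crash_on_list=True it drops the connection when LIST arrives, the way a
    server whose child process segfaulted would."""
    REPLIES = {"USER": b"331 Password required.\r\n",
               "PASS": b"230 User logged in.\r\n",
               "LIST": b"425 Use PORT or PASV first.\r\n",
               "NOOP": b"200 NOOP command successful.\r\n",
               "QUIT": b"221 Goodbye.\r\n"}

    def handle(self):
        self.wfile.write(b"220 constructed fake FTP server ready\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb = raw.decode("latin-1").split(" ", 1)[0].strip().upper()
            if verb == "LIST" and self.server.crash_on_list:
                return               # simulated segfault: no reply at all
            self.wfile.write(self.REPLIES.get(verb, b"500 Command not understood.\r\n"))
            if verb == "QUIT":
                return


class FakeFtpServer(socketserver.ThreadingTCPServer):
    daemon_threads = True
    allow_reuse_address = True

    def __init__(self, crash_on_list=False):
        super().__init__(("127.0.0.1", 0), FakeFtpHandler)  # port 0: any free port
        self.crash_on_list = crash_on_list
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()


def run_demo():
    """Probe a healthy fake server and a crashing one; return both results."""
    out = {}
    for name, crash in (("healthy", False), ("crashing", True)):
        srv = FakeFtpServer(crash_on_list=crash)
        try:
            out[name] = probe_list("127.0.0.1", srv.port, "anonymous", "x@", "~{")
        finally:
            srv.stop()
    return out


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r)
```

Against a real server the probe replaces the two fake instances with the host and port of a test installation; the interesting case is the second half of `run_demo`, where the control connection goes silent after LIST. If the socket-level probe still gets a reply code and a 200 to NOOP, the core file in the transcript belonged to the client, not the daemon.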
