Vulnerability Development mailing list archives

Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability (-> ftp client buffer overflow)


From: Ciprian Csordas <security.focus () wye cjb net>
Date: 05 Dec 2001 13:31:25 +0200

        Hello,

  This is an ftp client problem for sure.
I confirm that the ftp client in Mandrake Linux 8.1 receives SIGSEGV
using the "ls ls ~{" sequence:


=====================================================================
[wye@wye wye]$ gdb `which ftp`
GNU gdb 20010625
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-mandrake-linux"...(no debugging symbols found)...
(gdb) r ftp.xxxxx.xxx
Starting program: /usr/bin/ftp ftp.xxxxx.xxx
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Connected to ftp.xxxxx.xxx.
220 xxxxx.xxxxx.xxx FTP server (Version wu-2.6.1-0.6x.21) ready.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (ftp.xxxxx.xxxls:wye): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230 - [...snip...]
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ls ~{
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x401b3780 in strcmp () from /lib/libc.so.6
(gdb) quit
The program is running.  Exit anyway? (y or n) y
[wye@wye wye]$ uname -a
Linux wye.xxxxx.xxx 2.4.8-12mdk #1 Fri Aug 24 16:18:19 CEST 2001 i686 unknown
=========================================================================

        I am not sure if this can be exploited (probably not), but for sure
something IS WRONG. Unfortunately, I don't have the time for it ...

Using ncftp nothing weird happens:

====================================================================
[wye@wye wye]$ ncftp ftp.xxxxx.xxx
NcFTP 3.0.4 (October 25, 2001) by Mike Gleason (ncftp () ncftp com).
Connecting to ftp.xxxxx.xxxxx(xxx.xxx.xxx.xxx)...
xxxxxx.xxxxxx.xxx FTP server (Version wu-2.6.1-0.6x.21) ready.
Logging in...

[...snip...]

Guest login ok, access restrictions apply.
Logged in to ftp.xxxxx.xxx.
ncftp / > ls ls ~{
List failed.
==============================================

This seems OK to me.


        C ya,
                Wye <post456456233 () wye cjb net>


On Wed, 2001-12-05 at 03:17, ARAI Yuu wrote:
Hello,

I think this could be quite important, but unfortunately I do not have the
skills to audit the source code for an ftp server; so I'll leave that to the
pros.

I don't know whether this is related to your issue or not, but last week I
noticed that /usr/bin/ftp on Solaris will fail when a user sends a request
such as "get ~{". This is just a bug on the client side, not a
vulnerability on the server side.

Reproduction:
=============
$ uname -a
SunOS puppet 5.7 Generic_106542-18 i86pc i386 i86pc
$ ftp localhost
Connected to localhost.
220 ProFTPD 1.2.4 Server (ProFTPD Default Installation) [puppet]
Name (localhost:arai): arai
331 Password required for arai.
Password:
230 User arai logged in.
ftp> get ~{
Segmentation Fault - core dumped
<snip>
# file ./core/core.ftp.25184
./core/core.ftp.25184:  ELF 32-bit LSB core file 80386 Version 1, from 'ftp'
#


And I confirmed "ls ls ~{" will cause the same SIGSEGV.

================
$ ftp localhost
Connected to localhost.
220 ProFTPD 1.2.4 Server (ProFTPD Default Installation) [puppet]
Name (localhost:arai): arai
331 Password required for arai.
Password:
230 User arai logged in.
ftp> ls ls ~{
Segmentation Fault - core dumped
<snip>
# file ./core/core.ftp.25194
./core/core.ftp.25194:  ELF 32-bit LSB core file 80386 Version 1, from 'ftp'


Regards,
-----------------------------------------------
ARAI Yuu <y.arai () lac co jp>
Network Security Specialist / LAC Computer Security Laboratory
http://www.lac.co.jp/security/



