Vulnerability Development mailing list archives
Re: DoS in Shells: was Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
From: Chip McClure <vhm3 () hades gigguardian com>
Date: Thu, 4 Apr 2002 09:06:13 -0800 (PST)
Also tested, and vulnerable on:

FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002 murray () builder freebsdmall com:/usr/src/sys/compile/GENERIC i386

Tested using the shells bash, csh, ksh, zsh.

Chip

-----
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc.
http://www.gigguardian.com/
-----

On Wed, 3 Apr 2002 reaktor () hushmail com wrote:

> Hello All,
>
> I can confirm that the ls strings dos' slackware 8.0. Causes shell process of that user (user or root) to chew up the cpu until the shell terminates on sig 11. Works on any shell the user is using, csh, ksh, bash
>
> Tested on:
> Linux 2.2.19 #93 Thu Jun 21 01:09:03 PDT 2001 i586 unknown
> SunOS 5.8 Generic_108528-12 sun4u sparc SUNW,Ultra-Enterprise
>
> Not Vuln:
> OpenBSD 3.0 GENERIC#94 i386
>
> Needs more investigation.
>
> Gilbert
>
> > At 03:40 PM 3/29/2002, martin f krafft wrote:
> > > ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*...
> > > DenyFilter \*.*/
> >
> > Just as a quick question, why not deny the string "/../" (you may have to deny the regex "/\.\./", depending how the filter in question works)?
> >
> > As far as I can tell, it's the ability to embed "/../" into a path that is at the root of this, far more than the ability to embed wildcards. I can't think of a situation in which "/../" should appear in a user-supplied path, except after a string of repeated "../"s.
> >
> > The workaround suggested by Mr Krafft would disable some useful functionality - one large user of mine, for instance, was keen to have my own software evaluate wildcards in the body of the path, which Mr Krafft's workaround disables completely. They even paid for the privilege (not enough, but they paid ;-))
> >
> > So, let's see, a regex that would deny "/../", except as part of a string of such...
> >
> > One bash would be "[^/.].*/\.\./" - matching "/../" if it's after any character other than '/' or '.'.
> >
> > Doubtless someone can come up with something better.
> >
> > Alun.
> > ~~~~
> > --
> > Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
> > 1602 Harvest Moon Place   | http://www.wftpd.com or email alun () texis com
> > Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
> > Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
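The deny filter discussed in the quoted message, as an added example that is not part of the original posts: it applies the regex quoted in the thread to constructed sample paths and compares it with a stricter component-based check. The function names, the component-based variant and the sample paths are assumptions made for this illustration.

```python
import re

# Pattern quoted in the thread: "/../" preceded, anywhere earlier in the
# path, by a character other than '/' or '.'.
THREAD_REGEX = re.compile(r"[^/.].*/\.\./")

def denied_by_regex(path: str) -> bool:
    """Apply the thread's regex as a deny filter (search, not full match)."""
    return THREAD_REGEX.search(path) is not None

def denied_by_components(path: str) -> bool:
    """Stricter variant (assumption): deny '..' after any real component."""
    seen_real = False
    for part in path.split("/"):
        if part in ("", "."):
            continue                # empty or current-directory component
        if part == "..":
            if seen_real:
                return True         # parent reference after a name or glob
        else:
            seen_real = True        # a name, a wildcard, or e.g. "..."
    return False

# Constructed sample paths, not taken from any log.
SAMPLES = [
    "*/../*/../*",       # wildcard followed by "/../": denied by both
    "../../pub/*.txt",   # leading run of "../": allowed by both
    "pub/*/README",      # wildcard in the body of the path: allowed by both
    "pub/..",            # no trailing slash: the regex lets it through
    "..././../pub",      # "..." is a legal name: the regex lets it through
]

def compare(paths=SAMPLES):
    """Return (path, denied_by_regex, denied_by_components) per path."""
    return [(p, denied_by_regex(p), denied_by_components(p)) for p in paths]

if __name__ == "__main__":
    for path, by_regex, by_parts in compare():
        print(f"{path!r:22} regex={by_regex!s:5} components={by_parts}")
```

The last two samples show where the two checks differ: the regex needs a trailing slash after ".." and a character other than '/' or '.' somewhere before it.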