
Re: DoS in Shells: was Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also tested, and vulnerable on:

FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002
murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC  i386

Tested using the shells bash, csh, ksh, zsh.

Chip

- -----
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc.

http://www.gigguardian.com/
- -----

On Wed, 3 Apr 2002 reaktor@hushmail.com wrote:

>
> Hello All,
>
> I can confirm that the ls string DoSes Slackware 8.0. It causes the shell process of that user (user or root) to chew up the CPU until the shell terminates on sig 11.
>
> Works on any shell the user is using, csh, ksh, bash
>
> Tested on:
> Linux 2.2.19 #93 Thu Jun 21 01:09:03 PDT 2001 i586 unknown
> SunOS 5.8 Generic_108528-12 sun4u sparc SUNW,Ultra-Enterprise
>
> Not Vuln:
> OpenBSD 3.0 GENERIC#94 i386
>
> Needs more investigation.
>
> Gilbert
>
>
> At 03:40 PM 3/29/2002, martin f krafft wrote:
> >   ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>
> ...
>
> >   DenyFilter \*.*/
>
> Just as a quick question, why not deny the string "/../" (you may have to
> deny the regex "/\.\./", depending how the filter in question works)?
>
> As far as I can tell, it's the ability to embed "/../" into a path that is
> at the root of this, far more than the ability to embed wildcards.  I can't
> think of a situation in which "/../" should appear in a user-supplied path,
> except after a string of repeated "../"s.
>
> The workaround suggested by Mr Krafft would disable some useful
> functionality - one large user of mine, for instance, was keen to have my
> own software evaluate wildcards in the body of the path, which Mr Krafft's
> workaround disables completely.  They even paid for the privilege (not
> enough, but they paid ;-))
>
> So, let's see, a regex that would deny "/../", except as part of a string
> of such...
>
> One bash would be "[^/.].*/\.\./" - matching "/../" if it's after any
> character other than '/' or '.'.  Doubtless someone can come up with
> something better.
>
> Alun.
> ~~~~
>
> --
> Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
> 1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
> Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
> Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPKyICZuKtP8CSC69EQImIACfZE5iDHm4ug5FRhiq6jPqrL1VKrgAoIbU
y58V4TmV1Du3rS1tas+lYUpu
=dU2C
-----END PGP SIGNATURE-----
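
The two filters quoted in the thread, compared on sample arguments. This is an added example, not part of the original messages; it assumes the server applies each regex as an unanchored search over the argument, uses Python's `re` in place of the server's regex engine, and the sample paths are constructed.

```python
import re

# Filters quoted in the thread, applied with unanchored search semantics
# (assumption: the regex is tested anywhere in the command argument).
FILTERS = {
    "krafft": re.compile(r"\*.*/"),         # DenyFilter \*.*/
    "alun": re.compile(r"[^/.].*/\.\./"),   # "/../" after a char other than '/' or '.'
}

# Constructed sample arguments; the first is a shortened form of the
# pattern quoted in the thread.
SAMPLES = [
    "*/../*/../*/../*",
    "pub/*/README",
    "*.txt",
    "../../incoming/file.txt",
    "docs/../private",
]


def denied_by(path):
    """Return the sorted names of the filters that would reject `path`."""
    return sorted(name for name, rx in FILTERS.items() if rx.search(path))


def report(samples=SAMPLES):
    """Map each sample argument to the filters that deny it."""
    return {p: denied_by(p) for p in samples}


if __name__ == "__main__":
    for path, hits in report().items():
        print(f"{path:28} denied by: {', '.join(hits) or '-'}")
```

Both filters reject the repeated `*/../` pattern; only the first also rejects a wildcard in the body of a path (`pub/*/README`), and only the second rejects an embedded `/../` that carries no wildcard.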


