
Re: proftpd bug or not?

also sprach Noah Meyerhans <noahm@debian.org> [2002.03.29.2149 +0100]:
> No, it is in fact not fixed.  We are still vulnerable.  I have confirmed
> this myself with the proftpd packages from security.debian.org.
> If you don't believe me, try it...

i did. and it wasn't vulnerable. i will try again right now...

lapse:/tmp# ls /etc/proftpd.conf
ls: /etc/proftpd.conf: No such file or directory
lapse:/tmp# dpkg -i proftpd_1.2.0pre10-2.0potato1_i386.deb
lapse:/tmp# dpkg -l proftpd | grep ^ii
ii  proftpd        1.2.0pre10-2.0 Versatile, virtual-hosting FTP
lapse:/tmp# grep -i Filter /etc/proftpd.conf
lapse:/tmp# ncftp localhost
[... snip ...]

okay, i'll spare you the details, here's the results i've come up

my ftproot, which i originally tested against, was way too small. i've
now created an ftproot with 20Gb of data and a very complex directory
hierarchy, and in fact, proftpd will go to consume a lot of resources.

however, this is far from a DoS, i think. the parent instance of
proftpd very happily handles new logins speedily, and contrary to my
expectations, the spawned proftpd, handling the cracker connection is
not even accessing the disk. it just hangs there and consumes

i will let this thing run for some time and see if it ever finishes.

nevertheless, the proftpd deb found at
*does not* contain a DenyFilter as you suggested. so in fact, this is
not really patched if you can consider it a security hole.

but even if not, it's annoying and *should* be banned. i'll post
a followup to bugtraq...

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
prepBut nI vrbLike adjHungarian! qWhat's artThe adjBig nProblem?
                                               -- alec flett @netscape
