DoS in Shells: was Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1

To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com, debian security <debian-security@lists.debian.org>
Cc: martin f krafft <madduck@madduck.net>, alun@texis.com
Subject: DoS in Shells: was Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
From: reaktor@hushmail.com
Date: Wed, 3 Apr 2002 21:46:59 -0800
Message-id: <[🔎] 200204040546.g345kxS54101@mailserver4.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello All,

I can confirm that the ls strings dos' slackware 8.0. Causes shell process of that user (user or root) to chew up the cpu until the shell terminates on sig 11.

Works on any shell the user is using, csh, ksh, bash

Tested on:
Linux 2.2.19 #93 Thu Jun 21 01:09:03 PDT 2001 i586 unknown
SunOS 5.8 Generic_108528-12 sun4u sparc SUNW,Ultra-Enterprise

Not Vuln:
OpenBSD 3.0 GENERIC#94 i386

Needs more investigation.

Gilbert

At 03:40 PM 3/29/2002, martin f krafft wrote:
> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

...

> DenyFilter \*.*/

Just as a quick question, why not deny the string "/../" (you may have to
deny the regex "/\.\./", depending how the filter in question works)?

As far as I can tell, it's the ability to embed "/../" into a path that is
at the root of this, far more than the ability to embed wildcards. I can't
think of a situation in which "/../" should appear in a user-supplied path,
except after a string of repeated "../"s.

The workaround suggested by Mr Krafft would disable some useful
functionality - one large user of mine, for instance, was keen to have my
own software evaluate wildcards in the body of the path, which Mr Krafft's
workaround disables completely. They even paid for the privilege (not
enough, but they paid ;-))

So, let's see, a regex that would deny "/../", except as part of a string
of such...

One bash would be "[^/.].*/\.\./" - matching "/../" if it's after any
character other than '/' or '.'. Doubtless someone can come up with
something better.

Alun.
~~~~

- --
Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.

Hush provide the worlds most secure, easy to use online applications - which solution is right for you?
HushMail Secure Email http://www.hushmail.com/
HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/
Hush Business - security for your Business http://www.hush.com/
Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjyr6acVHHJlYWt0b3JAaHVzaG1haWwuY29tAAoJEJajR/iRqwen8mkA
oKWAhCudyOHNoO0TfIeYih8gNz+LAJwNhnWkwhJz0GVeZ4sAuxTE9JP5PA==
=Sgqo
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: DoS in Shells: was Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
  - From: Chip McClure <vhm3@hades.gigguardian.com>

Prev by Date: Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
Next by Date: ssh allowing password logins even though its disabled
Previous by thread: Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
Next by thread: Re: DoS in Shells: was Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
Index(es):
- Date
- Thread