
Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1



dear bugtraq'ers,

i must confess that the information i provided wrt the acclaimed DoS
exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
not fully accurate. the package *does in fact contain a buggy daemon*
despite having been fixed, according to the changelog:

  proftpd (1.2.0pre10-2.0potato1) stable; urgency=high

    * Non-Maintainer upload.
--->* Applied patch against string format buffer attack.
  [...]

here's the result of my research:

the ftproot, against which i tested the daemon when i replied to the
original bugtraq post, was way too small to cause the server to break
a sweat on the recursion attack

  ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

i now tested the daemon against a new ftproot, 20Gb in size with
a total of 6588 directories, and it does in fact appear to hang,
consuming memory in excess of 100Mb, and loitering the processor
queue.

nevertheless, the proftpd parent process happily served another 99
sessions at no noticeable speed degradation. and, after 23 minutes,
the berserk proftpd process returned and surrendered the resources
(the ftp session had timed out after 5 minutes already).

the suggested temporary fix is to add the option

  DenyFilter \*.*/

to /etc/proftpd.conf. however, despite common belief, Debian's
proftpd package 1.2.0pre10-2.0potato1 *does not* contain this option
and is thus vulnerable to the extent that this is a severe
vulnerability.

i don't think it's necessary to discuss this; the daemon as packaged
by debian is buggy and that has to be fixed. but i hope i was able to
give you some more information on the extent of the exploit. i will
do my best to push a fixed package into the APT archive at
security.debian.org as soon as possible.

regards,

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
"with sufficient thrust, pigs fly just fine. however, this is not
 necessarily a good idea. it is hard to be sure where they are going to
 land, and it could be dangerous sitting under them as they fly
 overhead."
                                                           -- rfc 1925
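The DenyFilter mitigation quoted in the mail, and the difference between the recursive listing it blocks and the benign wildcards it also catches, as an added example in Python that is not part of the original mail or of proftpd. The regex check is assumed to mirror how proftpd applies DenyFilter to a command's argument, and the log lines are constructed, with the attack argument modelled on the listing quoted above.

```python
import re

# The DenyFilter from the mail: a literal '*' followed by anything, then '/'.
DENY_FILTER = re.compile(r"\*.*/")

# Constructed argument modelled on the recursive listing quoted in the mail:
# twelve "*/.." climbs followed by a final "*".
ATTACK_ARG = "*/../" * 12 + "*"

# Constructed sample command lines (not real proftpd logs):
# "<session> <COMMAND> <argument>"
SAMPLE_COMMANDS = [
    "s1 LIST " + ATTACK_ARG,
    "s2 LIST pub/",
    "s3 NLST *.tar.gz",
    "s4 RETR pub/debian/README",
    "s5 LIST pub/*/",
]


def denied_by_filter(argument):
    """True when the argument matches the DenyFilter regex (assumed semantics)."""
    return DENY_FILTER.search(argument) is not None


def recursion_depth(argument):
    """Count '*/..' components: how often the glob climbs back up the tree.

    A benign 'pub/*/' scores 0; the recursive listing scores one per climb,
    which is what makes the expansion explode on a large ftproot.
    """
    return argument.count("*/..")


def triage(lines):
    """Return (session, command, verdict, depth) per line.

    verdict is 'deny' when DenyFilter would reject the argument, else 'allow'.
    depth is logged separately so a defender can tell the recursive pattern
    apart from ordinary wildcards the filter also rejects (e.g. 'pub/*/').
    """
    results = []
    for line in lines:
        session, command, argument = line.split(" ", 2)
        verdict = "deny" if denied_by_filter(argument) else "allow"
        results.append((session, command, verdict, recursion_depth(argument)))
    return results
```

Note that `pub/*/` is rejected as well, so the filter trades away legitimate wildcard listings for the protection; the depth count shows which rejected requests were actually the recursive pattern.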
