OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Wojciech Purczynski (wpELZABSOFT.PL)
Date: Wed Jan 10 2001 - 02:54:38 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    > " ProFTPd has memory leakage bug when it executes the SIZE FTP command. By
    > calling the FTP command SIZE 5000 times it possible to cause ProFTPd to
    > consume over 300kB of memory. Exploiting this bug with more SIZE commands
    > gives us simple DoS attack. Anonymous access is sufficient to use SIZE
    > commands and to exploit this bug."

    This memory leakage occurs only if proftpd is improperly installed and
    /usr/local/var/proftpd directory does not exist or is not writable for
    proftpd. If proftpd is installed from RPM package this directory is
    /var/run/proftpd. The bug is in log_open_run() function in src/log.c file.
    The functions tries to open run-time scoreboard file in this directory for
    most (every?) command. Each time it allocates memory for scoreboard file
    name not freeing it leading to memory leakage. This time proftpd
    developers confirmed this bug.

    While playing with proftpd I discovered another memory leakage. The memory
    leakage may be exploited by entering many ,,USER nonexistentuser''
    commands before login. No FTP access in needed in order to exploit this
    DoS. 10000 USER commands causes proftpd to consume about 1,7MB. No patch
    is currently available to fix this bug.

    I use proftpd-1.2.0rc2 on RH 6.2. Confirmed also on 1.2.0pre10.

    Cheers,
    wp

    +--------------------------------------------------------------------+
    | Wojciech Purczynski wpelzabsoft.pl http://www.elzabsoft.pl/~wp |
    | GSM: +48604432981 Linux Administrator SMS: wp-smselzabsoft.pl |
    +------ Public GnuPG Key: http://www.elzabsoft.pl/~wp/gpg.asc ------+