From: Mattias _ (surre1hotmail.com)
Date: Wed Dec 19 2001 - 07:22:40 CST

    SUMMARY
    =======
    A problem in handling file globbing exists in the current version of ProFTPD
    1.2.4 (but it’s fixed in the Candidate version: 1.2.5rc1). This
    is very similar to the wu-ftpd bug (“ls ~{”) and occurs when you issue
    the command: ls /////////// (11 or more ‘/’). I haven’t figured out if
    it’s exploitable. That’s why I post it to you guys. :-)

    AFFECTED VERSIONS
    =================
    ProFTPD 1.2.4
    ProFTPD 1.2.2rc3
    (Others may be affected as well.)

    SYSTEMS
    =======
    This is tested on Slackware 8.

    IMPACT
    ======
    The ftpd-child dies with signal 11 (SEGV), but the server stays up.
    The question is if it’s possible to do something nasty with this!?

    DETAILS
    =======
    The segmentation fault occurs when the server tries to free
    unallocated memory with a free() call, and it could be a heap
    corruption vulnerability. The SEGV occurs in the file lib/glibc-glob.c,
    in the function void globfree (pglob).

    Here is how I tested it.
    Login as ftp(anonymous) and issue the command:
    ftp> ls ///////////
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    421 Service not available, remote server has closed connection
    ftp>

    And the debug messages read (proftpd -n -d 5):
    dispatching PRE_CMD command 'LIST ///////////' to mod_core
    dispatching CMD command 'LIST ///////////' to mod_ls
    active data connection opened - local : 127.0.0.1:20
    active data connection opened - remote : 127.0.0.1:1286
    in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
    ProFTPD terminating (signal 11)

    VENDOR RESPONSE
    ===============
    This problem has been reported to the ProFTPD Bug Tracking System. It has
    also been reported to securityproftpd.org, where they asked me to wait
    with posting this until they released version 1.2.5rc1.

    SOLUTION
    ========
    Upgrade to version 1.2.5rc1.

    REFERENCES
    ==========
    ProFTPD (Get the latest version)
    http://www.proftpd.org

    ProFTPD Bug Tracking System (Where it was first reported):
    http://bugs.proftpd.org/show_bug.cgi?id=1426

    Information about the wu-ftpd problem:
    http://www.corest.com

    COMMENTS
    ========
    This is my first post to Bugtraq, be nice to me...

    Regards,
    Mattias

    surre1hotmail.com
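
A detection sketch for the crash signature in the debug output quoted above, added here as an example and not part of the original post or of ProFTPD: it flags a LIST argument containing 11 or more consecutive '/' and marks it when "ProFTPD terminating (signal 11)" follows shortly after. The function name, the 10-line correlation window and the benign /pub lines are assumptions, and the input is assumed to be a single session's debug stream, as in the post.

```python
import re

SLASHES = "/" * 11  # the trigger length reported in the post

# Debug lines as quoted in the post, preceded by a constructed benign listing.
SAMPLE_LOG = [
    "dispatching PRE_CMD command 'LIST /pub' to mod_core",   # constructed
    "dispatching CMD command 'LIST /pub' to mod_ls",         # constructed
    f"dispatching PRE_CMD command 'LIST {SLASHES}' to mod_core",
    f"dispatching CMD command 'LIST {SLASHES}' to mod_ls",
    "active data connection opened - local : 127.0.0.1:20",
    "active data connection opened - remote : 127.0.0.1:1286",
    "in dir_check_full(): path = '/', fullpath = '/home/ftp/'.",
    "ProFTPD terminating (signal 11)",
]

# search() is used throughout so timestamp or PID prefixes do not break matching.
CMD_RE = re.compile(r"dispatching CMD command 'LIST (?P<arg>[^']*)' to mod_ls")
CRASH_RE = re.compile(r"ProFTPD terminating \(signal 11\)")
SLASH_RUN_RE = re.compile(r"/{11,}")


def scan_debug_log(lines, window=10):
    """Return one finding per suspicious LIST, with a flag for a following SEGV."""
    findings = []
    pending = None  # line number of the last suspicious LIST still awaiting a crash
    for lineno, line in enumerate(lines, 1):
        cmd = CMD_RE.search(line)
        if cmd:
            # A new LIST ends correlation for the previous one.
            pending = None
            if SLASH_RUN_RE.search(cmd.group("arg")):
                findings.append(
                    {"line": lineno, "arg": cmd.group("arg"), "crashed": False}
                )
                pending = lineno
            continue
        if pending and CRASH_RE.search(line) and lineno - pending <= window:
            findings[-1]["crashed"] = True
            pending = None
    return findings


if __name__ == "__main__":
    for finding in scan_debug_log(SAMPLE_LOG):
        print(finding)
```

A finding with crashed set to False still shows the request pattern reaching mod_ls, which is worth reviewing on servers not yet upgraded to 1.2.5rc1.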