Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1

From: martin f krafft (madduck@madduck.net)
Date: 03/29/02


Date: Fri, 29 Mar 2002 22:40:02 +0100
From: martin f krafft <madduck@madduck.net>
To: bugtraq@securityfocus.com, debian security <debian-security@lists.debian.org>


dear bugtraq'ers,

i must confess that the information i provided wrt the claimed DoS
exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
not fully accurate. the package *does in fact contain a buggy daemon*,
despite having been fixed according to the changelog:

  proftpd (1.2.0pre10-2.0potato1) stable; urgency=high

    * Non-Maintainer upload.
--->* Applied patch against string format buffer attack.
  [...]

here's the result of my research:

the ftproot against which i tested the daemon when i replied to the
original bugtraq post was way too small to cause the server to break
a sweat on the recursion attack:

  ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

i now tested the daemon against a new ftproot, 20 GB in size with
a total of 6588 directories, and it does in fact appear to hang,
consuming memory in excess of 100 MB and loitering in the processor
queue.

nevertheless, the proftpd parent process happily served another 99
sessions with no noticeable speed degradation. and, after 23 minutes,
the berserk proftpd process returned and surrendered the resources
(the ftp session had already timed out after 5 minutes).

the suggested temporary fix is to add the option

  DenyFilter \*.*/

to /etc/proftpd.conf. however, despite common belief, Debian's
proftpd package 1.2.0pre10-2.0potato1 *does not* contain this option
and is thus vulnerable, to the extent that this is a severe
vulnerability.

i don't think it's necessary to discuss this; the daemon as packaged
by debian is buggy and that has to be fixed. but i hope i was able to
give you some more information on the extent of the exploit. i will
do my best to push a fixed package into the APT archive at
security.debian.org as soon as possible.

regards,

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
  
"with sufficient thrust, pigs fly just fine. however, this is not
 necessarily a good idea. it is hard to be sure where they are going to
 land, and it could be dangerous sitting under them as they fly
 overhead."
                                                           -- rfc 1925
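An added example, not part of the post above, that models the two things the post describes: why the `*/../*/../*` argument makes the daemon do an explosive amount of work, and what the suggested `DenyFilter \*.*/` does and does not reject. The directory tree is constructed in memory (a flat ftproot with a handful of empty subdirectories, an assumption), `expand()` is a simplified model of a libc glob() written for this illustration rather than proftpd's code, and Python's re module stands in for the POSIX regex matcher ProFTPD applies to DenyFilter.

```python
import re

# The DenyFilter regex from the post, as it would be written in
# /etc/proftpd.conf. ProFTPD matches DenyFilter (a POSIX regular
# expression) against the argument of every command and rejects the
# command on a match; Python's re module stands in for that matcher.
DENY_FILTER = re.compile(r"\*.*/")

# The argument from the post: a '*' followed by repeated '/../*' hops.
ATTACK_ARG = "*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*"


def denied(arg):
    """True if DenyFilter would reject this command argument."""
    return DENY_FILTER.search(arg) is not None


def make_flat_tree(n_dirs):
    """Constructed ftproot (assumption): n_dirs empty subdirectories."""
    return {"dir%03d" % i: {} for i in range(n_dirs)}


def _lookup(tree, path):
    node = tree
    for comp in path:
        node = node[comp]
    return node


def expand(tree, pattern):
    """Expand a pattern made of '*', '..' and literal components against
    an in-memory tree one component at a time, the way a libc glob()
    does. Every matched path is returned as a tuple, duplicates included:
    each '..' sends every candidate back to its parent and the next '*'
    re-lists that same directory once per candidate, so the number of
    candidates multiplies by the directory count at every '*'. The root
    is treated as its own parent, as inside an FTP chroot."""
    frontier = [()]
    for comp in pattern.split("/"):
        nxt = []
        for path in frontier:
            if comp == "..":
                nxt.append(path[:-1])
            elif comp == "*":
                node = _lookup(tree, path)
                nxt.extend(path + (name,) for name in sorted(node))
            elif comp in _lookup(tree, path):
                nxt.append(path + (comp,))
        frontier = nxt
    return frontier


def expansion_cost(n_dirs, pattern):
    """Number of paths the pattern expands to over a flat ftproot with
    n_dirs subdirectories: one factor of n_dirs per '*' component."""
    return n_dirs ** pattern.count("*")


if __name__ == "__main__":
    tree = make_flat_tree(4)
    for p in ("*", "*/../*", "*/../*/../*"):
        print("%-14s -> %d paths" % (p, len(expand(tree, p))))
    # The post's ftproot had 6588 directories; the attack argument has
    # one factor of 6588 per '*', which is why the daemon never finishes.
    print("attack over 6588 dirs: %d paths" % expansion_cost(6588, ATTACK_ARG))
    for arg in (ATTACK_ARG, "*/", "*.txt", "pub/incoming"):
        print("%-12s denied=%s" % (arg[:12], denied(arg)))
```

The last loop shows the filter's scope: `\*.*/` rejects any argument in which a `*` is followed, anywhere later, by a `/`, so the recursion argument and even a bare `*/` are refused, while `ls *.txt` or a plain path still work. An argument that climbs with `..` but uses no `*` is also not caught, which is fine here because only the wildcard multiplies the work.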
