Bugtraq mailing list archives

Re: Solaris ftpd D.O.S.

From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 20 Jan 1998 22:15:06 +0100

When the in.ftpd was left in this "hung" state, I did a "truss -p",
which revealed that ftpd keeps on read(2)ing zero bytes from the
network socket in a tight loop, hence the CPU time consumed. The
most plausible scenario (without any kind of access to the source
code) is that the client telnet, when receiving SIGINT/QUIT, creates
an "exception" condition in the receiving socket, which is not
examined as it should by ftpd. The next kill is bogus, you might
just as well shut down the telnet connection (^]-close - tried it
out successfully). It just creates an EOF condition on ftpd's input,
which is not handled appropriately.

The whole thing is that telnet is able to relay the INT/QUIT signals
whereas the ftp client is not. Such bugs may exist in all TELNET-
based protocol servers.



The simple truth is that the Solaris FTP server tries to be clever about
handlign telnet options in the FTP command channel; unfortunately, the
code has a bad bug, as you have noticed.

Casper

Current thread:

Re: GCC 2.7.? /tmp files Michael Douglass (Jan 15)
- MC shell scripts Micha? Zalewski (Jan 17)
- Re: GCC 2.7.? /tmp files Theo de Raadt (Jan 18)
  - Re: GCC 2.7.? /tmp files Perry E. Metzger (Jan 18)
- Solaris ftpd D.O.S. Stanley Stasiak (Jan 19)
  - Buffer overflow in Yapp Conferencing System... satan (Jan 20)
  - Re: Solaris ftpd D.O.S. Aggelos P. Varvitsiotis (Jan 20)
    - Re: Solaris ftpd D.O.S. Casper Dik (Jan 20)
    - SNI-23: SSH - Vulnerability in ssh-agent Secure Networks Inc. (Jan 20)
    - How to recover private keys for various Microsoft products Aleph One (Jan 20)
    - HP-UX CUE, CUD and LAND vulnerabilities Aleph One (Jan 21)
    - Re: Xserver stack smashed -- wrapper John Goerzen (Jan 21)
    - Re: Xserver stack smashed -- wrapper Pavel Kankovsky (Jan 21)