Bugtraq mailing list archives
Re: Solaris ftpd D.O.S.
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 20 Jan 1998 22:15:06 +0100
When the in.ftpd was left in this "hung" state, I did a "truss -p", which revealed that ftpd keeps on read(2)ing zero bytes from the network socket in a tight loop, hence the CPU time consumed. The most plausible scenario (without any kind of access to the source code) is that the client telnet, when receiving SIGINT/QUIT, creates an "exception" condition in the receiving socket, which is not examined as it should be by ftpd. The next kill is bogus, you might just as well shut down the telnet connection (^]-close - tried it out successfully). It just creates an EOF condition on ftpd's input, which is not handled appropriately. The whole thing is that telnet is able to relay the INT/QUIT signals whereas the ftp client is not. Such bugs may exist in all TELNET-based protocol servers.
The simple truth is that the Solaris FTP server tries to be clever about handling telnet options in the FTP command channel; unfortunately, the code has a bad bug, as you have noticed.

Casper
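The symptom reported in this thread (read(2) returning zero bytes over and over) is what a command loop does when it does not treat a 0-byte read as end-of-file. The C sketch below is an added example, not Solaris ftpd source and not code from either poster; the function names, the `SPIN_CAP` guard and the socketpair test input are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define SPIN_CAP 1000 /* demo-only cap so the flawed loop terminates */

/* Constructed input: a socket holding one command whose peer has closed. */
static int closed_peer_socket(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (write(sv[1], "NOOP\r\n", 6) != 6) { close(sv[0]); sv[0] = -1; }
    close(sv[1]); /* the client goes away: reader will see EOF */
    return sv[0];
}

/* Flawed: a 0-byte read is retried, so EOF spins. Returns read() calls made. */
static int flawed_reader(int fd)
{
    char buf[256];
    int calls = 0;
    while (calls < SPIN_CAP) {
        ssize_t n = read(fd, buf, sizeof buf);
        calls++;
        if (n < 0 && errno != EINTR)
            break; /* only hard errors end the loop; n == 0 loops again */
    }
    return calls;
}

/* Careful: 0 bytes means the peer closed; stop and report it. */
static int careful_reader(int fd, int *saw_eof)
{
    char buf[256];
    int calls = 0;
    for (*saw_eof = 0;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        calls++;
        if (n == 0) { *saw_eof = 1; break; }
        if (n < 0 && errno != EINTR) break;
        /* n > 0: command bytes would be parsed here */
    }
    return calls;
}

int main(void)
{
    int eof, a = closed_peer_socket(), b = closed_peer_socket();
    int spun = flawed_reader(a), ok = careful_reader(b, &eof);
    printf("flawed: %d reads; careful: %d reads, eof=%d\n", spun, ok, eof);
    close(a); close(b);
    return 0;
}
```

Without the cap, the flawed loop never exits once the peer has closed, which matches the CPU consumption seen under truss.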