Bugtraq mailing list archives

Re: ProFTPD 1.2.0 Memory leakage - denial of service


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Thu, 21 Dec 2000 17:29:43 +0100

On Wed, 20 Dec 2000, Piotr Zurawski wrote:

This is sample code to demonstrate effects of memory leak in ProFTPD
daemon. As far as I know all available versions up to date
(19.12.2000) are vulnerable to this.

Heheh....

        for(loop=0;loop<HOWMANY;loop++)
        {
        sprintf(snd, "SIZE /dadasjasojdasj/adhjaodhahasohasaoihroaha");
        write(fd, snd, strlen(snd));
        }

You are not sending newline characters at the end of each line. In fact,
you are sending a really huge one-line command (this line will be broken
into separate lines on the other side, but only the first line will start
with the "SIZE ..." command in most cases).

Btw. you might want to test such code against other services, IIRC some
services are vulnerable to very-long-input-line DoS (by memory exhaustion)
as long as they are not implementing reasonable timeouts and limits.

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
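
Added example, not part of the original message or of ProFTPD's code: a server-side line reader that enforces the kind of input-line limit the reply mentions, so an unterminated command stream cannot grow memory per connection. MAX_LINE, the struct and the function names are assumptions for illustration; timeouts are not shown.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 512  /* assumed cap on one command line, not ProFTPD's value */

struct line_reader {
    char   buf[MAX_LINE + 1];  /* fixed size: per-connection memory is bounded */
    size_t used;               /* bytes of the current, unfinished line */
    char   last[MAX_LINE + 1]; /* most recent complete line, NUL-terminated */
};

void lr_init(struct line_reader *lr) { memset(lr, 0, sizeof *lr); }

/* Feed bytes as they arrive from read()/recv(). Returns the number of
 * complete lines in this chunk, or -1 once the current line exceeds
 * MAX_LINE without a newline; the caller then closes the connection. */
int lr_feed(struct line_reader *lr, const char *data, size_t len)
{
    int lines = 0;
    for (size_t i = 0; i < len; i++) {
        char c = data[i];
        if (c == '\n') {
            /* FTP commands end in CRLF: drop the CR if present */
            if (lr->used > 0 && lr->buf[lr->used - 1] == '\r')
                lr->used--;
            memcpy(lr->last, lr->buf, lr->used);
            lr->last[lr->used] = '\0';
            lr->used = 0;
            lines++;
        } else {
            if (lr->used >= MAX_LINE)
                return -1;     /* over-long line: refuse, never grow */
            lr->buf[lr->used++] = c;
        }
    }
    return lines;
}

int main(void)
{
    struct line_reader lr;
    const char *flood = "SIZE /constructed/path"; /* constructed, no newline */
    int rc = 0, writes = 0;
    lr_init(&lr);
    while (rc >= 0) { rc = lr_feed(&lr, flood, strlen(flood)); writes++; }
    printf("rejected after %d unterminated writes\n", writes);
    return 0;
}
```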

