Bugtraq mailing list archives

Re: ftpd: the advisory version


From: djb () CR YP TO (D. J. Bernstein)
Date: Mon, 10 Jul 2000 20:11:00 -0000


1. Surely there are other people still wondering about proftpd. Can an
attacker take over proftpd 1.2.0pre10? CERT seems to say yes, but the
maintainer says ``relatively minor.'' What's the deal?

2. I agree that setproctitle() is rather pointless. My comments were
about all functions with printf()-type format strings. Typical strings
should fail as format strings.

3. I've added a section to http://cr.yp.to/ftp/security.html on use of
PASV in existing clients. If you have any updates, let me know. Please
include version numbers.

4. I have been unable to verify the rumor of PASV-ignorant servers. Can
anyone show me some IP addresses of such servers? Every PASV failure
that I've tracked down turned out to be a firewall misconfiguration.

5. Several people asked about preventing memory leaks. The trick is a
new type of variable that either equals 0 or points to a dynamically
allocated region of memory. The deallocation routine frees the region if
the variable is nonzero, then sets the variable to 0. The allocation
routine first calls the deallocation routine.

For most programs, these variables are all in the data segment (static).
You can put them into the heap segment (dynamically allocated), in which
case the allocation routine that makes space for the variables is
required to set them to 0, and the deallocation routine is required to
recursively deallocate the variables. This safely handles any dynamic
allocation tree, with no need for garbage collection.

---Dan
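The pattern from item 5, sketched in C as an added example (not code from the original post or from the author's software). The names `region`, `node`, `live` and `demo` are hypothetical, and the `live` counter exists only so the result can be checked.

```c
#include <stdlib.h>
static int live;   /* outstanding allocations, for checking only; all names hypothetical */
typedef struct { char *p; } region;    /* p is 0 or points to malloc'd memory */

void region_free(region *r) {
    if (r->p) { free(r->p); live--; }  /* free only if nonzero ... */
    r->p = 0;                          /* ... then set the variable to 0 */
}

int region_alloc(region *r, size_t n) {
    region_free(r);                    /* allocation first calls deallocation */
    r->p = malloc(n ? n : 1);
    if (r->p) live++;
    return r->p != 0;
}

/* Heap form: the variables live inside a dynamically allocated node. */
typedef struct node { region name; struct node *child; } node;

void node_free(node **v) {
    if (*v) {
        region_free(&(*v)->name);      /* recursively deallocate the variables */
        node_free(&(*v)->child);
        free(*v); live--;
    }
    *v = 0;
}

int node_alloc(node **v) {
    node_free(v);
    *v = malloc(sizeof **v);
    if (!*v) return 0;
    live++;
    (*v)->name.p = 0; (*v)->child = 0; /* allocator must set new variables to 0 */
    return 1;
}

/* Returns the number of regions still allocated at the end (0 = no leak). */
int demo(void) {
    static region buf;                 /* static storage starts out as 0 */
    static node *root;
    for (int i = 0; i < 3; i++) if (!region_alloc(&buf, 64)) return -1;
    if (!node_alloc(&root) || !region_alloc(&root->name, 16)) return -1;
    if (!node_alloc(&root->child) || !region_alloc(&root->child->name, 16)) return -1;
    if (!node_alloc(&root)) return -1; /* re-allocating root frees the old tree */
    if (live != 2) return -1;          /* only buf and the new root remain */
    region_free(&buf); node_free(&root); node_free(&root);  /* repeat is harmless */
    return live;
}
```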

