Bugtraq mailing list archives
Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1
From: Nic Bellamy <nic () BELLAMY CO NZ>
Date: Wed, 26 Jul 2000 13:37:40 +1200
On Tue, 25 Jul 2000, Carlos Eduardo Gorges wrote:
> All involve parse of characters for example, connects in a proftpd host and ftp> quote %999s
What you'll find is that your ftp client is interpreting the format string, and sending about 1,000 spaces to the FTP server. Try doing "quote %p" and you'll see that is truly the case, as you'll get a response similar to "500 0X8059008 not understood." You can crash it in exactly the same way with a simple "echo ' ' | nc ftp.server.dom 21".
> the children stops in segfail :-)
It segfaults when it tries to dereference a NULL pointer, due to cmd_loop() trying to dispatch_cmd() without checking that there actually *was* a command. As far as I can tell, there's no exploit potential in this.

The patch following this message solves it for me, but may not be the correct way of fixing it. Due to the nature of this bug, it's not going to hurt to wait for an official fix. MacGyver, the ProFTPd maintainer, has been CC'd this message.

Regards,
Nic.

-- Nic Bellamy <nic () bellamy co nz> Bellamy Consulting Limited.
DDI: +64-9-631-7901 Mobile: +64-21-251-8954
Internet Software & Security Consulting -- http://www.bellamy.co.nz/ --

--- proftpd-1.2.0rc1.orig/src/main.c Wed Jul 12 02:02:56 2000 +++ proftpd-1.2.0rc1/src/main.c Wed Jul 26 13:19:42 2000 @@ -1033,8 +1033,12 @@ cmd_rec *cmd; cmd = make_cmd(permanent_pool,cp); - if(cmd) { - dispatch_cmd(cmd); + if (cmd) { + if (cmd->argv[0]) { + dispatch_cmd(cmd); + } else { + send_response("500","No command specified."); + } destroy_pool(cmd->pool); } }
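Review bot: the new `cmd->argv[0]` test inside the `if (cmd)` branch guards only this one call site, so dispatch_cmd() still relies on every caller having checked for a command name; putting the check inside dispatch_cmd(), or having make_cmd() return NULL for an empty line, would cover any other path to it. The test also assumes cmd->argv is itself non-NULL whenever make_cmd() returns a record, which cannot be confirmed from the lines shown and is worth verifying. The `if(cmd)` to `if (cmd)` spacing change is unrelated to the fix and could be dropped to keep the diff minimal.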