Vulnerability Development mailing list archives
Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability (-> ftp client buffer overflow)
From: Ciprian Csordas <security.focus () wye cjb net>
Date: 05 Dec 2001 13:31:25 +0200
Hello,

This is an ftp client problem for sure. I confirm that the ftp client in
Mandrake Linux 8.1 receives SIGSEGV using the "ls ls ~{" sequence:

=====================================================================
[wye@wye wye]$ gdb `which ftp`
GNU gdb 20010625
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-mandrake-linux"...(no debugging symbols found)...
(gdb) r ftp.xxxxx.xxx
Starting program: /usr/bin/ftp ftp.xxxxx.xxx
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Connected to ftp.xxxxx.xxx.
220 xxxxx.xxxxx.xxx FTP server (Version wu-2.6.1-0.6x.21) ready.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (ftp.xxxxx.xxxls:wye): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230 - [...snip...]
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ls ~{
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x401b3780 in strcmp () from /lib/libc.so.6
(gdb) quit
The program is running.  Exit anyway? (y or n) y
[wye@wye wye]$ uname -a
Linux wye.xxxxx.xxx 2.4.8-12mdk #1 Fri Aug 24 16:18:19 CEST 2001 i686 unknown
=========================================================================

I am not sure if this can be exploited (probably not), but for sure
something IS WRONG.
Unfortunately, I don't have the time for it ...

Using ncftp nothing weird happens:

====================================================================
[wye@wye wye]$ ncftp ftp.xxxxx.xxx
NcFTP 3.0.4 (October 25, 2001) by Mike Gleason (ncftp () ncftp com).
Connecting to ftp.xxxxx.xxxxx(xxx.xxx.xxx.xxx)...
xxxxxx.xxxxxx.xxx FTP server (Version wu-2.6.1-0.6x.21) ready.
Logging in...
[...snip...]
Guest login ok, access restrictions apply.
Logged in to ftp.xxxxx.xxx.
ncftp / > ls ls ~{
List failed.
==============================================

This seems OK to me.

C ya,
Wye <post456456233 () wye cjb net>

On Wed, 2001-12-05 at 03:17, ARAI Yuu wrote:
Hello,

I think this could be quite important, but unfortunately I do not have
the skills to audit the source code for an ftp server; so I'll leave
that to the pros.

I don't know whether this is related to your issue or not, but I noticed
last week that /usr/bin/ftp on Solaris will fail when a user sends a
request such as "get ~{". This is just a bug on the client side, not a
vulnerability on the server side.

Reproduction:
=============
$ uname -a
SunOS puppet 5.7 Generic_106542-18 i86pc i386 i86pc
$ ftp localhost
Connected to localhost.
220 ProFTPD 1.2.4 Server (ProFTPD Default Installation) [puppet]
Name (localhost:arai): arai
331 Password required for arai.
Password:
230 User arai logged in.
ftp> get ~{
Segmentation Fault - core dumped
<snip>
# file ./core/core.ftp.25184
./core/core.ftp.25184: ELF 32-bit LSB core file 80386 Version 1, from 'ftp'
#

And I confirmed "ls ls ~{" will cause the same SIGSEGV.
================
$ ftp localhost
Connected to localhost.
220 ProFTPD 1.2.4 Server (ProFTPD Default Installation) [puppet]
Name (localhost:arai): arai
331 Password required for arai.
Password:
230 User arai logged in.
ftp> ls ls ~{
Segmentation Fault - core dumped
<snip>
# file ./core/core.ftp.25194
./core/core.ftp.25194: ELF 32-bit LSB core file 80386 Version 1, from 'ftp'

Regards,
-----------------------------------------------
ARAI Yuu <y.arai () lac co jp>
Network Security Specialist / LAC Computer Security Laboratory
http://www.lac.co.jp/security/
Current thread:
- ProFTPD 1.2.2rc3 Remote Server Vulnerability smackenz (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability KF (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability Alex Butcher (vuln-dev) (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability scott (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability ARAI Yuu (Dec 04)
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability (-> ftp client buffer overflow) Ciprian Csordas (Dec 05)
- <Possible follow-ups>
- Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability U dong-houn (Dec 05)