Vulnerability Development mailing list archives

RE: aix ftpd


From: "David Barroso" <david_b () attglobal es>
Date: Fri, 30 Nov 2001 10:30:46 +0100

In AIX 4.3.3:

220 MPN FTP server (Version 4.1 Mon Jul 26 19:58:48 CDT 1999) ready.
Name (194.194.204.77:david): 
331 Password required for david.
Password: 
230 User david logged in.
ftp> ls ~{         
200 PORT command successful.
550 Unknown user name after ~
ftp> ls ~{
200 PORT command successful.
550 Unknown user name after ~
ftp> ls ~{     
200 PORT command successful.
550 Unknown user name after ~
ftp> ls ~{
200 PORT command successful.
550 Unknown user name after ~
ftp> ls ~{
200 PORT command successful.
550 Unknown user name after ~
ftp> ls
200 PORT command successful.
150 Opening data connection for ..
.profile
.sh_history
226 Transfer complete.
ftp> 

There are no problems here.

Regards

-----Original Message-----
From: alex medvedev [mailto:alexm () synthesys com]
Sent: 29 November 2001 23:02
To: vuln-dev () securityfocus com
Subject: aix ftpd


hallo,

aix ftpd does strange things when supplied the notorious globbing pattern.
although it does not crash,
if you repeatedly run "ls ~{" it produces different results:

$ ftp aix5.1-ml01
Connected to aix.machine.com.
220 aix5.1 FTP server (Version 4.1 Tue May 29 11:57:21 CDT 2001) ready.
Name (aix5.1:alexm):
331 Password required for alexm.
Password:
230 User alexm logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,211)
550 Unknown user name after ~
ftp> ls ~{
150 Opening data connection for /bin/ls.
Passive mode refused.
ftp> ls ~{
226 Transfer complete.
ftp: connect: Connection refused
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,212)
227 Entering Passive Mode (10,0,32,2,128,213)
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,214)
550 Unknown user name after ~
ftp> ls ~{
150 Opening data connection for /bin/ls.
Passive mode refused.
ftp> ls ~{
226 Transfer complete.
ftp: connect: Connection refused
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,215)
550 Unknown user name after ~
ftp> ls ~{
150 Opening data connection for /bin/ls.
Passive mode refused.
ftp> ls ~{
226 Transfer complete.
ftp: connect: Connection refused

moreover, after running "ls ~{" once and getting any error message --> you
can not run any commands and will get a connection refused message. after
several attempts the functionality restores. Example:

ftp> ls
227 Entering Passive Mode (10,0,32,2,128,250)
150 Opening data connection for /bin/ls.
total 46797
-rw-------   1 root     system           15 Nov 07 14:38 .bash_history
-rwxr-----   1 alexm    staff           254 Nov 07 14:02 .profile
-rw-------   1 alexm    staff          1458 Nov 08 10:10 .sh_history
drwx------   2 alexm    staff           512 Nov 07 14:04 .ssh
drwxr-xr-x  28 alexm    staff          3584 Nov 08 08:35 perl-5.6.1
-rw-r--r--   1 alexm    staff      23951360 Nov 07 14:04 stable.tar
226 Transfer complete.
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,251)
550 Unknown user name after ~
ftp> ls
150 Opening data connection for /bin/ls.
Passive mode refused.
ftp> ls
226 Transfer complete.
ftp: connect: Connection refused
ftp> ls
227 Entering Passive Mode (10,0,32,2,128,252)
150 Opening data connection for /bin/ls.
total 46797
-rw-------   1 root     system           15 Nov 07 14:38 .bash_history
-rwxr-----   1 alexm    staff           254 Nov 07 14:02 .profile
-rw-------   1 alexm    staff          1458 Nov 08 10:10 .sh_history
drwx------   2 alexm    staff           512 Nov 07 14:04 .ssh
drwxr-xr-x  28 alexm    staff          3584 Nov 08 08:35 perl-5.6.1
-rw-r--r--   1 alexm    staff      23951360 Nov 07 14:04 stable.tar
226 Transfer complete.

i did not have time to mess with it enough,
just thought it was interesting (hi, troy :) )

-alexm
__________________________________________
panic("Aiee, killing interrupt handler!");
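
An added example, not part of either post: a small Python checker that splits an `ftp` client transcript at each `ftp>` prompt and labels every passive-mode `ls` by the reply codes printed for it, so the run of mismatched replies that follows `ls ~{` stands out in a captured session. The function names are hypothetical, and the sample transcript is constructed on the pattern of the passive-mode session quoted above.

```python
import re

# Added example: helper names are hypothetical; SAMPLE is a constructed transcript.
SAMPLE = """\
ftp> ls
227 Entering Passive Mode (10,0,32,2,128,250)
150 Opening data connection for /bin/ls.
226 Transfer complete.
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,251)
550 Unknown user name after ~
ftp> ls
150 Opening data connection for /bin/ls.
Passive mode refused.
ftp> ls
226 Transfer complete.
ftp: connect: Connection refused
ftp> ls
227 Entering Passive Mode (10,0,32,2,128,252)
150 Opening data connection for /bin/ls.
226 Transfer complete.
"""

PROMPT = re.compile(r"^ftp> ?(.*)$")
REPLY = re.compile(r"^(\d{3})[ -]")  # a listed file named like "123 x" would also match

def split_commands(transcript):
    """Return [(command, [reply codes printed before the next prompt])]."""
    commands = []
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m:
            commands.append((m.group(1).strip(), []))
        elif commands and (r := REPLY.match(line)):
            commands[-1][1].append(int(r.group(1)))
    return commands

def classify(codes):
    """Label one passive-mode listing by its reply-code sequence."""
    if codes == [227, 150, 226]:
        return "ok"
    if len(codes) == 2 and codes[0] == 227 and 500 <= codes[1] < 600:
        return "rejected"
    return "out_of_sequence"  # anything else: replies do not fit this command

def report(transcript):
    return [(cmd, classify(codes)) for cmd, codes in split_commands(transcript)
            if cmd.split()[:1] == ["ls"]]
```
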



