

ProFTPD - Problems in file globbing, gives segmentation fault.


Date: Wed, 19 Dec 2001 14:22:40 +0100
From: Mattias _ <surre1@hotmail.com>
To: bugtraq@securityfocus.com
Subject: ProFTPD - Problems in file globbing, gives segmentation fault.

SUMMARY
=======
A problem in handling file globbing exists in the current version of ProFTPD
1.2.4 (but it's fixed in the Candidate version: 1.2.5rc1). This
is very similar to the wu-ftpd bug (ls ~{) and occurs when you issue
the command: ls /////////// (11 or more /). I haven't figured out if
it's exploitable. That's why I post it to you guys. :-)

AFFECTED VERSIONS
=================
ProFTPD 1.2.4
ProFTPD 1.2.2rc3
(Others may be affected as well.)

SYSTEMS
=======
This is tested on Slackware 8.

IMPACT
======
The ftpd child dies with signal 11 (SEGV), but the server stays up.
The question is if it's possible to do something nasty with this!?

DETAILS
=======
The segmentation fault occurs when the server tries to free
unallocated memory with a free() function, and it could be a heap
corruption vulnerability. The SEGV occurs in the file lib/glibc-glob.c, in the
function void globfree (pglob).

Here is how I tested it.
Log in as ftp (anonymous) and issue the command:
ftp> ls ///////////
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
421 Service not available, remote server has closed connection
ftp>

And the debug messages read (proftpd -n -d 5):
dispatching PRE_CMD command 'LIST ///////////' to mod_core
dispatching CMD command 'LIST ///////////' to mod_ls
active data connection opened - local : 127.0.0.1:20
active data connection opened - remote : 127.0.0.1:1286
in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
ProFTPD terminating (signal 11)

VENDOR RESPONSE
===============
This problem has been reported to the ProFTPD Bug Tracking System. It has
also been reported to security@proftpd.org, where they asked me to wait
with posting this until they release version 1.2.5rc1.

SOLUTION
========
Upgrade to version 1.2.5rc1.

REFERENCES
==========
ProFTPD (Get the latest version)
http://www.proftpd.org

ProFTPD Bug Tracking System (Where it was first reported):
http://bugs.proftpd.org/show_bug.cgi?id=1426

Information about the wu-ftpd problem:
http://www.corest.com

COMMENTS
========
This is my first post to Bugtraq, be nice to me...

Regards,
Mattias

surre1@hotmail.com
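
Added example, not part of the original post and not ProFTPD code: a log check that flags the crash signature quoted in the message, a child terminating on a signal right after a listing command whose argument contains 11 or more consecutive slashes. It assumes the debug line formats shown above and one session per log stream (as with proftpd -n); the function name, the sample log and the inclusion of NLST are assumptions.

```python
import re

# Patterns follow the debug lines quoted in the post (proftpd -n -d 5).
CMD_RE = re.compile(r"dispatching CMD command '(\w+) ?(.*)' to (\w+)")
CRASH_RE = re.compile(r"ProFTPD terminating \(signal (\d+)\)")
SLASH_RUN = re.compile(r"/{11,}")   # threshold from the post: 11 or more '/'
LISTING_CMDS = {"LIST", "NLST"}     # NLST is an assumption; the post shows only LIST

# Constructed sample: one ordinary listing, then the sequence from the post.
SAMPLE_LOG = """\
dispatching PRE_CMD command 'LIST /pub' to mod_core
dispatching CMD command 'LIST /pub' to mod_ls
dispatching PRE_CMD command 'LIST ///////////' to mod_core
dispatching CMD command 'LIST ///////////' to mod_ls
in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
ProFTPD terminating (signal 11)
"""


def find_glob_crashes(lines):
    """Return one finding per crash line, tied to the last command dispatched before it."""
    findings = []
    last_cmd = None  # (verb, argument) of the most recent CMD dispatch
    for lineno, line in enumerate(lines, 1):
        m = CMD_RE.search(line)
        if m:
            last_cmd = (m.group(1).upper(), m.group(2))
            continue
        c = CRASH_RE.search(line)
        if c:
            verb, arg = last_cmd if last_cmd else (None, "")
            findings.append({
                "line": lineno,
                "signal": int(c.group(1)),
                "command": verb,
                "argument": arg,
                # True only for the pattern described in the post
                "slash_run": verb in LISTING_CMDS and bool(SLASH_RUN.search(arg)),
            })
            last_cmd = None  # the session is gone; do not reuse its command
    return findings


if __name__ == "__main__":
    for f in find_glob_crashes(SAMPLE_LOG.splitlines()):
        print(f)
```

Crashes that follow other commands are still reported, with slash_run set to False, so the same pass also surfaces unrelated child terminations.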

