Date: Thu, 15 Mar 2001 22:30:24 +0000
From: The Flying Hamster <[email protected]>
To: [email protected]
Subject: [SECURITY] DoS vulnerability in ProFTPD
ProFTPD Bug ID: 1066
(http://bugs.proftpd.org/show_bug.cgi?id=1066)
Versions affected:
ProFTPD 1.2.1 is vulnerable. Earlier versions are also believed to be
affected.
Problem commands:
Problem commands include:
ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/
ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/
Other commands of this style may also cause the same behavior; the exact
commands listed here are not necessary to trigger.
Effect:
The daemon process starts to consume all CPU and memory resources
available to it. Multiple simultaneous instances will result in faster
depletion of resources, causing either the daemon process or the server
to crash.
Fix / Workaround:
A patch against the 1.2.1 source is currently being worked on. However,
given the nature of the problem and the lack of time given between
notification and publication of the vulnerability, it is not ready for
release yet.
Until a more permanent fix is ready, we recommend adding the following
directive in the <Global> context which should catch most variants of this
problem.
DenyFilter \*.*/
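The advisory says the DenyFilter above "should catch most variants" of the problem. The following added check, which is not part of the original advisory or of the ProFTPD project, applies that same pattern to the three problem arguments quoted above and to some constructed benign arguments, so an administrator can see what the filter rejects and what it lets through. ProFTPD evaluates DenyFilter as a POSIX regular expression against each command's arguments; Python's re module is used here as a stand-in, on the assumption that the two engines agree for this simple pattern. The sample arguments other than the three from the advisory are constructed for illustration.

```python
import re

# The directive from the advisory: DenyFilter \*.*/
# A literal '*' followed by anything, followed by a '/'. ProFTPD rejects any
# command whose argument matches. Assumption: Python's re search semantics
# match ProFTPD's unanchored POSIX regexec for this pattern.
DENY_FILTER = r"\*.*/"
_deny_re = re.compile(DENY_FILTER)

# The three problem arguments quoted in the advisory.
PROBLEM_ARGS = [
    "*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*",
    "*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/",
    ".*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/",
]

# Constructed sample arguments an ordinary user might send with LIST/NLST.
BENIGN_ARGS = [
    "",
    "-la",
    "pub",
    "pub/*.tar.gz",
    "incoming/",
]

# Constructed harmless argument the filter nevertheless rejects: a wildcard
# path component with a further component after it. This is the cost of the
# workaround; users who rely on such globs will see their commands refused.
COLLATERAL_ARG = "pub/*/README"


def is_denied(arg: str) -> bool:
    """True if ProFTPD with this DenyFilter would reject an argument `arg`."""
    return _deny_re.search(arg) is not None


def classify(args):
    """Map each argument to the filter's verdict, 'deny' or 'allow'."""
    return {a: ("deny" if is_denied(a) else "allow") for a in args}


def filter_report():
    """Summarise what the advisory's DenyFilter catches and lets through."""
    return {
        "problem_denied": all(is_denied(a) for a in PROBLEM_ARGS),
        "benign_allowed": all(not is_denied(a) for a in BENIGN_ARGS),
        "collateral_denied": is_denied(COLLATERAL_ARG),
    }


if __name__ == "__main__":
    verdicts = classify(PROBLEM_ARGS + BENIGN_ARGS + [COLLATERAL_ARG])
    for arg, verdict in verdicts.items():
        print(f"{verdict:5s}  {arg!r}")
    print(filter_report())
```

Running the script shows all three advisory arguments denied, plain listings and single-level globs such as pub/*.tar.gz allowed, and a glob followed by another path component (pub/*/README) denied as collateral. Before deploying the directive, run your own users' typical arguments through the same check so you know which legitimate commands the workaround will refuse.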
We also recommend that the daemon process is started with appropriate
ulimits set to control the system resources that can be utilized by the
running daemon. This should help in maintaining a viable server
regardless of attacks being made. The development team is looking into
modifying ProFTPD to provide native ulimit functionality.
Summary:
The ProFTPD development team is aware of this issue and will be
looking into providing a proper patch shortly. Details of any patch
or new version will be released on http://www.proftpd.org/.
Additionally, the administrators of ftp.proftpd.org would like to thank
Frank Denis for testing his theory about the vulnerability by launching a
denial of service attack against that server, causing it to become
unavailable for a period of time.
All security issues regarding ProFTPD should be directed to
[email protected]. Details on the mailing lists for the ProFTPD
Project can be found at http://www.proftpd.org/
--
The Flying Hamster <[email protected]> http://hamster.wibble.org/
Everyone who visits a psychiatrist should have his head examined.