Re: ProFTPD - Problems in file globbing, gives segmentation fault.

Mattias _ wrote:
> AFFECTED VERSIONS
> =================
> ProFTPD 1.2.4
> ProFTPD 1.2.2rc3
> (Others may be affected as well.)
> 
> SYSTEMS
> =======
> This is tested on Slackware 8.
> 
> IMPACT
> ======
> The ftpd-child dies with signal 11 (SEGV), but the server stays up.
> The question is if it’s possible to do something nasty with this!?

I'm running ProFTPD 1.2.2 under OpenBSD 2.8.

The following happened when I tried it locally:

<snip>
Connected to localhost.
220 FTP Server ready.
Name (localhost:maxx): 
331 Password required for maxx.
Password:
230 User maxx logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ////////////////////////////
500 EPSV not understood.
227 Entering Passive Mode (127,0,0,1,134,172).
150 Opening ASCII mode data connection for file list

^C
receive aborted
waiting for remote to finish abort.
421 Service not available, remote server has closed connection.
</snip>

The logs show the following many times:

Dec 20 01:27:13 phoenix proftpd in free(): warning: modified (chunk-) pointer.
Dec 20 01:27:13 phoenix proftpd in free(): warning: junk pointer, too high to make sense.
Dec 20 01:27:13 phoenix proftpd in free(): warning: junk pointer, too low to make sense.

Neither the server nor the child died. After getting disconnected, the child
process was still there and I had to kill -9 it. While it was running,
the computer showed symptoms of 100% CPU usage. Everything became pretty
slow, but not unusable (no real DoS). After killing the child,
everything went back to normal.

I wasn't able to remotely reproduce this behavior. Here's what happened
when using the Win2000 command line ftp from another box:

<snip>
230 Anonymous access granted, restrictions apply.
ftp> ls ////////////////////////////
200 PORT command successful.
150 Opening BINARY mode data connection for file list.
/////////////////////////////uploads
/////////////////////////////welcome.msg
/////////////////////////////pub
/////////////////////////////tmp
226 Transfer complete.
FTP: 148 Bytes empfangen in 0,07Sekunden 2,11KB/s
</snip>

This time, nothing weird happened.

I hope this is of some use to you.


Moritz

-- 
_______________________________________________________________________
"They who would give up an essential liberty for temporary security,
deserve   neither   liberty   or   security"  -  Benjamin   Franklin
