dear bugtraq'ers,

i must confess that the information i provided wrt the acclaimed DoS exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was not fully accurate. the package *does in fact contain a buggy daemon* despite having been fixed, according to the changelog:

  proftpd (1.2.0pre10-2.0potato1) stable; urgency=high
    * Non-Maintainer upload.
--->* Applied patch against string format buffer attack.
  [...]

here's the result of my research: the ftproot, against which i tested the daemon when i replied to the original bugtraq post, was way too small to cause the server to break a sweat on the recursion attack

  ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

i now tested the daemon against a new ftproot, 20Gb in size with a total of 6588 directories, and it does in fact appear to hang, consuming memory in excess of 100Mb, and loitering in the processor queue. nevertheless, the proftpd parent process happily served another 99 sessions at no noticeable speed degradation. and, after 23 minutes, the berserk proftpd process returned and surrendered the resources (the ftp session had timed out after 5 minutes already).

the suggested temporary fix is to add the option

  DenyFilter \*.*/

to /etc/proftpd.conf. however, despite common belief, Debian's proftpd package 1.2.0pre10-2.0potato1 *does not* contain this option and is thus vulnerable to the extent that this is a severe vulnerability.

i don't think it's necessary to discuss this; the daemon as packaged by debian is buggy and that has to be fixed. but i hope i was able to give you some more information on the extent of the exploit. i will do my best to push a fixed package into the APT archive at security.debian.org as soon as possible.

regards,

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

"with sufficient thrust, pigs fly just fine. however, this is not necessarily a good idea. it is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead." -- rfc 1925
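The following is an added illustration, not part of the post above or of proftpd itself. It makes two things from the post concrete on a small constructed directory tree: why the `ls */../*/../*` pattern explodes once the ftproot is large (every `*` that precedes a `/..` can only match a directory, so the expansion grows as directories**depth; Python's glob module is used as a stand-in for the daemon's globber, which is an assumption about how it walks the pattern), and what the suggested `DenyFilter \*.*/` line would reject (ProFTPD's DenyFilter takes a regex applied to command arguments; Python's re module is used to model it). The tree sizes and argument strings are constructed here for the demo, and the figure for the post's 6588-directory ftproot assumes, for illustration only, that all of those directories sit directly under the root.

```python
"""Added illustration of the proftpd glob-recursion DoS and the DenyFilter
workaround.  Not code from the Bugtraq post or from proftpd."""
import glob
import os
import re
import tempfile

# The DenyFilter from the thread, as a regex: a literal '*' followed,
# somewhere later in the argument, by a '/'.
DENY_FILTER = re.compile(r"\*.*/")


def denied(arg: str) -> bool:
    """True if a command argument would be rejected by `DenyFilter \\*.*/`."""
    return DENY_FILTER.search(arg) is not None


def attack_pattern(depth: int) -> str:
    """The pattern from the post: `*/../` repeated `depth` times, then `*`."""
    return "*/../" * depth + "*"


def expected_matches(n_dirs: int, n_root_entries: int, depth: int) -> int:
    """Closed form for the number of paths the pattern expands to.

    Each of the `depth` leading `*` components has to be a directory (the
    `..` after it must be traversed through it), so each contributes a
    factor n_dirs; every `*/..` prefix lands back in the root, so the
    trailing `*` matches each non-hidden root entry once more.
    """
    return n_dirs ** depth * n_root_entries


def build_tree(root: str, n_dirs: int, n_files: int) -> None:
    """Constructed sample ftproot: n_dirs empty subdirectories, n_files files."""
    for i in range(n_dirs):
        os.mkdir(os.path.join(root, f"d{i}"))
    for i in range(n_files):
        with open(os.path.join(root, f"f{i}.txt"), "w"):
            pass


def count_glob_matches(n_dirs: int, n_files: int, depth: int) -> int:
    """Actually expand the attack pattern on a small constructed tree.

    Python's glob is used as a stand-in for proftpd's globber (assumption).
    """
    with tempfile.TemporaryDirectory() as root:
        build_tree(root, n_dirs, n_files)
        previous = os.getcwd()
        os.chdir(root)  # the pattern is relative, like an ftp session's cwd
        try:
            return len(glob.glob(attack_pattern(depth)))
        finally:
            os.chdir(previous)


if __name__ == "__main__":
    # 3 dirs + 2 files, three levels of */..: 3**3 * 5 = 135 paths, both ways.
    print("small tree:", count_glob_matches(3, 2, 3), expected_matches(3, 5, 3))
    # The post's figures, 6588 directories and 12 levels of */.. (13 stars),
    # assuming all directories are direct children of the ftproot: even
    # counting a single root entry at the end this exceeds 10**45 paths.
    print("post's ftproot (lower bound):", expected_matches(6588, 1, 12))
    for arg in ("*/../*/../*", "*/", "*.txt", "pub/incoming"):
        print(f"{arg!r:16} denied={denied(arg)}")
```

Note that `\*.*/` only triggers on arguments that contain a `*` somewhere before a `/`, so plain `ls *.txt` or `ls pub/incoming` still work; the intent of the filter is exactly to stop a wildcard from being followed by a path traversal, which is what the recursion attack relies on.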