[devel] Fw: ProFTPD - Problems in file globbing, gives segmentation fault.

Nikita Gergel fc at altlinux.ru
Wed Dec 19 21:14:16 MSK 2001



Begin forwarded message:

Date: Wed, 19 Dec 2001 14:22:40 +0100
From: "Mattias _" <surre1 at hotmail.com>
To: bugtraq at securityfocus.com
Subject: ProFTPD - Problems in file globbing, gives segmentation fault.


SUMMARY
=======
A problem in handling file globbing exists in the current version of ProFTPD
1.2.4 (but it's fixed in the release candidate version: 1.2.5rc1). This
is very similar to the wu-ftpd bug ("ls ~{") and occurs when you issue
the command: ls /////////// (11 or more '/'). I haven't figured out if
it's exploitable. That's why I post it to you guys. :-)

AFFECTED VERSIONS
=================
ProFTPD 1.2.4
ProFTPD 1.2.2rc3
(Others may be affected as well.)

SYSTEMS
=======
This is tested on Slackware 8.

IMPACT
======
The ftpd child dies with signal 11 (SEGV), but the server stays up.
The question is if it's possible to do something nasty with this!?

DETAILS
=======
The segmentation fault occurs when the server tries to free
unallocated memory with a free() call, and it could be a heap
corruption vulnerability. The SEGV occurs in the file lib/glibc-glob.c,
in the function void globfree (pglob).

Here is how I tested it.
Login as ftp(anonymous) and issue the command:
ftp> ls ///////////
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
421 Service not available, remote server has closed connection
ftp>

And the debug messages read (proftpd -n -d 5):
dispatching PRE_CMD command 'LIST ///////////' to mod_core
dispatching CMD command 'LIST ///////////' to mod_ls
active data connection opened - local : 127.0.0.1:20
active data connection opened - remote : 127.0.0.1:1286
in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
ProFTPD terminating (signal 11)

VENDOR RESPONSE
===============
This problem has been reported to the ProFTPD Bug Tracking System. It has
also been reported to security at proftpd.org, where they asked me to hold off
posting this until they release version 1.2.5rc1.

SOLUTION
========
Upgrade to version 1.2.5rc1.

REFERENCES
==========
ProFTPD (Get the latest version)
http://www.proftpd.org

ProFTPD Bug Tracking System (Where it was first reported):
http://bugs.proftpd.org/show_bug.cgi?id=1426

Information about the wu-ftpd problem:
http://www.corest.com

COMMENTS
========
This is my first post to Bugtraq, be nice to me...

Regards,
Mattias

surre1 at hotmail.com






-- 
Nikita Gergel					System Administrator
Moscow, Russia					YAUZA-Telecom
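The report above points at globfree() touching memory that glob() never allocated, triggered by a LIST argument of eleven slashes. As an added example (not ProFTPD's code, and not the fix the project shipped in 1.2.5rc1), the C program below shows the defensive glob_t handling that keeps globfree() harmless on every return path of glob(3), exercised with the advisory's exact pattern. The collapse_slashes() normalization of the client-supplied path is a hypothetical extra hardening step, not something the advisory proposes; both function names are invented for this example.

```c
/* Added example: defensive glob()/globfree() handling exercised with the
 * advisory's trigger pattern "///////////".  Not ProFTPD code. */
#include <glob.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardening step (not from the advisory): collapse runs of '/'
 * in a client-supplied path, so "///////////" becomes "/" before it reaches
 * glob().  Writes at most out_len bytes including the NUL; returns the
 * length of the normalized string. */
size_t collapse_slashes(const char *in, char *out, size_t out_len) {
    size_t n = 0;
    for (const char *p = in; *p != '\0' && n + 1 < out_len; p++) {
        if (*p == '/' && n > 0 && out[n - 1] == '/')
            continue;               /* skip the repeated slash */
        out[n++] = *p;
    }
    if (out_len > 0)
        out[n] = '\0';
    return n;
}

/* Expand PATTERN with glob(3).  The glob_t is zeroed before the call so that
 * globfree() sees gl_pathv == NULL if glob() bailed out before allocating
 * (free(NULL) is defined), and zeroed afterwards so a second globfree() on
 * the same struct cannot touch already-freed pointers.  Returns the match
 * count, 0 for GLOB_NOMATCH, -1 for any other glob() error.  If FIRST is
 * non-NULL and there is a match, the first match is copied into it. */
int safe_glob_count(const char *pattern, char *first, size_t first_len) {
    glob_t g;
    int count;

    memset(&g, 0, sizeof g);
    int rc = glob(pattern, 0, NULL, &g);
    if (rc == 0) {
        count = (int)g.gl_pathc;
        if (first != NULL && first_len > 0 && g.gl_pathc > 0)
            snprintf(first, first_len, "%s", g.gl_pathv[0]);
    } else if (rc == GLOB_NOMATCH) {
        count = 0;
    } else {
        count = -1;
    }
    globfree(&g);            /* safe for every rc because g started zeroed */
    memset(&g, 0, sizeof g); /* a stray second globfree(&g) is now a no-op */
    return count;
}

int main(void) {
    const char *raw = "///////////";   /* the advisory's 11-slash LIST argument */
    char clean[64], first[256];

    collapse_slashes(raw, clean, sizeof clean);
    printf("normalized %s -> %s\n", raw, clean);

    int n = safe_glob_count(raw, first, sizeof first);
    printf("glob(%s): %d match(es)%s%s\n", raw, n,
           n > 0 ? ", first: " : "", n > 0 ? first : "");

    n = safe_glob_count(clean, first, sizeof first);
    printf("glob(%s): %d match(es)%s%s\n", clean, n,
           n > 0 ? ", first: " : "", n > 0 ? first : "");
    return 0;
}
```

The point of the two memset() calls is that globfree() only ever sees a glob_t in one of two states, untouched (all NULL) or fully owned by the last successful glob(); a server that reuses one glob_t across requests and calls globfree() on an error path without that discipline is exactly where a free() of never-allocated memory comes from.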
----------- next part -----------
A non-text attachment was scrubbed...
Name    : not available
Type    : application/pgp-signature
Size    : 189 bytes
Desc    : not available
Url     : <http://lists.altlinux.org/pipermail/devel/attachments/20011219/ec828c90/attachment-0001.bin>


More information about the Devel mailing list