From: Nikita Gergel <fc@altlinux.ru>
To: devel@altlinux.ru
Subject: [devel] Fw: ProFTPD - Problems in file globbing, gives segmentation fault.
Date: Wed, 19 Dec 2001 21:14:16 +0300
Message-ID: <20011219211416.797d79e6.fc@altlinux.ru>

Begin forwarded message:

Date: Wed, 19 Dec 2001 14:22:40 +0100
From: "Mattias _" <surre1@hotmail.com>
To: bugtraq@securityfocus.com
Subject: ProFTPD - Problems in file globbing, gives segmentation fault.

SUMMARY
=======

A problem in handling file globbing exists in the current version of
ProFTPD 1.2.4 (but it's fixed in the Candidate version: 1.2.5rc1).
This is very similar to the wu-ftpd bug ("ls ~{") and occurs when you
issue the command: ls /////////// (11 or more '/').
I haven't figured out if it's exploitable. That's why I post it to you
guys. :-)

AFFECTED VERSIONS
=================

ProFTPD 1.2.4
ProFTPD 1.2.2rc3
(Others may be affected as well.)

SYSTEMS
=======

This is tested on Slackware 8.

IMPACT
======

The ftpd child dies with signal 11 (SEGV), but the server stays up.
The question is if it's possible to do something nasty with this!?

DETAILS
=======

The Segmentation Fault occurs when the server tries to free unallocated
memory with the free() function, and it could be a heap corruption
vulnerability. The SEGV occurs in the file lib/glibc-glob.c, in the
function void globfree (pglob).

Here is how I tested it. Login as ftp (anonymous) and issue the command:

ftp> ls ///////////
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
421 Service not available, remote server has closed connection
ftp>

And the debug messages read (proftpd -n -d 5):

dispatching PRE_CMD command 'LIST ///////////' to mod_core
dispatching CMD command 'LIST ///////////' to mod_ls
active data connection opened - local : 127.0.0.1:20
active data connection opened - remote : 127.0.0.1:1286
in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
ProFTPD terminating (signal 11)

VENDOR RESPONSE
===============

This problem has been reported to the ProFTPD Bug Tracking System.
It has also been reported to security@proftpd.org, where they asked me
to wait with posting this until they release version 1.2.5rc1.

SOLUTION
========

Upgrade to version 1.2.5rc1.

REFERENCES
==========

ProFTPD (Get the latest version)
http://www.proftpd.org

ProFTPD Bug Tracking System (Where it was first reported):
http://bugs.proftpd.org/show_bug.cgi?id=1426

Information about the wu-ftpd problem:
http://www.corest.com

COMMENTS
========

This is my first post to Bugtraq, be nice to me...

Regards,
Mattias
surre1@hotmail.com

--
Nikita Gergel
System Administrator
Moscow, Russia
YAUZA-Telecom
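The debug output quoted in the report is enough to build a simple detector for this crash pattern on an unpatched server. The following Python script is an added example, not part of the forwarded message or of ProFTPD itself: it parses lines in the shape of the `proftpd -n -d 5` output above, flags LIST/NLST arguments containing a run of 11 or more consecutive slashes (the threshold the report gives), and notes whether a "ProFTPD terminating (signal 11)" line follows shortly after. The sample log is constructed from the lines quoted in the report, and the regular expressions and the five-line look-ahead window are assumptions of this example.

```python
import re

# Constructed sample modelled on the 'proftpd -n -d 5' lines quoted in the
# report; the last two lines are made up to show non-matching commands.
SAMPLE_LOG = (
    f"dispatching PRE_CMD command 'LIST {'/' * 11}' to mod_core\n"
    f"dispatching CMD command 'LIST {'/' * 11}' to mod_ls\n"
    "active data connection opened - local : 127.0.0.1:20\n"
    "active data connection opened - remote : 127.0.0.1:1286\n"
    "in dir_check_full(): path = '/', fullpath = '/home/ftp/'.\n"
    "ProFTPD terminating (signal 11)\n"
    "dispatching CMD command 'LIST /pub' to mod_ls\n"
    "dispatching CMD command 'NLST //' to mod_ls\n"
)

# Assumed line shapes (derived from the quoted debug output, not from the
# ProFTPD source): one regex for the command dispatch, one for the crash.
CMD_RE = re.compile(
    r"\bdispatching CMD command '(?P<verb>[A-Z]+)(?: (?P<arg>.*?))?' to (?P<mod>\w+)"
)
SEGV_RE = re.compile(r"ProFTPD terminating \(signal 11\)")

SLASH_RUN_THRESHOLD = 11   # "11 or more '/'" per the report
LOOKAHEAD_LINES = 5        # assumed window for correlating the crash line


def longest_slash_run(s: str) -> int:
    """Length of the longest run of consecutive '/' characters in s."""
    best = cur = 0
    for ch in s:
        cur = cur + 1 if ch == '/' else 0
        best = max(best, cur)
    return best


def analyse(log_text: str) -> list:
    """Return one finding per LIST/NLST command whose argument has a long slash run.

    Each finding records the 1-based line number, the verb, the argument,
    the slash-run length and whether a signal-11 termination follows within
    LOOKAHEAD_LINES lines (so the crash can be tied to the command).
    """
    lines = log_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = CMD_RE.search(line)
        if not m or m.group('verb') not in ('LIST', 'NLST'):
            continue
        arg = m.group('arg') or ''
        run = longest_slash_run(arg)
        if run < SLASH_RUN_THRESHOLD:
            continue
        window = lines[idx + 1: idx + 1 + LOOKAHEAD_LINES]
        findings.append({
            'line': idx + 1,
            'verb': m.group('verb'),
            'arg': arg,
            'slash_run': run,
            'followed_by_segv': any(SEGV_RE.search(w) for w in window),
        })
    return findings


if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        status = 'crash followed' if f['followed_by_segv'] else 'no crash seen'
        print(f"line {f['line']}: {f['verb']} with {f['slash_run']} slashes ({status})")
```

Feeding the script real debug output tells an administrator whether child crashes on an unupgraded 1.2.4 line up with this request pattern, which is a quick way to confirm the report's finding before (or after) moving to 1.2.5rc1.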
Thread overview: 3+ messages
2001-12-19 18:14 Nikita Gergel [this message]
2001-12-19 21:02 ` [devel] " Mikhail Zabaluev
2001-12-20 12:53 ` Dmitry V. Levin