Date: Wed, 19 Dec 2001 21:14:16 +0300
From: Nikita Gergel
To: devel@altlinux.ru
Message-Id: <20011219211416.797d79e6.fc@altlinux.ru>
Organization: ALT Linux (tm)
X-Mailer: Sylpheed version 0.6.6 (GTK+ 1.2.10; i586-alt-linux)

Begin forwarded message:

Date: Wed, 19 Dec 2001 14:22:40 +0100
From: "Mattias _"
To: bugtraq@securityfocus.com
Subject: ProFTPD - Problems in file globbing, gives segmentation fault.

SUMMARY
=======

A problem in handling file globbing exists in the current version of
ProFTPD, 1.2.4 (it is fixed in the candidate version, 1.2.5rc1). This is
very similar to the wu-ftpd bug ("ls ~{") and occurs when you issue the
command:

    ls ///////////

(11 or more '/'). I haven't figured out if it's exploitable. That's why I
post it to you guys. :-)

AFFECTED VERSIONS
=================

ProFTPD 1.2.4
ProFTPD 1.2.2rc3
(Others may be affected as well.)

SYSTEMS
=======

This is tested on Slackware 8.

IMPACT
======

The ftpd child dies with signal 11 (SEGV), but the server stays up. The
question is if it's possible to do something nasty with this!?

DETAILS
=======

The segmentation fault occurs when the server tries to free unallocated
memory with the free() function, and it could be a heap corruption
vulnerability. The SEGV occurs in the file lib/glibc-glob.c, in the
function void globfree (pglob).

Here is how I tested it. Log in as ftp (anonymous) and issue the command:

    ftp> ls ///////////
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    421 Service not available, remote server has closed connection
    ftp>

And the debug messages read (proftpd -n -d 5):

    dispatching PRE_CMD command 'LIST ///////////' to mod_core
    dispatching CMD command 'LIST ///////////' to mod_ls
    active data connection opened - local  : 127.0.0.1:20
    active data connection opened - remote : 127.0.0.1:1286
    in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
    ProFTPD terminating (signal 11)

VENDOR RESPONSE
===============

This problem has been reported to the ProFTPD Bug Tracking System. It has
also been reported to security@proftpd.org, where they asked me to wait
with posting this until they release version 1.2.5rc1.

SOLUTION
========

Upgrade to version 1.2.5rc1.

REFERENCES
==========

ProFTPD (get the latest version):
http://www.proftpd.org

ProFTPD Bug Tracking System (where it was first reported):
http://bugs.proftpd.org/show_bug.cgi?id=1426

Information about the wu-ftpd problem:
http://www.corest.com

COMMENTS
========

This is my first post to Bugtraq, be nice to me...

Regards,
Mattias
surre1@hotmail.com

-- 
Nikita Gergel
System Administrator
Moscow, Russia
YAUZA-Telecom
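The bug class the forwarded report describes, as an added example that is not ProFTPD's code and not part of the original post: a glob_t that lives on the stack is never filled in by glob() because an earlier check bails out, yet the shared cleanup path still hands it to globfree(), which then walks garbage pointers into free(). The names (tracked_glob, list_dir_buggy, demo_repeated_slashes) and the "11 or more slashes" rejection used to reach the bad path are hypothetical stand-ins chosen to mirror the report's probe, not ProFTPD's actual logic. The safe version zeroes the structure first and frees only what glob() produced; the demo globs a scratch directory through an 11-slash separator, as in the probe, and cleans up correctly.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not ProFTPD code. Every name below is hypothetical. */

/* A glob_t plus a flag recording whether glob() actually filled it in. */
struct tracked_glob {
    glob_t g;
    int populated;
};

/* Safe pattern: zero the structure first (gl_pathv becomes NULL rather than
 * stack garbage) and remember whether glob() succeeded. Returns glob()'s rc. */
static int tracked_glob_run(struct tracked_glob *tg, const char *pattern)
{
    memset(tg, 0, sizeof *tg);
    int rc = glob(pattern, 0, NULL, &tg->g);
    tg->populated = (rc == 0);
    return rc;
}

/* Releases results only if glob() produced them.
 * Returns 1 if memory was freed, 0 if the call was a no-op. */
static int tracked_glob_free(struct tracked_glob *tg)
{
    if (!tg->populated)
        return 0;
    globfree(&tg->g);
    tg->populated = 0;
    return 1;
}

/* Buggy pattern resembling the report: glob_t is uninitialised stack storage,
 * a validation failure skips glob(), and the shared cleanup still calls
 * globfree(), which follows whatever gl_pathv happens to contain.
 * The slash-count check is a constructed stand-in for the failing path, not
 * ProFTPD's logic. Undefined behaviour; typically SIGSEGV inside free().
 * Only reached from main() with --crash. */
static int list_dir_buggy(const char *pattern)
{
    glob_t g;                        /* never zeroed */
    int n = 0;
    if (strspn(pattern, "/") >= 11)  /* constructed: reject, but fall through */
        goto out;
    if (glob(pattern, 0, NULL, &g) == 0)
        n = (int)g.gl_pathc;
out:
    globfree(&g);                    /* frees garbage pointers on the early path */
    return n;
}

/* Creates a scratch directory holding a.txt, b.txt and c.log (constructed
 * sample input), globs it through an 11-slash separator like the probe in
 * the report, frees correctly, and returns the number of *.txt matches
 * (-1 on setup failure). Repeated slashes are one separator to the kernel,
 * so a correct glob() sees two matches. */
static int demo_repeated_slashes(void)
{
    static const char *names[] = { "a.txt", "b.txt", "c.log" };
    char dir[] = "/tmp/globdemo.XXXXXX";
    char path[512], pattern[512];
    if (!mkdtemp(dir))
        return -1;
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            return -1;
        close(fd);
    }
    snprintf(pattern, sizeof pattern, "%s" "///////////" "*.txt", dir); /* 11 slashes */
    struct tracked_glob tg;
    int n = (tracked_glob_run(&tg, pattern) == 0) ? (int)tg.g.gl_pathc : 0;
    tracked_glob_free(&tg);
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return n;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--crash") == 0)
        return list_dir_buggy("///////////");   /* the report's probe, buggy path */
    printf("*.txt matches through 11 slashes: %d\n", demo_repeated_slashes());
    struct tracked_glob tg;
    int rc = tracked_glob_run(&tg, "/nonexistent-dir-xyz-12345/*");
    printf("no-match rc=%d (GLOB_NOMATCH=%d), freed=%d\n",
           rc, GLOB_NOMATCH, tracked_glob_free(&tg));
    return 0;
}
```

Compile with `cc -o globdemo globdemo.c`; `./globdemo` exercises the safe wrapper, while `./globdemo --crash` runs the buggy path and normally dies with SIGSEGV, the same visible symptom as the report's child process. The practical check when auditing glob users is the same one the wrapper enforces: every glob_t must be zero-initialised before any path can reach globfree(), and cleanup must not run on paths where glob() was never called.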