* [devel] Fw: ProFTPD - Problems in file globbing, gives segmentation fault.
@ 2001-12-19 18:14 Nikita Gergel
2001-12-19 21:02 ` [devel] " Mikhail Zabaluev
0 siblings, 1 reply; 3+ messages in thread
From: Nikita Gergel @ 2001-12-19 18:14 UTC (permalink / raw)
To: devel
Begin forwarded message:
Date: Wed, 19 Dec 2001 14:22:40 +0100
From: "Mattias _" <surre1@hotmail.com>
To: bugtraq@securityfocus.com
Subject: ProFTPD - Problems in file globbing, gives segmentation fault.
SUMMARY
=======
A problem in handling file globbing exists in the current version of ProFTPD
1.2.4 (but it's fixed in the Candidate version: 1.2.5rc1). This
is very similar to the wu-ftpd bug ("ls ~{") and occurs when you issue
the command: ls /////////// (11 or more '/'). I haven't figured out if
it's exploitable. That's why I post it to you guys. :-)
AFFECTED VERSIONS
=================
ProFTPD 1.2.4
ProFTPD 1.2.2rc3
(Others may be affected as well.)
SYSTEMS
=======
This is tested on Slackware 8.
IMPACT
======
The ftpd-child dies with signal 11 (SEGV), but the server stays up.
The question is if it's possible to do something nasty with this!?
DETAILS
=======
The Segmentation Fault occurs when the server tries to free
unallocated memory with a free()-function and it could be a heap
corruption vulnerability. It's in the file lib/glibc-glob.c in function
void globfree (pglob) the SEGV occurs.
Here is how I tested it.
Login as ftp(anonymous) and issue the command:
ftp> ls ///////////
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
421 Service not available, remote server has closed connection
ftp>
And the debug messages read (proftpd -n -d 5):
dispatching PRE_CMD command 'LIST ///////////' to mod_core
dispatching CMD command 'LIST ///////////' to mod_ls
active data connection opened - local : 127.0.0.1:20
active data connection opened - remote : 127.0.0.1:1286
in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
ProFTPD terminating (signal 11)
VENDOR RESPONSE
===============
This problem has been reported to ProFTPD Bug Tracking System. It has
also been reported to security@proftpd.org where they asked me to wait
posting this until they release version 1.2.5rc1.
SOLUTION
========
Upgrade to version 1.2.5rc1.
REFERENCES
==========
ProFTPD (Get the latest version)
http://www.proftpd.org
ProFTPD Bug Tracking System (Where it was first reported):
http://bugs.proftpd.org/show_bug.cgi?id=1426
Information about the wu-ftpd problem:
http://www.corest.com
COMMENTS
========
This is my first post to Bugtraq, be nice to me...
Regards,
Mattias
surre1@hotmail.com
--
Nikita Gergel System Administrator
Moscow, Russia YAUZA-Telecom
* [devel] Re: Fw: ProFTPD - Problems in file globbing, gives segmentation fault.
2001-12-19 18:14 [devel] Fw: ProFTPD - Problems in file globbing, gives segmentation fault Nikita Gergel
@ 2001-12-19 21:02 ` Mikhail Zabaluev
2001-12-20 12:53 ` Dmitry V. Levin
0 siblings, 1 reply; 3+ messages in thread
From: Mikhail Zabaluev @ 2001-12-19 21:02 UTC (permalink / raw)
To: devel
Hello Nikita,
On Wed, Dec 19, 2001 at 09:14:16PM +0300, Nikita Gergel wrote:
>
>
>
> Begin forwarded message:
>
> Date: Wed, 19 Dec 2001 14:22:40 +0100
> From: "Mattias _" <surre1@hotmail.com>
> To: bugtraq@securityfocus.com
> Subject: ProFTPD - Problems in file globbing, gives segmentation fault.
I suspect this is the recently discovered problem with glob in glibc.
I hope to see a security update soon.
--
Stay tuned,
MhZ JID: mookid@jabber.org
___________
"The greatest warriors are the ones who fight for peace."
-- Holly Near
* Re: [devel] Re: Fw: ProFTPD - Problems in file globbing, gives segmentation fault.
2001-12-19 21:02 ` [devel] " Mikhail Zabaluev
@ 2001-12-20 12:53 ` Dmitry V. Levin
0 siblings, 0 replies; 3+ messages in thread
From: Dmitry V. Levin @ 2001-12-20 12:53 UTC (permalink / raw)
To: devel
On Thu, Dec 20, 2001 at 12:02:55AM +0300, Mikhail Zabaluev wrote:
> > Date: Wed, 19 Dec 2001 14:22:40 +0100
> > From: "Mattias _" <surre1@hotmail.com>
> > To: bugtraq@securityfocus.com
> > Subject: ProFTPD - Problems in file globbing, gives segmentation fault.
>
> I suspect this is the recently discovered problem with glob in glibc.
> I hope to see a security update soon.
No, there is an incorrect pointer initialization there (to static memory); this is
not exploitable, so there will most likely be no security update.
As for a security update for glibc, I have not decided yet.
Regards,
Dmitry
+-------------------------------------------------------------------------+
Dmitry V. Levin mailto://ldv@alt-linux.org
ALT Linux Team http://www.altlinux.ru/
Fandra Project http://www.fandra.org/
+-------------------------------------------------------------------------+
UNIX is user friendly. It's just very selective about who its friends are.
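
Added example, not part of the thread and not ProFTPD's code: a C sketch of the bug class named in the last reply, where a glob_t result vector ends up pointing at static storage and is later passed to globfree(). The names `struct listing`, `listing_open`, `listing_close` and `fallback_vec` are hypothetical; the guard shown is one way to make sure globfree() only sees memory that glob() allocated.

```c
#include <glob.h>
#include <string.h>

/* Hypothetical wrapper (not ProFTPD code): records who owns gl_pathv. */
struct listing {
    glob_t g;
    int from_glob;   /* 1 only when glob() allocated g.gl_pathv */
};

/* Constructed static fallback, standing in for "a pointer into static memory". */
static char *fallback_vec[] = { ".", NULL };

/* Expand pattern; if nothing matches, expose the static fallback instead.
 * Returns the number of entries reachable through l->g.gl_pathv. */
size_t listing_open(struct listing *l, const char *pattern)
{
    memset(l, 0, sizeof(*l));            /* glob_t never starts as stack garbage */
    if (glob(pattern, 0, NULL, &l->g) == 0) {
        l->from_glob = 1;
        return l->g.gl_pathc;
    }
    globfree(&l->g);                     /* safe: gl_pathv is NULL or heap here */
    l->g.gl_pathv = fallback_vec;        /* from now on NOT heap memory */
    l->g.gl_pathc = 1;
    return 1;
}

/* Release the listing. Returns 1 if heap memory was handed to globfree().
 * An unguarded globfree(&l->g) would pass fallback_vec to free(),
 * which is undefined behaviour and typically ends in SIGSEGV or abort. */
int listing_close(struct listing *l)
{
    int freed = l->from_glob;
    if (freed)
        globfree(&l->g);
    memset(l, 0, sizeof(*l));            /* no stale pointer survives the close */
    return freed;
}
```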