Bug: glob() DoS attack
Bugzilla ID: 1066
Version: 1.2.1 and earlier
Platforms: All
Severity/Effect: Critical
Fixed in: 1.2.2rc1
Reported on BUGTRAQ on the 15th of March by Frank DENIS (Jedi/Sector One).
Official response from the development team.
Problem commands:
ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/
ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/
Other commands of this style may also cause the same behavior; the
exact commands listed here are not required to trigger it.
Effect:
The daemon process starts to consume all CPU and memory resources
available to it. Multiple simultaneous instances will result in faster
depletion of resources, causing either the daemon process or the server
to crash.
Fix / Workaround:
A fixed version of GNU glob is used in ProFTPD 1.2.2rc1 and
later.
As a temporary workaround, in lieu of upgrading to a fixed version of
ProFTPD, we recommend adding the following directive in the
<Global> context; it should catch most variants of this
problem.
DenyFilter \*.*/
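To check what the workaround above actually covers, here is an added example (not part of the advisory or of ProFTPD) that applies the DenyFilter pattern to the three argument strings from the advisory and to some ordinary arguments. It assumes that Python's re.search behaves the same as ProFTPD's unanchored POSIX regex match for this simple pattern, and the sample arguments are constructed.

```python
import re

# ProFTPD evaluates DenyFilter as an unanchored POSIX regular expression
# against the arguments of each FTP command. Python's re.search is used
# here as a stand-in (assumption: for this pattern both flavours agree:
# a literal asterisk, any run of characters, then a slash).
DENY_FILTER = r"\*.*/"
_deny_re = re.compile(DENY_FILTER)


def deny_filter_rejects(argument: str) -> bool:
    """Return True if the DenyFilter workaround would reject this argument."""
    return _deny_re.search(argument) is not None


# Constructed samples: the three argument strings from the advisory.
ADVISORY_ARGS = [
    "*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*",
    "*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/",
    ".*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/",
]
# Constructed benign arguments an ordinary FTP client might send.
BENIGN_ARGS = ["*.txt", "pub/*.tar.gz", "incoming", "-la"]
# Constructed legitimate-looking argument the coarse filter still rejects:
# any wildcard followed later by a slash matches, so expect some collateral.
COLLATERAL_ARGS = ["*/README"]


def classify(args):
    """Map each argument to whether the filter rejects it."""
    return {a: deny_filter_rejects(a) for a in args}


if __name__ == "__main__":
    results = classify(ADVISORY_ARGS + BENIGN_ARGS + COLLATERAL_ARGS)
    for arg, rejected in results.items():
        print(f"{'REJECT' if rejected else 'allow '}  {arg}")
```

The collateral case shows the trade-off: the filter blocks every wildcard that is followed by a path separator, not only the pathological nestings, so listings such as `*/README` are refused as well.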
We also recommend that the daemon process be started with appropriate
ulimits set to control the system resources that can be used by
ProFTPD processes. This should help keep the server viable
regardless of attacks being made. The development team is looking into
modifying ProFTPD to provide native ulimit functionality.
Summary:
This issue has been remedied in ProFTPD 1.2.2rc1.
Additionally, the administrators of ftp.proftpd.org would like to
thank Frank Denis for testing his theory about the vulnerability by
launching a denial of service attack against that server, causing it to
become unavailable for a period of time.