Date: Thu, 15 Mar 2001 22:30:24 +0000 From: The Flying Hamster <hamster@VOM.TM> Subject: [SECURITY] DoS vulnerability in ProFTPD To: BUGTRAQ@SECURITYFOCUS.COM ProFTPD Bug ID: 1066 (http://bugs.proftpd.org/show_bug.cgi?id=1066) Versions affected: ProFTPD 1.2.1 is vulnerable. Earlier versions are also believed to be affected. Problem commands: Problem commands include: ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../* ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/ ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/ Other commands of this style may also cause the same behavior; the exact commands listed here are not necessary to trigger. Effect: The daemon process starts to consume all CPU and memory resources available to it. Multiple simultaneous instances will result in faster depletion of resources, causing either the daemon process or the server to crash. Fix / Workaround: A patch against the 1.2.1 source is currently being worked on. However, given the nature of the problem and the lack of time given between notification and publication of the vulnerability, it is not ready for release yet. Until a more permanent fix is ready, we recommend adding the following directive in the <Global> context which should catch most variants of this problem. DenyFilter \*.*/ We also recommend that the daemon process is started with appropriate ulimits set to control the system resources that can be utilized by the running daemon. This should help in maintaining a viable server regardless attacks being made. The development team is looking into modifying ProFTPD to provide native ulimit functionality. Summary: The ProFTPD development team is aware of this issue and will be looking into providing a proper patch shortly. Details of any patch or new version will be released on http://www.proftpd.org/. Additionally, the administrators of ftp.proftpd.org would like to thank Frank Denis for testing his theory about the vunerability by launching a denial of service attack against that server, causing it to become unavailable for a period of time. All security issues regarding ProFTPD should be directed to security@proftpd.org. Details on the mailing lists for the ProFTPD Project can be found at http://www.proftpd.org/ -- The Flying Hamster <hamster@suespammers.org> http://hamster.wibble.org/ Everyone who visits a psychatrist should have his head examined.