ProFTPD file globbing vulnerability
19th Dec 2001 [SBWID-4935]



	 Tested on Slackware 8 :

	 ProFTPD 1.2.4

	 ProFTPD 1.2.2rc3


	 Tested on Debian :

	 ProFTPD 1.2.4 Server (Debian)

	 ProFTPD 1.2.0pre10 not vulnerable


	Mattias reported the following bug:

	A problem in handling file globbing exists in the current version of
	ProFTPD 1.2.4 (but it's fixed in the Candidate version: 1.2.5rc1). This
	is very similar to the wu-ftpd bug (ls ~{) and occurs when you issue
	the command: ls /////////// (11 or more /).

	The ftpd-child dies with signal 11 (SEGV), but the server stays up. The
	question is if it's possible to do something nasty with this!?



	The Segmentation Fault occurs when the server tries to free
	unallocated memory with a free() function, and it could be a heap
	corruption vulnerability. The SEGV occurs in the file lib/glibc-glob.c,
	in the function void globfree (pglob).

	 Here is how I tested it.

	 Log in as ftp (anonymous) and issue the command:



	ftp> ls ///////////

	200 PORT command successful.

	150 Opening ASCII mode data connection for file list.

	421 Service not available, remote server has closed connection




	And the debug messages read (proftpd -n -d 5):

	dispatching PRE_CMD command 'LIST ///////////' to mod_core
	dispatching CMD command 'LIST ///////////' to mod_ls
	active data connection opened - local  :
	active data connection opened - remote :
	in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
	ProFTPD terminating (signal 11)


	Upgrade to version 1.2.5rc1.
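
	Added example, not part of the original advisory or of ProFTPD: a Python check that scans debug output in the format quoted above for a LIST command whose argument contains 11 or more consecutive slashes, and records whether the child then logged a signal 11 termination before the next command. The function name and the sample lines are constructed for illustration, and the lines are assumed to come from a single child's debug stream.

```python
import re

# LIST dispatch line as it appears in the advisory's `proftpd -n -d 5` excerpt.
LIST_CMD = re.compile(r"dispatching CMD command 'LIST (.*)' to mod_ls")
SLASH_RUN = re.compile(r"/{11,}")  # advisory: 11 or more '/' in a row
CRASH = "ProFTPD terminating (signal 11)"


def find_glob_crashes(lines):
    """Return one finding per LIST argument with a run of >= 11 slashes.

    'crashed' is True only if the signal 11 line follows before any other
    command is dispatched, i.e. the suspicious LIST was the last command.
    """
    findings, pending = [], None
    for lineno, line in enumerate(lines, start=1):
        if "dispatching CMD command" in line:
            pending = None  # a new command: the previous one did not kill the child
            m = LIST_CMD.search(line)
            run = SLASH_RUN.search(m.group(1)) if m else None
            if run:
                pending = {"line": lineno, "slashes": len(run.group(0)),
                           "crashed": False}
                findings.append(pending)
        elif CRASH in line and pending is not None:
            pending["crashed"] = True
            pending = None
    return findings


# Constructed sample lines, modelled on the advisory's debug excerpt.
SAMPLE = [
    "dispatching PRE_CMD command 'LIST /pub//incoming' to mod_core",
    "dispatching CMD command 'LIST /pub//incoming' to mod_ls",
    "dispatching PRE_CMD command 'LIST " + "/" * 11 + "' to mod_core",
    "dispatching CMD command 'LIST " + "/" * 11 + "' to mod_ls",
    "in dir_check_full(): path = '/', fullpath = '/home/ftp/'.",
    "ProFTPD terminating (signal 11)",
    "dispatching CMD command 'LIST " + "/" * 14 + "' to mod_ls",
    "dispatching CMD command 'QUIT' to mod_core",
]

if __name__ == "__main__":
    for finding in find_glob_crashes(SAMPLE):
        print(finding)
```

	A finding with crashed set to False is a request that matched the pattern but did not end the child, as would be expected after the upgrade.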

