8237655 2002-03-29 22:40 +0100  /64 lines/ martin f krafft <madduck@madduck.net>
Sent by: joel@lysator.liu.se
Imported: 2002-04-04  04:25  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: debian security <debian-security@lists.debian.org>
Recipient: Bugtraq (import) <21723>
Comment on text 8209116 by martin f krafft <madduck@madduck.net>
Subject: Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
------------------------------------------------------------
From: martin f krafft <madduck@madduck.net>
To: bugtraq@securityfocus.com,
 debian security <debian-security@lists.debian.org>
Message-ID: <20020329214002.GA31795@fishbowl.madduck.net>

dear bugtraq'ers,

i must confess that the information i provided wrt the acclaimed DoS
exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
not fully accurate. the package *does in fact contain a buggy daemon*
despite having been fixed, according to the changelog:

  proftpd (1.2.0pre10-2.0potato1) stable; urgency=high

    * Non-Maintainer upload.
--->* Applied patch against string format buffer attack.
  [...]

here's the result of my research:

the ftproot, against which i tested the daemon when i replied to the
original bugtraq post, was way too small to cause the server to break
a sweat on the recursion attack

  ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

i now tested the daemon against a new ftproot, 20Gb in size with
a total of 6588 directories, and it does in fact appear to hang,
consuming memory in excess of 100Mb, and loitering the processor
queue.

nevertheless, the proftpd parent process happily served another 99
sessions at no noticeable speed degradation. and, after 23 minutes,
the berserk proftpd process returned and surrendered the resources
(the ftp session had timed out after 5 minutes already).

the suggested temporary fix is to add the option

  DenyFilter \*.*/

to /etc/proftpd.conf. however, despite common belief, Debian's
proftpd package 1.2.0pre10-2.0potato1 *does not* contain this option
and is thus vulnerable to the extent that this is a severe
vulnerability.

i don't think it's necessary to discuss this; the daemon as packaged
by debian is buggy and that has to be fixed. but i hope i was able to
give you some more information on the extent of the exploit. i will
do my best to push a fixed package into the APT archive at
security.debian.org as soon as possible.

regards,

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
  
"with sufficient thrust, pigs fly just fine. however, this is not
 necessarily a good idea. it is hard to be sure where they are going to
 land, and it could be dangerous sitting under them as they fly
 overhead."
                                                           -- rfc 1925
(8237655) /martin f krafft <madduck@madduck.net>/---
Attachment (application/pgp-signature) in text 8237656
Comment in text 8237891 by Alun Jones <alun@texis.com>
8237656 2002-03-29 22:40 +0100  /10 lines/ martin f krafft <madduck@madduck.net>
Imported: 2002-04-04  04:25  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: debian security <debian-security@lists.debian.org>
Recipient: Bugtraq (import) <21724>
Attachment (text/plain) to text 8237655
Subject: Attachment to: Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
------------------------------------------------------------
(8237656) /martin f krafft <madduck@madduck.net>/---
8237891 2002-04-03 20:45 -0600  /44 lines/ Alun Jones <alun@texis.com>
Sent by: joel@lysator.liu.se
Imported: 2002-04-04  08:02  by Brevbäraren
External recipient: martin f krafft <madduck@madduck.net>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: debian security <debian-security@lists.debian.org>
Recipient: Bugtraq (import) <21734>
Comment on text 8237655 by martin f krafft <madduck@madduck.net>
Subject: Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
------------------------------------------------------------
From: Alun Jones <alun@texis.com>
To: martin f krafft <madduck@madduck.net>
Cc: bugtraq@securityfocus.com,
 debian security <debian-security@lists.debian.org>
Message-ID: <4.3.2.7.2.20020403203559.01e04e80@208.55.91.110>

At 03:40 PM 3/29/2002, martin f krafft wrote:
>   ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

...

>   DenyFilter \*.*/

Just as a quick question, why not deny the string "/../" (you may
have to deny the regex "/\.\./", depending how the filter in
question works)?

As far as I can tell, it's the ability to embed "/../" into a path
that is at the root of this, far more than the ability to embed
wildcards.  I can't think of a situation in which "/../" should
appear in a user-supplied path, except after a string of repeated
"../"s.

The workaround suggested by Mr Krafft would disable some useful
functionality - one large user of mine, for instance, was keen to
have my own software evaluate wildcards in the body of the path,
which Mr Krafft's workaround disables completely.  They even paid
for the privilege (not enough, but they paid ;-))

So, let's see, a regex that would deny "/../", except as part of a
string of such...

One bash would be "[^/.].*/\.\./" - matching "/../" if it's after any
character other than '/' or '.'.  Doubtless someone can come up with
something better.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
(8237891) /Alun Jones <alun@texis.com>/---(Rewrapped)
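The two filters discussed in this thread (the DenyFilter workaround from the first post and Alun Jones's "/../" regex from the reply) evaluated side by side against constructed sample LIST arguments, as an added example that is not part of either post. It assumes that an unanchored Python re.search behaves like proftpd's POSIX regex matching for these two patterns.

```python
import re

# Filter patterns quoted in the thread, evaluated with Python's re as an
# unanchored search. proftpd applies DenyFilter with POSIX regex matching;
# treating the two as equivalent for these patterns is an assumption.
DENYFILTER_WILDCARD = r"\*.*/"         # Martin's workaround: a '*' followed later by '/'
DENYFILTER_DOTDOT = r"[^/.].*/\.\./"   # Alun's: "/../" after some non-'/' non-'.' character

# Constructed sample arguments a client might send with LIST/NLST.
SAMPLES = {
    "recursive_glob": "*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*",
    "leading_dotdots": "../../pub/README",      # harmless relative path
    "wildcard_in_body": "pub/*/README",         # functionality Alun wants to keep
    "dotdot_in_body": "pub/../incoming/file",   # "/../" after a real path component
}


def is_denied(pattern: str, arg: str) -> bool:
    """True if an unanchored search of `pattern` finds a match in `arg`."""
    return re.search(pattern, arg) is not None


def evaluate(arg: str) -> dict:
    """Report which of the two candidate filters would reject `arg`."""
    return {
        "wildcard_filter": is_denied(DENYFILTER_WILDCARD, arg),
        "dotdot_filter": is_denied(DENYFILTER_DOTDOT, arg),
    }


def compare_filters(samples=SAMPLES) -> dict:
    """Evaluate every sample so the trade-off between the filters is visible."""
    return {name: evaluate(arg) for name, arg in samples.items()}


if __name__ == "__main__":
    for name, verdict in compare_filters().items():
        print(f"{name:18} wildcard_filter={verdict['wildcard_filter']!s:5} "
              f"dotdot_filter={verdict['dotdot_filter']}")
```

Both filters reject the recursive glob; the wildcard filter also rejects ordinary in-path wildcards, while the "/../" filter lets those through and instead rejects traversal after a real component.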