Vulnerability Development: Re: proftp DoS in debian stable?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: proftp DoS in debian stable?

From: Teodor Cimpoesu <teo () gecadsoftware com>
Date: Tue, 5 Mar 2002 20:53:21 +0200

Hi Simon!
On Tue, 05 Mar 2002, Simon Barr wrote:

-----Original Message-----
From: Joe Dollard [mailto:joed () devel livenote com]
Sent: 28 February 2002 23:20
To: vuln-dev () securityfocus com
Subject: proftp DoS in debian stable?

My system is running debian stable with all patches installed (via apt-get
from security.debian.org).  My proftp daemon (as installed from the debian
deb's - 1.2.0pre10-2.0) still seems vulnerable to the glob DoS attack, as
discovered on the 15th March 2001. i.e. typing
`ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*` results
in 100% of the CPU and memory resources are consumed.
 (more info at http://proftpd.linux.co.uk/critbugs.html).  No fix or work
around seems in place in the debian stable deb's.

Can anyone confirm the same behaviour on their system?


I can confirm this on a Debian potato box I have here.  This box is also
up to date via apt-get as of this morning.

Wasn't that a known issue at the time of 1.2.0pre following one in wu-ftpd
some time ago?
I think the simplest fix is to upgrade to a more recent version.

-- teodor

By Date By Thread

Current thread:

proftp DoS in debian stable? Joe Dollard (Mar 04)
- RE: proftp DoS in debian stable? Simon Barr (Mar 05)
  - Re: proftp DoS in debian stable? Teodor Cimpoesu (Mar 05)
    - RE: proftp DoS in debian stable? Simon Barr (Mar 06)
- Re: proftp DoS in debian stable? Felipe Franciosi (Mar 05)
- Re: proftp DoS in debian stable? Johannes Segitz (Mar 05)