Vulnerability Development mailing list archives

Re: ProFTPD 1.2.2rc3 Remote Server Vulnerability


From: ARAI Yuu <y.arai () lac co jp>
Date: Wed, 05 Dec 2001 10:17:57 +0900

Hello,

I think this could be quite important, but unfortunately I do not have the
skills to audit the source code for an ftp server; so I'll leave that to the
pros.

I don't know whether this is related to your issue or not, but last week
I noticed that /usr/bin/ftp on Solaris fails when a user sends a request
such as "get ~{". This is just a bug on the client side, not
a vulnerability on the server side.

Reproduction:
=============
$ uname -a
SunOS puppet 5.7 Generic_106542-18 i86pc i386 i86pc
$ ftp localhost
Connected to localhost.
220 ProFTPD 1.2.4 Server (ProFTPD Default Installation) [puppet]
Name (localhost:arai): arai
331 Password required for arai.
Password:
230 User arai logged in.
ftp> get ~{
Segmentation Fault - core dumped
<snip>
# file ./core/core.ftp.25184
./core/core.ftp.25184:  ELF 32-bit LSB core file 80386 Version 1, from 'ftp'
#


And I confirmed that "ls ls ~{" causes the same SIGSEGV.

================
$ ftp localhost
Connected to localhost.
220 ProFTPD 1.2.4 Server (ProFTPD Default Installation) [puppet]
Name (localhost:arai): arai
331 Password required for arai.
Password:
230 User arai logged in.
ftp> ls ls ~{
Segmentation Fault - core dumped
<snip>
# file ./core/core.ftp.25194
./core/core.ftp.25194:  ELF 32-bit LSB core file 80386 Version 1, from 'ftp'


Regards,
-----------------------------------------------
ARAI Yuu <y.arai () lac co jp>
Network Security Specialist / LAC Computer Security Laboratory
http://www.lac.co.jp/security/

