Bug 149720 - CAN-2005-0256 DoS in wu-ftpd
Summary: CAN-2005-0256 DoS in wu-ftpd
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: wu-ftpd
Version: 2.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Peter Vrabec
QA Contact: David Lawrence
URL:
Whiteboard: impact=moderate,public=20050225,sourc...
Depends On:
Blocks:
Reported: 2005-02-25 18:51 UTC by Josh Bressers
Modified: 2007-11-30 22:06 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-16 12:01:01 UTC
Target Upstream Version:
Embargoed:



Description Josh Bressers 2005-02-25 18:51:24 UTC
iDEFENSE reported a DoS in wu-ftpd
http://www.idefense.com/application/poi/display?id=207&type=vulnerabilities




After a user logs into the ftpd, an attacker can send a simple command
which will cause high CPU utilization.

To exploit this vulnerability, a simple ftp client is sufficient. Once
logged in, either anonymously or as an authenticated user, issuing the
following command will cause the machine to become less responsive.

ftp> dir ***************************************************************
         ***************************************************************
         ***************************************************************
         **.*

Comment 1 Mark J. Cox 2005-04-28 10:01:40 UTC
Debian fixed this and say

+  * Applied patch by Chris Butler to fix denial of service in the NLST         
+    command [src/ftpd.c, CAN-2005-0256]   

But the patch isn't broken out in their update.  It's probably the hunk:

<mjcox> @@ -7487,6 +7517,9 @@
<mjcox>         }                                                              
        
<mjcox>         else {                                                         
        
<mjcox>             do                                                         
        
<mjcox> +              if ((in[0] == '*') && (in[1] == '*'))                   
        
<mjcox> +                in++;                                                 
        
<mjcox> +              else                                                    
        
<mjcox>                 *out++ = *in++;                                        
        
<mjcox>             while ((*in != '\0') && (*in != '/'));                     
        
<mjcox>             if (*in == '/')   
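Review bot: the `do ... while` body is now an unbraced if/else, so the loop's single statement spans four lines and the closing `while` is easy to misattribute; brace the body and add a comment saying that runs of `*` are collapsed to one for CAN-2005-0256. The `in[1]` read stays in bounds because `in[0] == '*'` means the terminator has not been reached yet. The check only drops a `*` that is directly followed by another `*`, so it is worth confirming that this is the only form the matcher needs normalized.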
<mjcox> looks like that collapses multiple *

Comment 2 Mark J. Cox 2005-04-28 10:33:44 UTC
wu_fnmatch.c looks to contain code that is meant to collapse multiple *; 

            while (c == '*')
                c = *++pattern;

But this code is there in 2.6.1 which the report says is vulnerable.  I couldn't
reproduce this issue at all on my 2.6.2 wu-ftpd.
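
Why collapsing runs of `*` matters, as an added example that is not wu-ftpd's or Debian's code: a deliberately naive recursive matcher with a call counter is run on a constructed pattern before and after a collapse step modelled on the hunk quoted in Comment 1. The names `naive_match`, `collapse_stars` and `steps`, the pattern and the file name are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

static unsigned long steps;   /* recursive calls made by the last naive_match() */
/* Deliberately naive matcher ('*' = any run, '?' = one char). It does not
 * skip repeated '*', so every extra star multiplies the backtracking. */
static int naive_rec(const char *p, const char *s)
{
    steps++;
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*')
        return naive_rec(p + 1, s) || (*s != '\0' && naive_rec(p, s + 1));
    if (*s != '\0' && (*p == '?' || *p == *s))
        return naive_rec(p + 1, s + 1);
    return 0;
}

static int naive_match(const char *p, const char *s)
{
    steps = 0;
    return naive_rec(p, s);
}

/* Collapse each run of '*' to a single '*'; out must hold strlen(in) + 1. */
static void collapse_stars(const char *in, char *out)
{
    while (*in != '\0') {
        if (in[0] == '*' && in[1] == '*')
            in++;                /* drop this star, the last of the run is kept */
        else
            *out++ = *in++;
    }
    *out = '\0';
}

int main(void)
{
    const char *pattern = "********.*";     /* constructed sample pattern */
    const char *name = "aaaaaaaaaaaaaaaa";  /* constructed name with no '.' */
    char collapsed[32];
    collapse_stars(pattern, collapsed);
    int raw = naive_match(pattern, name);
    unsigned long raw_steps = steps;
    int fixed = naive_match(collapsed, name);
    printf("%zu-char pattern: match=%d steps=%lu\n", strlen(pattern), raw, raw_steps);
    printf("%zu-char pattern: match=%d steps=%lu\n", strlen(collapsed), fixed, steps);
    return 0;
}
```

Both runs return the same match result; only the number of recursive calls differs, which is the cost the collapse removes.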

Comment 3 Peter Vrabec 2005-04-28 12:54:11 UTC
I can't reproduce it either.

Comment 4 Josh Bressers 2005-05-13 21:06:23 UTC
Mark, Peter,

Any complaints if we close this?  Nobody seems to think we're vulnerable.

Comment 5 Peter Vrabec 2005-05-16 11:11:33 UTC
Not at all.

Comment 6 Josh Bressers 2005-05-16 12:01:01 UTC
I'm closing this since we can't reproduce it.

