iDEFENSE reported a DoS in wu-ftpd http://www.idefense.com/application/poi/display?id=207&type=vulnerabilities After a user logs into the ftpd, an attacker can send a simple command which will cause high CPU utilization. To exploit this vulnerability, a simple ftp client is sufficient. Once logged in, either anonymously or as an authenticated user, issuing the following command will cause the machine to become less responsive. ftp> dir *************************************************************** *************************************************************** *************************************************************** **.*
Debian fixed this and say + * Applied patch by Chris Butler to fix denial of service in the NLST + command [src/ftpd.c, CAN-2005-0256] But the patch isn't broken out in their update. It's probably the hunk: <mjcox> @@ -7487,6 +7517,9 @@ <mjcox> } <mjcox> else { <mjcox> do <mjcox> + if ((in[0] == '*') && (in[1] == '*')) <mjcox> + in++; <mjcox> + else <mjcox> *out++ = *in++; <mjcox> while ((*in != '\0') && (*in != '/')); <mjcox> if (*in == '/') <mjcox> looks like that collapses multiple *
wu_fnmatch.c looks to contain code that is meant to collapse multiple *; while (c == '*') c = *++pattern; But this code is there in 2.6.1 which the report says is vulnerable. I couldn't reproduce this issue at all on my 2.6.2 wu-ftpd.
I can't reproduce it either.
Mark, Peter, Any complaints if we close this? Nobody seems to think we're vulnerable.
Not at all.
I'm closing this since we can't reproduce it.