COMMAND

    ftpd

SYSTEMS AFFECTED

    SunOS 5.3, 5.5, 5.5.1, 5.6

PROBLEM

    Stanley Stasiak found the following.  The bug manifests itself as an
    in.ftpd process instance 'spinning', i.e. consuming a lot of CPU
    resource.  This was tested on:

        2.5.1 SPARC sun4u & sun4m
        2.6   SPARC sun4u & sun4m
        2.6   x86

    Here's how to reproduce:

        $ telnet some.solaris.box.org 21
        220 some FTP server (SunOS 5.6) ready.

    Now get another term and look for the telnet process.

        $ ps -ef | grep telnet    (for all SysV)
        $ ps -aux | grep telnet   (for all BSD systems)

    Say the PID was 12345.  Now send it a SIGINT or SIGQUIT followed by
    SIGTERM.

        $ kill -2 12345
        $ kill 12345

    At this stage in.ftpd on some.solaris.box.org starts chomping on the
    CPU.  The victim can be local or remote as long as it's a Solaris
    box.  Note that in.ftpd must be Sun's native one; if the machine
    runs, say, wuftp then it will not exhibit this.  The bug only seems
    to work at the server greeting, so there is no need to log in.  In
    fact it probably will not work if you do log in.  The server
    implements a timeout for all connections, logged in or not, and will
    thereafter "clean up" its berserk in.ftpd process.  The effect is
    cumulative... connect 20 times like this and watch the load
    skyrocket.

    Aggelos P. Varvitsiotis added a few more points.  When the in.ftpd
    was left in this "hung" state, doing "truss -p" revealed that ftpd
    keeps on read(2)ing zero bytes from the network socket in a tight
    loop, hence the CPU time consumed.  The most plausible scenario
    (without any kind of access to the source code) is that the client
    telnet, when receiving SIGINT/QUIT, creates an "exception" condition
    on the receiving socket, which is not examined as it should be by
    ftpd.  The next kill is bogus; you might just as well shut down the
    telnet connection (^]-close, tried it out successfully).  It just
    creates an EOF condition on ftpd's input, which is not handled
    appropriately.
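    The tight read(2) loop described above, as an added illustration that
    is not Sun's ftpd source or the reporters' code: a reconstruction of
    the unchecked-EOF pattern next to a loop that treats a zero-byte read
    as the peer hanging up.  The function names and the pipe used as a
    stand-in for the network socket are assumptions.

```c
#include <unistd.h>

#define BUFSZ 64

/* Buggy pattern (a reconstruction of the reported behaviour, not Sun's
 * source): the loop only stops when read(2) fails with -1. Once the peer
 * closes its side, read() returns 0 immediately and forever, so the loop
 * spins without ever blocking. This copy counts consecutive zero-byte
 * reads and gives up at 'cap'; a real daemon has no such cap. */
int spin_on_eof(int fd, int cap)
{
    char buf[BUFSZ];
    int zero_reads = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) != -1) {
        if (n == 0 && ++zero_reads >= cap)  /* EOF is never treated as "done" */
            break;
    }
    return zero_reads;
}

/* Hardened pattern: 0 means end-of-file, -1 means error; stop on both.
 * Returns the number of bytes consumed, or -1 on a read error. */
long read_until_eof(int fd)
{
    char buf[BUFSZ];
    long total = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        total += n;
    return n < 0 ? -1 : total;
}

/* Stand-in for a client that sends one line and then disconnects: a pipe
 * whose write end is closed gives the reader the same EOF a closed TCP
 * peer would (constructed input, no network involved). Returns the read
 * end, or -1 on failure. */
int closed_peer_fd(void)
{
    static const char line[] = "USER anonymous\r\n";  /* 16 bytes */
    int p[2];
    if (pipe(p) == -1)
        return -1;
    if (write(p[1], line, sizeof line - 1) != (ssize_t)(sizeof line - 1))
        return -1;
    close(p[1]);                      /* "peer" hangs up */
    return p[0];
}
```

    With the write end closed, read_until_eof() consumes the 16 bytes
    and returns, while spin_on_eof() keeps getting zero-byte reads until
    its cap, which is the truss -p picture described above.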

SOLUTION

    The following patches are available in relation to the above
    problem:

        SunOS               Patch ID
        -----               ---------
        SunOS 5.6           106301-01
        SunOS 5.6_x86       106302-01
        SunOS 5.5.1         103603-08
        SunOS 5.5.1_x86     103604-08
        SunOS 5.5           103577-08
        SunOS 5.5_x86       103578-08
        SunOS 5.4           101945-59       (to be released in 6 weeks)
        SunOS 5.4_x86       101946-52       (to be released in 6 weeks)
        SunOS 5.3           104938-02