Date: Thu, 3 Jan 2002 18:16:45 +0700
From: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
To: stable@freebsd.org
Subject: How to make stock ftpd crash
Message-ID: <20020103181645.A99459@svzserv.kemerovo.su>
Hi!
I've found a 100% repeatable way to segfault the stock ftpd (FreeBSD 4.4-STABLE).
I run it from /etc/inetd.conf:
ftp stream tcp nowait/50/120 root /usr/libexec/ftpd ftpd -llSd
Here is a log of connection:
Jan 3 18:00:38 <ftp.info> www ftpd[99297]: connection from kost (213.184.65.82)
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: <--- 220
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: www.svzserv.kemerovo.su FTP server (Version 6.00LS) ready.
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: command: USER ftp
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: <--- 331
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: Guest login ok, send your email address as password.
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: command: PASS eugen@iname.com
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: <--- 230
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: Guest login ok, access restrictions apply.
Jan 3 18:00:38 <ftp.info> www ftpd[99297]: ANONYMOUS FTP LOGIN FROM kost, eugen@iname.com
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: command: PWD
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: <--- 257
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: "/" is current directory.
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: command: SYST
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: <--- 215
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: UNIX Type: L8 Version: BSD-199506
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: command: CWD /pub/FreeBSD/ports/distfiles
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: <--- 250
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: CWD command successful.
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: command: PWD
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: <--- 257
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: "/pub/FreeBSD/ports/distfiles" is current directory.
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: command: PASV
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: <--- 227
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: Entering Passive Mode (213,184,65,80,200,151)
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: command: LIST
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: <--- 150
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: Opening ASCII mode data connection for '/bin/ls'.
Jan 3 18:00:39 <ftp.debug> www ftpd[99297]: <--- 226
Jan 3 18:00:39 <ftp.debug> www ftpd[99297]: Transfer complete.
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: command: TYPE I
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: <--- 200
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: Type set to I.
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: command: PASV
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: <--- 227
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: Entering Passive Mode (213,184,65,80,200,152)
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: command: RETR pkg_tarup?rev=1.2&content-type=text%2fplain
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: <--- 150
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: Opening BINARY mode data connection for 'pkg_tarup?rev=1.2&content-type=text%2fplain' (2512 bytes).
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: <--- 226
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: Transfer complete.
Jan 3 18:00:40 <ftp.info> www ftpd[99297]: get pub/FreeBSD/ports/distfiles/pkg_tarup?rev=1.2&content-type=text%2fplain = 2512 bytes
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: command: ABOR
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: <--- 426
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: Transfer aborted. Data connection closed.
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: <--- 226
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: Abort successful
Here ftpd died with signal 11.
The client was FAR 1.63 (by Eugene Roshal) running on Windows95OSR2 with a
FAT32 filesystem. It requested a file named
pkg_tarup?rev=1.2&content-type=text%2fplain
but could not create such a file on its filesystem, so it sent ABOR.
The file is small (2512 bytes) and the link is fast, 100Mb ethernet.
My ftpd is compiled with debug info and I've enabled the creation of core files,
so I can supply the output of gdb:
Script started on Thu Jan 3 18:13:34 2002
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `ftpd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libskey.so.2...done.
Reading symbols from /usr/lib/libmd.so.2...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libutil.so.3...done.
Reading symbols from /usr/lib/libpam.so.1...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0 0x804c9b0 in retrieve (cmd=0x0,
name=0x60004 <Address 0x60004 out of bounds>) at ftpd.c:1469
1469 LOGBYTES("get", name, byte_count);
(gdb) l 1469
1464 (void) fclose(dout);
1465 data = -1;
1466 pdata = -1;
1467 done:
1468 if (cmd == 0)
1469 LOGBYTES("get", name, byte_count);
1470 (*closefunc)(fin);
1471 }
1472
1473 void
(gdb) p name
$1 = 0x60004 <Address 0x60004 out of bounds>
(gdb) p byte_count
$2 = 2512
(gdb) quit
Script done on Thu Jan 3 18:13:57 2002
I can reproduce this any time.
Not sure if there might be any security issues.
After all, ftpd does chroot for anonymous.
Eugene Grosbein
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020103181645.A99459>
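A log check for the pattern in the session above, added here by the editor (not code from the report or from FreeBSD): it groups ftpd -llSd syslog lines by child PID and flags sessions whose last logged command is an acknowledged ABOR with nothing logged afterwards, which is what the crashed session looks like. The sample lines are constructed: PID 99297 is abridged from the report, PID 99310 is a made-up healthy session that ends with QUIT.

```python
import re
from collections import defaultdict

# Constructed sample in the format of FreeBSD ftpd -llSd syslog output.
# PID 99297 is abridged from the report (ends after ABOR); PID 99310 is made up.
SAMPLE_LOG = """\
Jan 3 18:00:38 <ftp.info> www ftpd[99297]: connection from kost (213.184.65.82)
Jan 3 18:00:38 <ftp.debug> www ftpd[99297]: command: USER ftp
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: command: RETR pkg_tarup?rev=1.2&content-type=text%2fplain
Jan 3 18:00:40 <ftp.info> www ftpd[99297]: get pub/FreeBSD/ports/distfiles/pkg_tarup?rev=1.2&content-type=text%2fplain = 2512 bytes
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: command: ABOR
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: <--- 426
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: <--- 226
Jan 3 18:00:40 <ftp.debug> www ftpd[99297]: Abort successful
Jan 3 18:05:01 <ftp.info> www ftpd[99310]: connection from kost (213.184.65.82)
Jan 3 18:05:01 <ftp.debug> www ftpd[99310]: command: USER ftp
Jan 3 18:05:02 <ftp.debug> www ftpd[99310]: command: RETR README
Jan 3 18:05:02 <ftp.info> www ftpd[99310]: get pub/README = 1024 bytes
Jan 3 18:05:03 <ftp.debug> www ftpd[99310]: command: QUIT
Jan 3 18:05:03 <ftp.debug> www ftpd[99310]: <--- 221
Jan 3 18:05:03 <ftp.debug> www ftpd[99310]: Goodbye.
"""

# timestamp, <ftp.level>, host, ftpd[pid]: message
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) <ftp\.\w+> \S+ ftpd\[(\d+)\]: (.*)$")

def sessions_by_pid(log):
    """Group message texts by ftpd child PID, preserving log order."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[int(m.group(2))].append(m.group(3))
    return sessions

def aborted_without_quit(msgs):
    """True when the last command the child logged is ABOR, the abort was
    acknowledged, and no further command (in particular no QUIT) follows."""
    commands = [i for i, m in enumerate(msgs) if m.startswith("command: ")]
    if not commands or msgs[commands[-1]] != "command: ABOR":
        return False
    return "Abort successful" in msgs[commands[-1]:]

def find_suspect_sessions(log):
    """Return PIDs of sessions that went silent right after a successful ABOR."""
    return sorted(pid for pid, msgs in sessions_by_pid(log).items()
                  if aborted_without_quit(msgs))

if __name__ == "__main__":
    print("suspect ftpd sessions:", find_suspect_sessions(SAMPLE_LOG))
```

A hit is only a hint that the child died; confirm it against a core file or a kernel "pid N (ftpd), uid 0: exited on signal 11" message.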
