Date: Thu, 15 Mar 2001 15:52:34 -0800
From: Alfred Perlstein <bright@wintelcom.net>
To: Antonio Carlos Pina <apina@infolink.com.br>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315155234.G29888@fw.wintelcom.net>
In-Reply-To: <3ab14d6c.31f.0@infolink.com.br>; from apina@infolink.com.br on Thu, Mar 15, 2001 at 08:17:00PM -0500
References: <3ab14d6c.31f.0@infolink.com.br>

* Antonio Carlos Pina <apina@infolink.com.br> [010315 15:17] wrote:
> Hello,
>
> Actually I think this highly depends on HOW MANY files and
> directories FTPD can access.
>
> I didn't see any damage with a jailed FTPD with 1 directory and 2
> files.

The only reason you didn't see a problem was because you had only
one directory.

The DoS works via a simple mechanism.

if you have a dir with two directories in it 'a' and 'b'

*/../       -> a/.. b/..
*/../*/..   -> a/../a/.. a/../b/.. b/../a/.. b/../b/..

basically for each ../*/ you do a power N where N is the number
of directories.

How could this be fixed? I think it's somewhat simple, have glob()
maintain a truncated version of paths and make sure that any collisions
are detected.

Of course this is only speculation since I haven't looked at the code.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
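
The expansion growth and the collision-detection idea described in the message, as an added example that is not part of the original e-mail and is not FreeBSD's glob() code. The in-memory tree and the names `expand`, `lookup` and `dos_pattern` are hypothetical, and the lexical ".." collapsing assumes a tree without symlinks.

```python
import posixpath

# Constructed sample: a directory holding only the subdirectories 'a' and 'b',
# the layout used in the message. Nested dicts stand in for the filesystem.
TREE = {"a": {}, "b": {}}

def lookup(tree, path):
    """Return the directory node for a normalized relative path, else None."""
    node = tree
    for part in path.split("/"):
        if part != ".":
            node = node.get(part)
            if node is None:
                return None
    return node

def expand(tree, pattern, dedupe):
    """Expand a pattern of '*' and '..' components, one component at a time.

    Every candidate carries its literal path plus a truncated (lexically
    normalized) path. With dedupe=True, candidates whose truncated paths
    collide are merged. Returns (matches, peak candidate count).
    """
    candidates, peak = [("", ".")], 1
    for comp in pattern.split("/"):
        nxt, seen = [], set()
        for literal, trunc in candidates:
            names = sorted(lookup(tree, trunc)) if comp == "*" else [comp]
            for name in names:
                new_trunc = posixpath.normpath(posixpath.join(trunc, name))
                if lookup(tree, new_trunc) is None:
                    continue  # not a directory inside the tree
                if dedupe and new_trunc in seen:
                    continue  # collision: this directory is already queued
                seen.add(new_trunc)
                nxt.append((posixpath.join(literal, name), new_trunc))
        candidates = nxt
        peak = max(peak, len(candidates))
    return [literal for literal, _ in candidates], peak

def dos_pattern(k):
    """The pattern from the message: '*/..' repeated k times."""
    return "/".join(["*/.."] * k)

if __name__ == "__main__":
    for k in (1, 2, 10):
        naive, _ = expand(TREE, dos_pattern(k), dedupe=False)
        merged, peak = expand(TREE, dos_pattern(k), dedupe=True)
        print(k, len(naive), len(merged), peak)
```

With merging enabled only one literal spelling of each directory is returned, so the output differs from a plain expansion; the working set stays bounded by the number of directories instead of growing with each repetition.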