From owner-freebsd-hackers  Tue Sep  9 07:41:28 1997
Return-Path: <owner-freebsd-hackers>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id HAA12506
          for hackers-outgoing; Tue, 9 Sep 1997 07:41:28 -0700 (PDT)
Received: from pds-gateway.pdspc.com ([207.7.39.130])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA12498
          for <freebsd-hackers@FreeBSD.ORG>; Tue, 9 Sep 1997 07:41:25 -0700 (PDT)
Received: by pds-gateway.pdspc.com with Internet Mail Service (5.0.1457.3)
	id <S1XQNZKY>; Tue, 9 Sep 1997 09:42:56 -0500
Message-ID: <91DD7FDA88E4D011BED00000C0DD87E70BE975@pds-gateway.pdspc.com>
From: Kenny Hanson <khanson@pdspc.com>
To: "'Josef Karthauser'" <joe@pavilion.net>
Cc: "FreeBSD Hackers (E-mail)" <freebsd-hackers@FreeBSD.ORG>
Subject: RE: FTP compromise.
Date: Tue, 9 Sep 1997 09:42:54 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I just successfully shot my cpu utilization up to 100% without any hopes
of seeing it come down.  I had to kill the ftp process before the system
returned to a normal state.  This is definitely D.O.S... anybody out
there
have any ideas on how to erradicate this?  I ran this for 15 minutes
before
I had to stop because it is on a production server...

> -----Original Message-----
> From:	Josef Karthauser [SMTP:joe@pavilion.net]
> Sent:	Tuesday, September 09, 1997 8:44 AM
> To:	security@FreeBSD.ORG
> Subject:	FTP compromise.
> 
> ll versions)
> 
> TESTED:         BSDI 3.0 (all patches), FreeBSD 2.2.1
> 
> DATE:           15th Aug 1997
> 
> REPEAT BY:      Log into a wu_ftp server (either anonymously or as a
> user)
>                 and issue the command...
>                 
>                 nlist
> ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
> 
> ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
> 
> ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
>                 ../*/../*/../*/../*/../*../*../*
> 
> DESCRIPTION:    You can severly compromise the ftp servers
> performance.
>                 This command will create a HUGE directory listing, no
>                 matter how many files/directories are in the current 
>                 directory (this is recursive).
> 
> CONSEQUENCES:   These vary.  On my FreeBSD 2.2 box I was able to eat
> up
>                 all memory and swap memory until the kernel spewed
>                 "out of swap space" errors and killed a few processes.
>                 It also eats up all available CPU space (up to 99.22%
>                 on my box).  If repeated a few times you will no
>                 longer use up swap space and the processor usage will
>                 rocket and stay there for quite a while (hours).
> Since
>                 the ftpd program is still processing the command your
>                 ftp session will not idle timeout.  However, if you
>                 do decide to kill your attacking ftp session, ftpd
>                 will still process teh command and therefore, the
> hosts
>                 resources will take a beating.
> 
>                 Basically, it looks like any user can severely drain
>                 your systems resources - a kind of Denial of Service
>                 attack.  I was able to use up all remaining processor
>                 time for two hours (would have gone on for much longer
>                 only I got bored and kill it).
> 
> CONTACT:        You can email me at ener@shell.firehouse.net if you
>                 want to discuss this problem further (or let me know
>                 if it works on any other ftpd).
> I found this today.  Any comments?
> 
> 
> BUG:            wu_ftpd (all versions)
> 
> TESTED:         BSDI 3.0 (all patches), FreeBSD 2.2.1
> 
> DATE:           15th Aug 1997
> 
> REPEAT BY:      Log into a wu_ftp server (either anonymously or as a
> user)
>                 and issue the command...
>                 
>                 nlist
> ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
> 
> ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
> 
> ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
>                 ../*/../*/../*/../*/../*../*../*
> 
> DESCRIPTION:    You can severly compromise the ftp servers
> performance.
>                 This command will create a HUGE directory listing, no
>                 matter how many files/directories are in the current 
>                 directory (this is recursive).
> 
> CONSEQUENCES:   These vary.  On my FreeBSD 2.2 box I was able to eat
> up
>                 all memory and swap memory until the kernel spewed
>                 "out of swap space" errors and killed a few processes.
>                 It also eats up all available CPU space (up to 99.22%
>                 on my box).  If repeated a few times you will no
>                 longer use up swap space and the processor usage will
>                 rocket and stay there for quite a while (hours).
> Since
>                 the ftpd program is still processing the command your
>                 ftp session will not idle timeout.  However, if you
>                 do decide to kill your attacking ftp session, ftpd
>                 will still process teh command and therefore, the
> hosts
>                 resources will take a beating.
> 
>                 Basically, it looks like any user can severely drain
>                 your systems resources - a kind of Denial of Service
>                 attack.  I was able to use up all remaining processor
>                 time for two hours (would have gone on for much longer
>                 only I got bored and kill it).
> 
> CONTACT:        You can email me at ener@shell.firehouse.net if you
>                 want to discuss this problem further (or let me know
>                 if it works on any other ftpd).
> 
> -- 
> Josef Karthauser        
> Technical Manager       Email: joe@pavilion.net
> Pavilion Internet plc.  [Tel: +44 1273 607072  Fax: +44 1273 607073]