OT: There seems to be something strange with your MUA. Look at this header:

Cc: "Lupe Christoph"@murphy.debian.org, " <[EMAIL PROTECTED]>"@murphy.debian.org

On Thursday, 2006-11-30 at 12:57:53 +0100, Stefan Fritsch wrote:

> > The attacks ceased before I noticed, so I was not able to capture a TCP
> > stream. I would just like to alert people that there is still some
> > vulnerability in the ProFTPD code that was not fixed by DSA-1218-1.

> yes, there are two open vulnerabilities in proftpd. A DSA should be in the
> works, but I don't know the current status.

Good to know. I found out in the meantime that this host does not need to
expose FTP to the world, and the hole has been plugged in the firewall.
Which also means that I will not be able to get more details from this
machine. I'd need to set up a honeypot.

> One is CVE-2006-5815 and the other is a mod_tls vulnerability without CVE
> id yet. AFAIK there is no exploit for sarge's 1.2.x for CVE-2006-5815 yet.
> So I would expect this to be the mod_tls vulnerability. Do you have
> mod_tls enabled? Try connecting to your server with telnet and enter FEAT
> and see whether it returns AUTH TLS.

Nope:

211-Features:
211-MDTM
211-REST STREAM
211-SIZE
211 End

> There is a thread about this at
> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000972.html

CVE-2006-5815: "Buffer overflow in ProFTPD 1.3.0 and earlier, when
configured to use the CommandBufferSize directive ...". This directive is
not in the default Debian Config file, I believe, and it isn't in the one
on that machine.

I believe this is similar to 308313 or 301275. This ProFTPD is started
from inetd, so it's probably a matter of timing if the segfault occurs or
not. If that is the case, it's not even a DoS opportunity as each
connection gets a fresh proftpd process.

Thanks for your feedback.
Lupe Christoph
--
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                                |
|   Rockhound in "Armageddon", 1998, about the Space Shuttle             |
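
The FEAT check discussed in the message above, as an added example that is not part of the original thread: it parses a FEAT reply in both the RFC 2389 layout and the "211-" prefixed layout quoted above, and reports whether AUTH TLS is advertised. The function names and the second sample reply are constructed for illustration; fetch_feat() is meant for a server you administer.

```python
import ftplib
import re

# Constructed sample: the reply quoted in the message, one reply line per line.
SAMPLE_NO_TLS = "211-Features:\n211-MDTM\n211-REST STREAM\n211-SIZE\n211 End"
# Constructed sample in the RFC 2389 layout (feature lines start with a space).
SAMPLE_TLS = "211-Extensions supported:\r\n AUTH TLS\r\n MDTM\r\n PBSZ\r\n PROT\r\n211 End\r\n"


def parse_feat(reply):
    """Return {FEATURE: parameters} from the raw text of a FEAT reply."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("211"):
        raise ValueError("not a 211 FEAT reply: %r" % lines[:1])
    if lines[0].startswith("211 "):
        return {}  # single-line 211 reply: no features listed
    if len(lines) < 2 or not lines[-1].startswith("211 "):
        raise ValueError("multi-line reply has no terminating '211 ' line")
    features = {}
    for ln in lines[1:-1]:
        # Accept " NAME params" (RFC 2389) and "211-NAME params" (as quoted above).
        body = ln[4:] if ln.startswith("211-") else ln
        name, _, params = body.strip().partition(" ")
        features[name.upper()] = params.strip()
    return features


def advertises_auth_tls(reply):
    """True if the AUTH feature lists TLS (or a TLS-C / TLS-P variant)."""
    params = parse_feat(reply).get("AUTH", "")
    mechanisms = [m.upper() for m in re.split(r"[;,\s]+", params) if m]
    return any(m.split("-")[0] == "TLS" for m in mechanisms)


def fetch_feat(host, port=21, timeout=10):
    """Send FEAT before login and return the raw reply text."""
    ftp = ftplib.FTP(timeout=timeout)
    ftp.connect(host, port)
    try:
        return ftp.sendcmd("FEAT")  # multi-line replies come back joined by "\n"
    finally:
        ftp.close()


if __name__ == "__main__":
    for label, reply in (("quoted reply", SAMPLE_NO_TLS), ("TLS sample", SAMPLE_TLS)):
        print(label, "-> AUTH TLS advertised:", advertises_auth_tls(reply))
```

A server that answers FEAT without an AUTH line is not offering TLS negotiation on the control channel.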