From: Genco YILMAZ (gyilmaz@genco.gen.tc)
Date: Fri 25 Feb 2005 - 23:33:12 EET
selam,
WU-FTPD kullananlarin bilgisine
saygilar
iDEFENSE Labs wrote:
>WU-FTPD File Globbing Denial of Service Vulnerability
>
>iDEFENSE Security Advisory 02.25.05
>www.idefense.com/application/poi/display?id=207&type=vulnerabilities
>February 25, 2005
>
>I. BACKGROUND
>
>WU-FTPD is an ftp daemon for Unix systems developed at Washington
>University. More information is available at:
>
> http://www.wu-ftpd.org/
>
>II. DESCRIPTION
>
>Remote exploitation of an input validation vulnerability in version
>2.6.2 of WU-FPTD could allow for a denial of service of the system by
>resource exhaustion.
>
>The vulnerability specifically exists in the wu_fnmatch() function in
>wu_fnmatch.c. When a pattern containing a '*' character is supplied as
>input, the function calls itself recursively on a smaller substring. By
>supplying a string which contains a large number of '*' characters, the
>system will take a long time to return the results, during which time it
>
>will be using a large amount of CPU time.
>
>III. ANALYSIS
>
>After a user logs into the ftpd, an attacker can send a simple command
>which will cause high CPU utilization.
>
>To exploit this vulnerability, a simple ftp client is sufficient. Once
>logged in, either anonymously or as an authenticated user, issuing the
>following command will cause the machine to become less responsive.
>
>ftp> dir ***************************************************************
> ***************************************************************
> ***************************************************************
> **.*
>
>By re-connecting and issuing the command multiple times, the system can
>be made completely unresponsive. This may prevent legitimate access to
>services provided by the system for the period of the attack.
>
>IV. DETECTION
>
>iDEFENSE has confirmed the existence of this vulnerability in version
>2.6.2 and 2.6.1 of WU-FTPD. It is suspected that previous versions are
>also affected by this vulnerability.
>
>V. WORKAROUND
>Consider disabling the ftpd. If this is not viable as an option,
>consider disabling anonymous access. Disabling anonymous access will not
>
>prevent local users from exploiting this vulnerability.
>
>VI. VENDOR RESPONSE
>
>No vendor response received.
>
>VII. CVE INFORMATION
>
>The Common Vulnerabilities and Exposures (CVE) project has assigned the
>names CAN-2005-0256 to these issues. This is a candidate for inclusion
>in the CVE list (http://cve.mitre.org), which standardizes names for
>security problems.
>
>VIII. DISCLOSURE TIMELINE
>
>02/09/2005 Initial vendor notification - No response
>02/18/2005 Initial vendor notification - No response
>02/25/2005 Public disclosure
>
>IX. CREDIT
>
>Adam Zabrocki (pi3 / pi3ki31ny) is credited with this discovery.
>
>Get paid for vulnerability research
>http://www.idefense.com/poi/teams/vcp.jsp
>
>Free tools, research and upcoming events
>http://labs.idefense.com
>
>X. LEGAL NOTICES
>
>Copyright (c) 2005 iDEFENSE, Inc.
>
>Permission is granted for the redistribution of this alert
>electronically. It may not be edited in any way without the express
>written consent of iDEFENSE. If you wish to reprint the whole or any
>part of this alert in any other medium other than electronically, please
>email customerservice@idefense.com for permission.
>
>Disclaimer: The information in the advisory is believed to be accurate
>at the time of publishing based on currently available information. Use
>of the information constitutes acceptance for use in an AS IS condition.
>There are no warranties with regard to this information. Neither the
>author nor the publisher accepts any liability for any direct, indirect,
>or consequential loss or damage arising from use of, or reliance on,
>this information.
>
>
>
-- Genco YILMAZ
_______________________________________________
Linux-guvenlik mailing list
Linux-guvenlik@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux-guvenlik