Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remote denial-of-service due to issue in network IO handling #846

Closed
stze opened this issue Oct 19, 2019 · 3 comments
Closed

Remote denial-of-service due to issue in network IO handling #846

stze opened this issue Oct 19, 2019 · 3 comments
Assignees
Milestone

Comments

@stze
Copy link

stze commented Oct 19, 2019

Dear @Castaglia

As discussed, please find below the description of the ProFTPD 1.3.6 denial-of-service issue.

Issue

Remote unauthenticated denial-of-service in ProFTPD 1.3.6, triggered by a malformed network packet due to an incorrect handling of too long commands.

Version

ProFTPD 1.3.6 - ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.6.tar.gz

Description

An unauthenticated attacker can trigger an infinite loop by sending a malformed network packet due to an incorrect handling of too long commands. The issue in the network IO causes a child process that handles the client connection to consume 100% CPU.

If errno is 7 (E2BIG) due to a too long command and the EOF is reached, read() function will always return 0 and will be called indefinitely due to the continue statement:

src/main.c:
...
    if (cmd_buflen < 0) {
      if (errno == E2BIG) {
        /* The client sent a too-long command which was ignored; give
         * them another chance?
         */
        continue;
      }
...

Impact

Remote unauthenticated denial-of-service

Cheers
-Stephan Zeisberg

@Castaglia Castaglia self-assigned this Oct 19, 2019
@Castaglia Castaglia added this to the 1.3.7 milestone Oct 19, 2019
@Castaglia
Copy link
Member

Note that this bug is also present in ProFTPD 1.3.7rc1.

Castaglia added a commit that referenced this issue Oct 19, 2019
Castaglia added a commit that referenced this issue Oct 19, 2019
Issue #846: Handle the case where a client tries to send too-large co…
Castaglia added a commit that referenced this issue Oct 19, 2019
@Castaglia
Copy link
Member

Thanks!

@stze
Copy link
Author

stze commented Oct 21, 2019

CVE-2019-18217

Sashan pushed a commit to Sashan/proftpd that referenced this issue Oct 24, 2019
…arge commands

in an effort to DoS the server.
Sashan pushed a commit to Sashan/proftpd that referenced this issue Dec 16, 2019
…arge commands

in an effort to DoS the server.
Sashan pushed a commit to Sashan/proftpd that referenced this issue Dec 16, 2019
…arge commands

in an effort to DoS the server.
Sashan pushed a commit to Sashan/proftpd that referenced this issue Dec 16, 2019
…arge commands

in an effort to DoS the server.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants