Remote denial-of-service due to issue in network IO handling #846

Closed
@stze

Dear @Castaglia

As discussed, please find below the description of the ProFTPD 1.3.6 denial-of-service issue.

Issue

Remote unauthenticated denial-of-service in ProFTPD 1.3.6, triggered by a malformed network packet due to incorrect handling of too-long commands.

Version

ProFTPD 1.3.6 - ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.6.tar.gz

Description

An unauthenticated attacker can trigger an infinite loop by sending a malformed network packet, due to incorrect handling of too-long commands. The issue in the network IO causes a child process that handles the client connection to consume 100% CPU.

If errno is 7 (E2BIG) due to a too-long command and EOF is reached, the read() function will always return 0 and will be called indefinitely due to the continue statement:

src/main.c:
...
    if (cmd_buflen < 0) {
      if (errno == E2BIG) {
        /* The client sent a too-long command which was ignored; give
         * them another chance?
         */
        continue;
      }
...

Impact

Remote unauthenticated denial-of-service

Cheers
-Stephan Zeisberg
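
The retry pattern described in the report, reduced to a self-contained model next to a variant that ends the session on EOF. This is an added example, not ProFTPD's code and not the project's fix. `read_cmd`, `command_loop`, `run_demo`, `CMD_MAX` and `SPIN_CAP` are hypothetical names, the reader's errno behaviour is an assumption made for the model, and the input is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define CMD_MAX  16    /* constructed limit, far below a real server's */
#define SPIN_CAP 1000  /* demo guard: stop counting instead of spinning forever */

/* Hypothetical reader: returns the line length, or -1 on EOF or a too-long line.
 * Assumption: E2BIG is set on overflow and errno is left untouched on EOF. */
static int read_cmd(int fd, char *buf, int *eof) {
  int n = 0, toolong = 0;
  char c;
  for (;;) {
    ssize_t r = read(fd, &c, 1);
    if (r == 0) *eof = 1;
    if (r <= 0) return -1;
    if (c == '\n') break;
    if (n < CMD_MAX) buf[n++] = c; else { toolong = 1; errno = E2BIG; }
  }
  buf[n] = '\0';
  return toolong ? -1 : n;
}
/* Returns the number of reader calls made; check_eof == 0 is the reported pattern. */
static int command_loop(int fd, int check_eof) {
  char buf[CMD_MAX + 1];
  int calls = 0;
  errno = 0;
  while (calls < SPIN_CAP) {
    int eof = 0;
    calls++;
    if (read_cmd(fd, buf, &eof) >= 0) continue;  /* a server would dispatch buf */
    if (check_eof && eof) break;                 /* peer closed: end the session */
    if (errno != E2BIG) break;                   /* otherwise retry on E2BIG only */
  }
  return calls;
}
/* Feeds constructed input through a pipe, then closes the write end (EOF). */
static int run_demo(const char *input, int check_eof) {
  int p[2], calls;
  if (pipe(p) != 0 || write(p[1], input, strlen(input)) < 0) return -1;
  close(p[1]);
  calls = command_loop(p[0], check_eof);
  close(p[0]);
  return calls;
}
int main(void) {
  const char *in = "NOOP\nAAAAAAAAAAAAAAAAAAAAAAAA";  /* constructed sample */
  printf("retry only: %d calls; with EOF check: %d calls\n", run_demo(in, 0), run_demo(in, 1));
  return 0;
}
```

With the retry-only loop the call count runs up to `SPIN_CAP`, which stands in for the 100% CPU spin; with the EOF check the loop ends on the second call.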
