COMMAND

    ProFTPD file globbing vulnerability

SYSTEMS AFFECTED

    Tested on Slackware 8:
    ProFTPD 1.2.4
    ProFTPD 1.2.2rc3
    Tested on Debian:
    ProFTPD 1.2.4 Server (Debian)
    ProFTPD 1.2.0pre10 not vulnerable

PROBLEM

    Mattias reported the following bug:

    A problem in handling file globbing exists in the current version of
    ProFTPD 1.2.4 (but it's fixed in the Candidate version: 1.2.5rc1). This
    is very similar to the wu-ftpd bug ("ls ~{") and occurs when you issue
    the command:

        ls ///////////

    (11 or more '/'). The ftpd-child dies with signal 11 (SEGV), but the
    server stays up. The question is if it's possible to do something nasty
    with this!?

    DETAILS
    =======

    The Segmentation Fault occurs when the server tries to free unallocated
    memory with a free()-function and it could be a heap corruption
    vulnerability. It's in the file lib/glibc-glob.c in function
    void globfree (pglob) the SEGV occurs.

    Here is how I tested it. Login as ftp (anonymous) and issue the command:

        ftp> ls ///////////
        200 PORT command successful.
        150 Opening ASCII mode data connection for file list.
        421 Service not available, remote server has closed connection
        ftp>

    And the debug messages read (proftpd -n -d 5):

        dispatching PRE_CMD command 'LIST ///////////' to mod_core
        dispatching CMD command 'LIST ///////////' to mod_ls
        active data connection opened - local : 127.0.0.1:20
        active data connection opened - remote : 127.0.0.1:1286
        in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
        ProFTPD terminating (signal 11)

SOLUTION

    Upgrade to version 1.2.5rc1.
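
A log check for the crash signature described above, as an added example (not part of the original advisory or of ProFTPD): it scans `proftpd -n -d 5` debug output for a mod_ls command whose argument holds 11 or more consecutive '/' and reports whether a signal 11 termination follows. The function name `scan`, the 10-line correlation window and the one-session-per-log assumption are choices made for this example; the sample log is constructed from the advisory's lines.

```python
import re

SLASHES = "/" * 11  # the advisory's threshold: 11 or more '/'

# Constructed sample: the advisory's debug lines plus one benign LIST in front.
SAMPLE_LOG = f"""\
dispatching CMD command 'LIST /pub' to mod_ls
dispatching PRE_CMD command 'LIST {SLASHES}' to mod_core
dispatching CMD command 'LIST {SLASHES}' to mod_ls
active data connection opened - local : 127.0.0.1:20
in dir_check_full(): path = '/', fullpath = '/home/ftp/'.
ProFTPD terminating (signal 11)
"""

# Line shapes taken from the debug output quoted in the advisory.
CMD_RE = re.compile(r"dispatching CMD command '(\w+) (.*)' to mod_ls")
CRASH_RE = re.compile(r"ProFTPD terminating \(signal (\d+)\)")
SLASH_RUN_RE = re.compile(r"/{11,}")


def scan(log_text, window=10):
    """Flag mod_ls commands whose argument has a long slash run and note
    whether a signal 11 termination follows within `window` lines.
    Assumption: one session per log, as in the advisory's test run."""
    findings = []
    open_idx = None   # index in findings of the latest suspicious command
    lines_left = 0
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        cmd = CMD_RE.search(line)
        crash = CRASH_RE.search(line)
        if cmd and SLASH_RUN_RE.search(cmd.group(2)):
            findings.append({"line": lineno, "command": cmd.group(1),
                             "argument": cmd.group(2), "crashed": False})
            open_idx, lines_left = len(findings) - 1, window
        elif crash and open_idx is not None and crash.group(1) == "11":
            findings[open_idx]["crashed"] = True
            findings[open_idx]["crash_line"] = lineno
            open_idx = None
        elif open_idx is not None:
            lines_left -= 1
            if lines_left <= 0:
                open_idx = None   # crash too far away to attribute
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `crashed` left at False means the request was logged but no signal 11 followed inside the window.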