Bug 45738 - oftpd DoS vulnerability
Summary: oftpd DoS vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.time-travellers.org/oftpd/...
Whiteboard:
Keywords: SECURITY
Depends on:
Blocks:
 
Reported: 2004-03-25 13:16 UTC by Shane Kerr
Modified: 2004-10-30 22:02 UTC

See Also:
Package list:
Runtime testing required: ---
klieber: Pending-


Description Shane Kerr 2004-03-25 13:16:17 UTC
Bogus command can take server off-line.

Reproducible: Always
Steps to Reproduce:
1. telnet to ftp.server.com on port 21 and type "port 300" and return.

Actual Results:  
FTP service goes off-line.

Expected Results:  
Not go off-line?  Hm.
Comment 1 solar (RETIRED) gentoo-dev 2004-03-25 16:53:06 UTC
Quote from URL above.
------------------------------------------
I received the following e-mail.  I was travelling at the time, but put together a patch on the flight home.  It took me a couple of weeks to release it, partially due to travel and partially due to laziness.

Shane Kerr
2004-03-25


Date: Thu, 04 Mar 2004 22:48:49 +0100
From: Philippe Oechslin <philippe.oechslin@epfl.ch>
Subject: DoS vulnerability in oftpd
To: shane@time-travellers.org

Hello Shane,

We have found a simple denial of service vulnerability in your oftpd FTP
server (v 0.3.6).

Vulnerability:

When the server receives a port command with a number that is higher than
255 the server crashes and has to be restarted manually. The port command
can even be given before the user has given a username and a password. 
 
Consequence:

Denial of service. An ftp server can be taken offline with a simple telnet
connection. 

Exploit:

telnet to ftp.server.com on port 21 and type "port 300" and return. The
server crashes.

Tested on:

- oftpd server 0.3.6 on Suse Linux 8.2


Discovered by: Andreas Rueegg and Philippe Oechslin of the Security Bug
Catcher project (http://lasecwww.epfl.ch/philippe.shtml). The security bug
catcher is a tool to automatically find vulnerabilities. We are currently
running tests on scores of FTP servers and notifying vendors when we find
something.

------------------------------------------------------------

Version bumped in portage to 0.3.7

KEYWORDS="~x86 ~sparc ~ppc ~ppc64"

epm -q -l oftpd
/usr/sbin/oftpd
/usr/share/man/man8/oftpd.8.gz
/usr/share/doc/oftpd-0.3.7/AUTHORS.gz
/usr/share/doc/oftpd-0.3.7/BUGS.gz
/usr/share/doc/oftpd-0.3.7/COPYING.gz
/usr/share/doc/oftpd-0.3.7/INSTALL.gz
/usr/share/doc/oftpd-0.3.7/FAQ.gz
/usr/share/doc/oftpd-0.3.7/NEWS.gz
/usr/share/doc/oftpd-0.3.7/README.gz
/usr/share/doc/oftpd-0.3.7/TODO.gz
/home/ftp
/etc/init.d/oftpd

-----
Please test.
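The report above boils down to an input-validation failure: a PORT argument that is not six decimal fields in the range 0..255 must be rejected with a 501 reply, never acted on, and a session that has not completed USER/PASS should get a 530 rather than any data-connection handling at all. The following C example is an added illustration written for this bug page; it is not oftpd's code (the report does not show the fix), and the function names, the `port_cmd_t` type and the exact reply strings are assumptions chosen for the example.

```c
#include <stdio.h>
#include <ctype.h>
#include <stdint.h>
#include <stddef.h>

/* Parsed form of a PORT argument "h1,h2,h3,h4,p1,p2" (hypothetical type). */
typedef struct {
    uint8_t  ip[4];
    uint16_t port;
} port_cmd_t;

/* Parse a PORT argument strictly: exactly six comma-separated decimal
 * fields, each 0..255, no leading/trailing junk. Returns 0 on success and
 * -1 on any malformed input; it never aborts, so "300" (the value from the
 * report) is refused instead of taking the server down. */
int parse_port_arg(const char *arg, port_cmd_t *out)
{
    unsigned fields[6];
    const char *p = arg;

    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*p))
            return -1;                     /* empty field or non-digit */
        unsigned v = 0;
        int digits = 0;
        while (isdigit((unsigned char)*p)) {
            v = v * 10 + (unsigned)(*p - '0');
            if (v > 255 || ++digits > 3)
                return -1;                 /* out of range, e.g. "300" or "256" */
            p++;
        }
        fields[i] = v;
        if (i < 5) {
            if (*p != ',')
                return -1;                 /* too few fields, e.g. a bare "300" */
            p++;
        }
    }
    if (*p != '\0')
        return -1;                         /* too many fields or trailing junk */

    for (int i = 0; i < 4; i++)
        out->ip[i] = (uint8_t)fields[i];
    out->port = (uint16_t)((fields[4] << 8) | fields[5]);
    return 0;
}

/* Convenience wrapper: the data port encoded in arg, or -1 if invalid. */
int port_from_arg(const char *arg)
{
    port_cmd_t pc;
    return parse_port_arg(arg, &pc) == 0 ? (int)pc.port : -1;
}

/* Decide the reply for a PORT line. logged_in says whether USER/PASS has
 * completed; the report notes the crash was reachable before login, so the
 * authentication check comes first. Returns the FTP reply code and, when a
 * buffer is supplied, the reply text. */
int handle_port_command(int logged_in, const char *arg, char *reply, size_t n)
{
    port_cmd_t pc;

    if (!logged_in) {
        if (reply) snprintf(reply, n, "530 Please login with USER and PASS.");
        return 530;
    }
    if (parse_port_arg(arg, &pc) != 0) {
        if (reply) snprintf(reply, n, "501 Syntax error in parameters or arguments.");
        return 501;
    }
    if (reply)
        snprintf(reply, n, "200 PORT command successful (%u.%u.%u.%u:%u).",
                 pc.ip[0], pc.ip[1], pc.ip[2], pc.ip[3], pc.port);
    return 200;
}

int main(void)
{
    /* Constructed sample arguments, including the "300" from the report. */
    const char *samples[] = { "300", "10,0,0,5,4,1", "10,0,0,5,256,1", "1,2,3,4,5,6,7" };
    char reply[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        handle_port_command(1, samples[i], reply, sizeof reply);
        printf("PORT %-16s -> %s\n", samples[i], reply);
    }
    return 0;
}
```

Run stand-alone, the program prints a 501 for the three malformed arguments and a 200 for the well-formed one; the point of the design is that every rejection path is a reply, so a single bogus line from an unauthenticated telnet session cannot leave the daemon in a state that needs a manual restart.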
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2004-03-25 17:20:10 UTC
manson has not been a dev for quite a while, we need to get his email addy changed
Comment 3 Seemant Kulleen (RETIRED) gentoo-dev 2004-03-25 17:20:39 UTC
adding others who might want to take (temporary) ownership of this package
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2004-03-25 18:43:58 UTC
I'll take it temporarily... I'll verify the fix and modify the init script which is saying to set stuff in rc.conf which should be in /etc/conf.d ...
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2004-03-25 19:04:13 UTC
ok.  I fixed up the conf/init scripts a bit and marked the security fix stable in x86.
Comment 6 Jeremy Huddleston (RETIRED) gentoo-dev 2004-03-25 19:46:26 UTC
this fix needs testing on sparc, ppc, and ppc64.  Please test out on your arches.  does ppc64 have its own address or is it part of ppc?

Thanks.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-03-25 21:14:08 UTC
Stable on sparc.
Comment 8 Jeremy Huddleston (RETIRED) gentoo-dev 2004-03-26 20:42:42 UTC
ppc guys, please test this out ASAP so we can release the GLSA.
Comment 9 Luca Barbato gentoo-dev 2004-03-27 15:28:19 UTC
Marked ppc
Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev 2004-03-28 16:52:48 UTC
Ok, then this is ready for a GLSA...
Comment 11 Kurt Lieber (RETIRED) gentoo-dev 2004-03-29 07:25:45 UTC
GLSA 200403-08

closing.