On Wed, Apr 11, 2001 at 12:14 +0200, Sebastian Krahmer wrote:
On Wed, 11 Apr 2001, Lutz Jaenicke wrote:
It seems the security people must work 24/7 these days.
Yesterday http://www.cert.org/advisories/CA-2001-07.html was published with respect to a "glob" vulnerability in ftpd.
And the topic has been discussed for several days now. It's just that CERT released the advisory yesterday ...
While the *BSD people already made some announcements, SuSE did not send out an announcement, yet. (Nothing popped up at wu-ftpd.org, either.) Maybe because it's especially a *BSD problem?
Huh? How is it BSD specific? It's a simple "whenever I send expensive requests to the server the server suddenly gets busy". It's the "I can put down the machine with a fork() loop" kind of pseudo exploits. The ftpd "problem" is that the server accepts wildcards for its LIST command variants.

Huhu? We talk about remotely exploitable buffer overflows, and in fact only BSD versions of glob() are affected. I don't know about ftpds such as wu-ftpd etc. It was claimed that they also contain overflows. The SuSE standard ftpd (which is derived from OBSD's) is believed to be secure (for that specific glob() overflow).

On Wed, 11 Apr 2001, Gerhard Sittig wrote:
I still don't think that it's a program author's fault but more of an administrator's (read: pilot's) error. Apply resource constraints to your services. You have to do so anyway to not suffer too much from possible programming errors as well as DoS attacks. Why not apply them too for "valid" but yet too costly requests? It's plain self-defence by using regular tools from your existing workbench / toolbox. :)
Seems we talk about different bugs/admin errors. An overflow in the software is not the admin's fault. :)

regards,
Sebastian

--
~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~
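As an added illustration of the "apply resource constraints to your services" point made in the thread (this is my own example code, not anything from the mail, from SuSE's ftpd or from the BSD ftpd): a small wrapper that lowers the per-process limits with setrlimit() and then exec()s the service, so an expensive request such as a wildcard LIST can only burn what the administrator allowed. The wrapper name `limitwrap`, the function names and the limit values are assumptions for the example; they are not from the thread.

```c
/* limitwrap: apply per-process resource limits, then exec the service.
 * Added example, not code from the mail thread. Limit values are illustrative. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Set the soft limit of `resource` to `wanted`, clamped to the current hard
 * limit (an unprivileged process may never raise the soft limit above it).
 * Returns 0 on success, -1 with errno set on failure. */
int apply_limit(int resource, rlim_t wanted)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && wanted > rl.rlim_max)
        wanted = rl.rlim_max;            /* cannot exceed the hard limit */
    rl.rlim_cur = wanted;
    return setrlimit(resource, &rl);
}

/* Read back the soft limit currently in effect for `resource`.
 * Returns RLIM_INFINITY on error, so a failed lookup reads as "unbounded". */
rlim_t current_soft_limit(int resource)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return RLIM_INFINITY;
    return rl.rlim_cur;
}

/* The set of limits a service wrapper would apply: CPU seconds (caps a
 * single runaway request), address space (caps memory growth) and number
 * of processes (caps fork() storms). Returns 0 only if all three applied. */
int apply_service_limits(rlim_t cpu_seconds, rlim_t as_bytes, rlim_t nproc)
{
    if (apply_limit(RLIMIT_CPU, cpu_seconds) != 0) return -1;
    if (apply_limit(RLIMIT_AS, as_bytes) != 0) return -1;
    if (apply_limit(RLIMIT_NPROC, nproc) != 0) return -1;
    return 0;
}

/* Usage: ./limitwrap /path/to/ftpd [args...]
 * Resource limits survive exec, so the service starts constrained. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    /* 60 CPU seconds, 64 MiB of address space, at most 32 processes:
     * illustrative values, tune them for the real service. */
    if (apply_service_limits(60, 64UL * 1024 * 1024, 32) != 0) {
        fprintf(stderr, "setrlimit: %s\n", strerror(errno));
        return 1;
    }
    execvp(argv[1], argv + 1);
    fprintf(stderr, "exec %s: %s\n", argv[1], strerror(errno));
    return 1;
}
```

The same effect can be had without a separate program by running the service from a shell with `ulimit -t`/`ulimit -u` set, or from an inetd/xinetd configuration that supports per-service limits; the wrapper just makes the clamping explicit and checkable.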