FTP exploit?

Is there a (fairly) recent exploit for common ftp daemons going around
lately? In the past several days, I've seen a very noticeable jump in
the number of people attempting anonymous ftp logins. Typically I
noticed it once or twice a week, and usually single attempts, but now
they're coming in every few hours and they each make 4 attempts within
a second (which is one per IP bound to the box I'm watching). It looks
like it has to be some kind of script.

Anyone else seeing any noticeable increases like this?

-c
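
The pattern described in the post above (one source attempting anonymous logins against every IP bound to the box within about a second) can be picked out of FTP connection logs. This is an added example, not part of the original thread; the log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format:
# timestamp, source address, local address, FTP USER command.
SAMPLE_LOG = """\
2001-03-19T13:01:39.100 src=198.51.100.7 dst=192.0.2.10 USER anonymous
2001-03-19T13:01:39.350 src=198.51.100.7 dst=192.0.2.11 USER anonymous
2001-03-19T13:01:39.600 src=198.51.100.7 dst=192.0.2.12 USER ftp
2001-03-19T13:01:39.900 src=198.51.100.7 dst=192.0.2.13 USER anonymous
2001-03-19T14:20:05.000 src=203.0.113.44 dst=192.0.2.10 USER anonymous
2001-03-19T15:02:11.000 src=203.0.113.9 dst=192.0.2.10 USER alice
2001-03-19T15:02:11.400 src=203.0.113.9 dst=192.0.2.11 USER alice
"""
ANON_USERS = {"anonymous", "ftp"}  # both names select anonymous FTP

def parse(line):
    """Return (time, src, dst, user), or None for lines that do not match."""
    parts = line.split()
    if (len(parts) != 5 or parts[3] != "USER"
            or not parts[1].startswith("src=") or not parts[2].startswith("dst=")):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1][4:], parts[2][4:], parts[4].lower()

def find_sweeps(log_text, min_targets=3, window=timedelta(seconds=1)):
    """Map each source to the local IPs it tried anonymously within one window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[3] in ANON_USERS:
            by_src[rec[1]].append((rec[0], rec[2]))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets and len(targets) > len(sweeps.get(src, ())):
                sweeps[src] = sorted(targets)
    return sweeps

if __name__ == "__main__":
    for src, targets in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: anonymous FTP sweep across {len(targets)} local IPs: {targets}")
```

A single anonymous login to one address, or a named user connecting to several addresses, is not flagged; only the burst across multiple local IPs is.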

My snort logs (on my home network) show at least one scan like that
every day, usually two or more.

Ben

On Mon, Mar 19, 2001 at 01:01:39PM -0800, Clayton Fiske had this to say:

> Is there a (fairly) recent exploit for common ftp daemons going around
> lately? In the past several days, I've seen a very noticeable jump in
> the number of people attempting anonymous ftp logins. Typically I
> noticed it once or twice a week, and usually single attempts, but now
> they're coming in every few hours and they each make 4 attempts within
> a second (which is one per IP bound to the box I'm watching). It looks
> like it has to be some kind of script.
>
> Anyone else seeing any noticeable increases like this?

probably due to the increasingly long thread on vulnerabilities in ftpds that
is going on over in BUGTRAQ. Nothing too new, but every time a new 'sploit' is
released there, every kiddie on the block just has to try it.

> probably due to the increasingly long thread on vulnerabilities in ftpds that
> is going on over in BUGTRAQ. Nothing too new, but every time a new 'sploit' is
> released there, every kiddie on the block just has to try it.

to be a bit more specific.

the exploit/bug comes from a problem with globbing.
(ie: ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*)

affected ftp daemons are the majority of them (proftpd etc)
except ncftpd and glftpd from what i've seen.

it was another one of those 'i'm so elite i'm going to
notify the vendors 30 minutes before posting to bugtraq'
so right now vendors are working on latest versions.

cheers,
-ken harris.

> it was another one of those 'i'm so elite i'm going to
> notify the vendors 30 minutes before posting to bugtraq'

15 minutes. And this <censored> even ran a DoS attack against
ftp.proftpd.org to prove his point.

> so right now vendors are working on latest versions.

For ProFTPD a workaround exists. For the interested ones:
http://www.proftpd.org/critbugs.html

Best regards,
Daniel (ProFTPD RPM packaging maintainer)