[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] FTPD DoS

Subject: Re: [cobalt-security] FTPD DoS
From: Gossi The Dog <gossi@xxxxxxxxxxxxxx>
Date: Wed, 21 Mar 2001 16:18:12 +0000 (GMT)
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

On Sat, 17 Mar 2001, Jonathan Michaelson wrote:

> > > ProFTP on the RaQ servers runs through inet and so restarting inetd is
> the
> > > method for restarting the ftp server.
> >
> > Incorrect.  Restarting or killing inetd does NOT kill ProFTPD sessions
> > running.  You have to killall -9 proftpd to do this.
>
> Thank you for clarifying that point, I was indeed wrong to imply that
> restarting inetd would kill off any existing connections.
>
> I hope this rathole hasn't diluted my original post that contains the
> correct method and description to avoid this very public DoS in ProFTP.

Nah.  It's worth fixing the ProFTPD thing, because *ANYBODY* can perform
it (doesn't need any special tools) if you allow anonymous access.

> Hopefully, we'll soon see a workaround for the shell prompt DoS that is also
> a part of this for those that allow users shell access to their RaQs.

Well, hopefully your users wouldn't crash the RaQ on purpose.  There's
millions of ways to crash Linux at any rate, mostly due to lack of process
restrictions in the Linux kernel.

Examples from shell access..

1. echo (main() {for(;;)fork();}) >crash.c; gcc -o crash crash.c; ./crash
2. echo shell ($0 & $0 &) >crash2.c; gcc -o crash2 crash2.c; ./crash2

All reproducable via PHP/Perl etc...

References:
- Re: [cobalt-security] FTPD DoS
  - From: Jonathan Michaelson

Prev by Date: Re: [cobalt-security] FTPD DoS
Next by Date: Re: [cobalt-security] FTPD DoS
Previous by thread: Re: [cobalt-security] FTPD DoS
Next by thread: Re: [cobalt-security] FTPD DoS (x-posted to cobalt-users)

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index