[Full-disclosure] SFTPLogging patch log flooding vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] SFTPLogging patch log flooding vulnerability
- From: Anthony Martinez <fd@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 8 Sep 2006 18:46:49 -0600
Log flooding vulnerability in "sftplogging" patch
Severity: low
Anthony Martinez (Pi), fd@xxxxxxxxxxxxxxxxxx
August 20, 2006
Synopsis
sftplogging patches rely on sysklogd to collapse repeated messages. A malicious
user with an account could exploit this to inundate syslogd, which may then drop
messages and hide other activity.
About the patch
sftplogging patches are available from the author's sourceforge site,
http://sftplogging.sf.net/:
"This patch for openssh does several things. It allows secure ftp sessions to
be logged on the ftp server; it allows one to designate a umask for ftp
sessions, this umask overrides any other umask setting, including what the
client sends; and it allows one to designate whether the ftp client is allowed
to execute "chown" or "chgrp" commands on the server."
Description
SFTP Logging patched servers, when LogSFTP is on, log the size of transferred
files by repeatedly calling logit() with the number of bytes transferred.
This goes badly for us when an SSH client sends one chunk of, say, 1 byte, then
varies the chunk size, possibly to 2 bytes, and continues that process for a
large file: because consecutive messages are no longer identical, syslog's
repeat suppression never kicks in, and sysklogd can be made to drop messages.
This dropping of messages may or may not hide other activity on the system.
On syslog daemons, such as syslog-ng, that do not track repeated messages, this
could be used to fill up log space as well.
If remote logging is enabled, this could also flood the network with traffic.
Proof of concept
sftplogmeltdown is a patch for sftp-client to go between buffer sizes,
decrementing the size with each write. This defeats syslog protection against
repeated messages. A thusly-patched sftp client with the -B 3 option, and
uploading a large enough file, is enough to cause syslog stress and have it
drop messages.
Mitigation
Modify sftplogging patches to hold a size_t sized counter, increment it by each
write length, and log the total once at the end of the transaction, instead of
relying incorrectly on syslogd's repeated-message behavior.
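The following C model is an added illustration, not code from the advisory, from OpenSSH or from the sftplogging project. It models the two logging strategies the Description and Mitigation sections contrast: per-write logit() calls versus a single accumulated line at close. The function names, the struct xfer_stats type, the simplified sysklogd repeat-suppression model and the sample chunk sequences are all constructed here; the 3/2/1 rotation is taken from the log excerpt in the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MSG_LEN 64

/* Simplified model of sysklogd's repeated-message suppression (not its real
   code): a run of k identical consecutive messages costs one line when k == 1,
   or two lines (the message plus "last message repeated N times") when k > 1.
   Returns how many lines would actually reach the log file. */
size_t syslog_lines_emitted(const char msgs[][MSG_LEN], size_t n)
{
    size_t lines = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        if (i > 0 && strcmp(msgs[i], msgs[i - 1]) == 0) {
            run++;                /* identical to previous: suppressed for now */
            continue;
        }
        if (run > 0)
            lines++;              /* close the previous run with a "repeated" line */
        lines++;                  /* the new, different message itself */
        run = 0;
    }
    if (run > 0)
        lines++;
    return lines;
}

/* Original sftplogging behaviour: one log message per write call. */
size_t log_per_write(const size_t *chunks, size_t n, char out[][MSG_LEN], size_t cap)
{
    if (n > cap)
        n = cap;
    for (size_t i = 0; i < n; i++)
        snprintf(out[i], MSG_LEN, "writing %zu bytes to file", chunks[i]);
    return n;
}

/* Mitigated behaviour (hypothetical): keep a size_t counter per transfer,
   add each write length to it, and emit a single line when the handle closes. */
struct xfer_stats {
    size_t bytes;   /* total bytes written; size_t as the advisory suggests */
    size_t writes;  /* number of write calls, useful context for the one line */
};

void xfer_write(struct xfer_stats *st, size_t len)
{
    st->bytes += len;
    st->writes++;
}

size_t log_at_close(const size_t *chunks, size_t n, char out[][MSG_LEN], size_t cap)
{
    struct xfer_stats st = {0, 0};
    if (cap == 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        xfer_write(&st, chunks[i]);
    snprintf(out[0], MSG_LEN, "wrote %zu bytes to file in %zu writes",
             st.bytes, st.writes);
    return 1;
}

/* Constructed sample transfers: six 3-byte writes, and the 3/2/1 rotation
   shown in the advisory's log excerpt. */
const size_t FIXED_CHUNKS[6]    = {3, 3, 3, 3, 3, 3};
const size_t ROTATING_CHUNKS[6] = {3, 2, 1, 3, 2, 1};

/* Number of log lines a transfer produces under either strategy. */
size_t lines_for(const size_t *chunks, size_t n, int aggregate)
{
    char buf[16][MSG_LEN];
    size_t m = aggregate ? log_at_close(chunks, n, buf, 16)
                         : log_per_write(chunks, n, buf, 16);
    return syslog_lines_emitted(buf, m);
}

int main(void)
{
    printf("fixed chunks, per-write logging:    %zu lines\n", lines_for(FIXED_CHUNKS, 6, 0));
    printf("rotating chunks, per-write logging: %zu lines\n", lines_for(ROTATING_CHUNKS, 6, 0));
    printf("rotating chunks, log at close:      %zu lines\n", lines_for(ROTATING_CHUNKS, 6, 1));
    return 0;
}
```

With a fixed chunk size the per-write strategy costs two lines because sysklogd collapses the run; once the sizes rotate, every write becomes its own line and the suppression buys nothing. The accumulated counter produces one line for the whole transfer regardless of how the client splits its writes, which is why the fix belongs in sftp-server rather than in syslog configuration.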
Attachments
sftplogmeltdown.patch, a patch to sftp-client.c which modifies the -B (buffer)
option in sftp to rotate the buffer size instead of using a fixed-size buffer.
This causes sftp-server to log messages like
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
thusly flooding the logs.
Vendor notification
Vendor notified August 20, 2006 and given 2 weeks to fix. I'm late in reporting
this to the list.
Availability
This document, with associated patch, is released on my domain:
* http://mrtheplague.net/security/2006-sftplogging.html
* http://mrtheplague.net/security/sftplogmeltdown.patch
"Greetz", as it were, to Houdini, Chamuco, and Mom.
pi 2006-08-20
--
printk(KERN_CRIT PFX "Reboot didn't ?????\n");
linux-2.6.6/drivers/char/watchdog/softdog.c
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/