=============================================== Date: 29/11/2015 Credit: Nicholas Lemonias .::PROFTPD v1.3.5a HEAP OVERFLOWS ::. ADVANCED INFORMATION SECURITY CORPORATION Keeping Things Simple! ====================================================== .88888888:. 88888888.88888. .8888888888888888. 888888888888888888 888' _`888'_ `88888 888 888 888 88888 888_888_::_888_:888 888:::,::,:::::8888 888`:::::::::'`8888 .888 `::::' 8:88. 8888 `8:888. .8888' `888888. .8888:.. .::. ...:'8888888:. .8888.' :' `'::`88:88888 .8888 ' `.888:8888. 888:8 . 888:88888 .888:88 .: 888:88888: 8888888. :: 88:888888 `.::.888. :: .88888888 .::::::.888. :: :::`888'.:. ::::::::::.888 ' .:::::::::::: ::::::::::::.8 ' .:8::::::::::::. .::::::::::::::. .:888::::::::::::: :::::::::::::::888:.__..:88888:::::::::::' `'.:::::::::::88888888888.888:::::::::' `':::_:' -- '' -'-' `':_::::'`. ================== INTRODUCTION ================== ProFTPD is Free and open-source software, compatible with Unix-like systems and Microsoft Windows (via Cygwin). Along with vsftpd and Pure-FTPd, ProFTPD is among the most popular FTP servers in Unix-like environments today. Compared to those, which focus e.g. on simplicity, speed or security, ProFTPD's primary design goal is to be a highly feature rich FTP server, exposing a large amount of configuration options to the user ==================================================== Description: During a manual source code audit of ProFTPD latest, various security issues were discovered. [3] ===================================================== =========================== CODE SNIPPET (PoC 1) =========================== ../../mod_sftp/fxp.c:1217-1251 static struct fxp_extpair *fxp_msg_read_extpair(pool *p, unsigned char **buf, uint32_t *buflen) { uint32_t namelen, datalen; unsigned char *name, *data; struct fxp_extpair *extpair; namelen = sftp_msg_read_int(p, buf, buflen); if (*buflen < namelen) { (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION, "SFTP message format error: unable to read %lu bytes of extpair name " "data (buflen = %lu)", (unsigned long) namelen, (unsigned long) *buflen); SFTP_DISCONNECT_CONN(SFTP_SSH2_DISCONNECT_BY_APPLICATION, NULL); } name = palloc(p, namelen + 1); memcpy(name, *buf, namelen); (*buf) += namelen; (*buflen) -= namelen; name[namelen] = '\0'; datalen = sftp_msg_read_int(p, buf, buflen); if (datalen > 0) { data = sftp_msg_read_data(p, buf, buflen, datalen); } else { data = NULL; } extpair = palloc(p, sizeof(struct fxp_extpair)); extpair->ext_name = (char *) name; extpair->ext_datalen = datalen; extpair->ext_data = data; return extpair; } ===================== RATIONALE ===================== Part of the SFTP handshake involves "extensions", which are key/value pairs, comprised of strings. In SSH, strings are encoded for network transport as a 32-bit length, followed by the bytes. The mod_sftp module has no manual bounds/length metrics / limitations when reading SFTP extension key/value data from the network. A malicious attacker might attempt to encode large values, and allocate more memory than is necessary, resulting in uncontrollable memory exhaustion / and resource consumption. ======================= CONCLUSION ======================= To avoid undue resource exhaustion by a remote client, mod_sftp should include a patch on the maximum length of acceptable extension keys/values, as reported by our earlier Proftpd report. REPORT TIMELINE ============================== 22/11/2015 Reported to vendor. (Initial Report) [3] 25/11/2015 Second report to vendor. 29/11/2015 Bug Report / Patch circulation. Big thanks to TJ from Proftpd for the prompt response to the issue, and excellent cooperation in security. ============================== ACKNOWLEDGEMENTS ============================== PacketStorm Security TEAM TESO, w00w00, Netric, b0iler (eyeonsecurity), wootehfoot, badpack3t (SP), Vandal (Vic), s0kket, mantis, Big_Al , ELFQrin, bob (dtors), epic, RaT for their ~ legendary mark. ==================== REFERENCES ==================== [1] Proftpd. 2015. Proftpd Bug Report , MOD_SFTP Bug Report. [ONLINE] Available at: http://bugs.proftpd.org/show_bug.cgi?id=4210. [Accessed 29 November 2015]. [2] Lemonias, N. (2015). SecurityFocus - Proftpd Heap Overflow. [ONLINE] Securityfocus.com. Available at: http://www.securityfocus.com/archive/1/536953/30/0/threaded [Accessed 29 November 2015]. [3] Cnvd.org.cn, (2015). China's Emergency Response Team, Proftpd 1.3.5a report - CERT. [online] Available at: http://www.cnvd.org.cn/flaw/show/CNVD-2015-07798 [Accessed 30 Nov. 2015].