Bug 484614 (CVE-2013-4359) - <net-ftp/proftpd-1.3.4d: mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication (CVE-2013-4359)
Status: RESOLVED FIXED
Alias: CVE-2013-4359
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://kingcope.wordpress.com/2013/09...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-11 20:58 UTC by Agostino Sarubbo
Modified: 2013-10-02 15:07 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-09-11 20:58:27 UTC
From ${URL}:

ProFTPd installs with mod_sftp and mod_sftp_pam activated contain the vulnerability described in this post.

The current stable release of ProFTPd is 1.3.4d and the current release candidate is 1.3.5rc3.

First I have to note that this vulnerability is unlikely to be exploited. There is a way to control the $rip instruction pointer on 64-bit systems, for example on the Ubuntu 64Bit platform, but I believe that it is not possible to get full code execution with this bug.

The bug is useful to trigger a large heap allocation and exhaust all available system memory of the underlying operating system.

Inside the file located at proftpd-1.3.5rc2/contrib/mod_sftp/kbdint.c, ProFTPd handles the SSH keyboard-interactive authentication procedure; in this case it will use PAM as the authentication library, therefore mod_sftp_pam has to be active for an installation to be vulnerable.

Source code file and line kbdint.c:300 reads:

[1] resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);

[2] list = make_array(p, resp_count, sizeof(char *));
    for (i = 0; i < resp_count; i++) {
      char *resp;

      resp = sftp_msg_read_string(pkt->pool, &buf, &buflen);
      *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
    }

Line 1 will read the kbdint response count which is an unsigned integer with a size of 32 bits from the client during an SSH kbdint userauth info response client request.

This value is used to allocate a buffer of size user_supplied_uint32_value multiplied by the size of a char pointer, which is 32 bits or 64 bits depending on the platform.

There is no size check before the request is sent to the pool allocator, which is called by make_array at Line 2.

The pool allocator can be tricked to handle negative allocation sizes if resp_count is large enough.

There is a size check of the response count value but it’s done after this function returns.

The DoS condition can be triggered by sending an int32 value for resp_count that is slightly below the available memory of the target system and repeating the request.

Notably, OpenSSH vulnerability CVE-2002-0640 is very similar to this ProFTPd vulnerability. It has the very same code path.

Here is a reference to the OpenSSH Challenge-Response Authentication bug that was exploited by GOBBLES Security in their year 2002 sshutuptheo.tgz exploit: 
http://lwn.net/Articles/3531/.

Usage of keyboard interactive authentication in ProFTPd mod_sftp is rare as it is not activated by default.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
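To make the defensive point concrete, here is an added example (not ProFTPD code, and not the patch named in the comments below) that bounds an untrusted kbdint response count before it is used to size an allocation, following the shape of the kbdint.c snippet above. read_u32, KBDINT_MAX_RESPONSES and the function names are assumptions.

```c
/* Added example, not ProFTPD code: bounding an untrusted kbdint response
 * count before it sizes an allocation. Shape follows the kbdint.c snippet
 * above; read_u32, the limit and the function names are assumptions. */
#include <stddef.h>
#include <stdint.h>

/* Assumed cap on responses per message; a server would normally tie this
 * to the number of prompts it actually sent to the client. */
#define KBDINT_MAX_RESPONSES 64

/* Read a big-endian uint32 (the SSH wire encoding). Returns 0 if the
 * buffer is too short, 1 on success. */
static int read_u32(const unsigned char **buf, size_t *buflen, uint32_t *out) {
    if (*buflen < 4)
        return 0;
    *out = ((uint32_t)(*buf)[0] << 24) | ((uint32_t)(*buf)[1] << 16) |
           ((uint32_t)(*buf)[2] << 8) | (uint32_t)(*buf)[3];
    *buf += 4;
    *buflen -= 4;
    return 1;
}

/* Unchecked form, as in line [2] of the snippet: the client's count is
 * multiplied by sizeof(char *) and handed straight to the allocator, so a
 * count near UINT32_MAX requests gigabytes (and wraps on a 32-bit size_t). */
size_t unchecked_alloc_size(uint32_t resp_count) {
    return (size_t)resp_count * sizeof(char *);
}

/* Checked form: validate the count before any allocation. Returns the
 * count on success or -1 if the message must be rejected. */
long read_resp_count_checked(const unsigned char *msg, size_t msglen) {
    const unsigned char *buf = msg;
    size_t buflen = msglen;
    uint32_t resp_count;

    if (!read_u32(&buf, &buflen, &resp_count))
        return -1;  /* truncated message */
    if (resp_count > KBDINT_MAX_RESPONSES)
        return -1;  /* policy limit, checked before make_array, not after */
    /* Structural bound: every response is an SSH string with a 4-byte
     * length prefix, so the count can never exceed the remaining bytes / 4. */
    if (resp_count > buflen / 4)
        return -1;
    if (resp_count > SIZE_MAX / sizeof(char *))
        return -1;  /* multiplication cannot overflow the allocator's size */
    return (long)resp_count;
}
```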
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2013-09-12 19:59:39 UTC
Pushed to the tree as:

> *proftpd-1.3.4d (12 Sep 2013)
> 
>   12 Sep 2013; Sergei Trofimovich <slyfox@gentoo.org>
>   +files/proftpd-1.3.4d-sftp-kbdint-max-responses-bug3973.patch,
>   +proftpd-1.3.4d.ebuild:
>   Version bump. Added fix for sftp kbdint security issue. Bug #484614 by
>   Agostino Sarubbo.

Thanks!
Comment 2 Sergey Popov gentoo-dev 2013-09-13 05:04:45 UTC
Good. Ready for stabilization? If yes - please CC arches
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2013-09-13 06:43:22 UTC
Arches, please stabilize. STABLEREQ KEYWORDS:

    alpha amd64 arm hppa ppc ppc64 sparc x86

Thanks!
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-09-13 15:22:52 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-14 08:12:56 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-09-14 10:13:31 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-14 10:23:30 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-14 10:23:59 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-09-14 10:24:24 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-09-14 10:24:44 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-09-14 10:37:54 UTC
ppc stable
Comment 12 Sergey Popov gentoo-dev 2013-09-15 12:07:57 UTC
Thanks for your work

Added to existing GLSA draft
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 23:39:34 UTC
This issue was resolved and addressed in
 GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-10-02 15:07:28 UTC
CVE-2013-4359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4359):
  Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3
  allows remote attackers to cause a denial of service (memory consumption)
  via a large response count value in an authentication request, which
  triggers a large memory allocation.