Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 16 Sep 2013 21:18:27 -0600
From: Kurt Seifried <>
CC: Agostino Sarubbo <>
Subject: Re: CVE request: proftpd: mod_sftp/mod_sftp_pam invalid
 pool allocation during kbdint authentication

Hash: SHA1

On 09/14/2013 01:05 AM, Agostino Sarubbo wrote:
> Hello,
> From:
>  ProFTPd installs with mod_sftp and mod_sftp_pam activated contain
> the vulnerability described in this post.
> The current stable release of ProFTPd is 1.3.4d and the current
> release candidate is 1.3.5rc3.
> First I have to note that this vulnerability is unlikely to be
> exploited. There is a way to control $rip instruction pointer
> on 64 bit systems, for example on the Ubuntu 64Bit platform but I
> believe that it is not possible to get full code execution with
> this bug.
> The bug is useful to trigger a large heap allocation and exhaust
> all available system memory of the underlying operating system.
> Inside the file located at
> proftpd-1.3.5rc2/contrib/mod_sftp/kbdint.c ProFTPd handles the SSH
> keyboard interactive authentication procedure, in this case it will
> use pam as an authentication library therefore mod_sftp_pam has to
> be active for an installation to be vulnerable.
> Source code file and line kbdint.c:300 reads:
> [1] resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);
> [2] list = make_array(p, resp_count, sizeof(char *)); for (i = 0; i
> < resp_count; i++) { char *resp;
> resp = sftp_msg_read_string(pkt->pool, &buf, &buflen); *((char **)
> push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp)); }
> Line 1 will read the kbdint response count which is an unsigned
> integer with a size of 32 bits from the client during an SSH kbdint
> userauth info response client request.
> This value is used to allocate a buffer with the size 
> user_supplied_uint32_value multiplied by the size of a char pointer
> being 32bits or 64bits depending on the platform.
> There is no size check before the request is sent to the pool
> allocator that is called by make_array at Line 2.
> The pool allocator can be tricked to handle negative allocation
> sizes if resp_count is large enough.
> There is a size check of the response count value but it’s done
> after this function returns.
> The DoS condition can be triggered by sending an int32 value for
> resp_count that is slightly below the available memory of the
> target system and repeating the request.
> Noteably OpenSSH vulnerability CVE-2002-0640 is very similar to
> this ProFTPd vulnerability. It has the very same code path.
> Here is a reference to the OpenSSH Challenge-Response
> Authentication bug that was exploited by GOBBLES Security in their
> year 2002 sshutuptheo.tgz exploit:
> Usage of keyboard interactive authentication in ProFTPd mod_sftp is
> rare as it is not activated by default.

Please use CVE-2013-4359 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Version: GnuPG v1.4.14 (GNU/Linux)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ