Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 14 Sep 2013 09:05:01 +0200
From: Agostino Sarubbo <>
Subject: CVE request: proftpd: mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication



ProFTPd installs with mod_sftp and mod_sftp_pam activated contain the 
vulnerability described in this post.

The current stable release of ProFTPd is 1.3.4d and the current release 
candidate is 1.3.5rc3.

First I have to note that this vulnerability is unlikely to be exploited. 
There is a way to control $rip instruction pointer

on 64 bit systems, for example on the Ubuntu 64Bit platform but I believe that 
it is not possible to get full code execution with this bug.

The bug is useful to trigger a large heap allocation and exhaust all available 
system memory of the underlying operating system.

Inside the file located at proftpd-1.3.5rc2/contrib/mod_sftp/kbdint.c ProFTPd 
handles the SSH keyboard interactive authentication procedure, in this case it 
will use pam as an authentication library therefore mod_sftp_pam has to be 
active for an installation to be vulnerable.

Source code file and line kbdint.c:300 reads:

[1] resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);

[2] list = make_array(p, resp_count, sizeof(char *));
for (i = 0; i < resp_count; i++) {
char *resp;

resp = sftp_msg_read_string(pkt->pool, &buf, &buflen);
*((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));

Line 1 will read the kbdint response count which is an unsigned integer with a 
size of 32 bits from the client during an SSH kbdint userauth info response 
client request.

This value is used to allocate a buffer with the size 
user_supplied_uint32_value multiplied by the size of a char pointer being 
32bits or 64bits depending on the platform.

There is no size check before the request is sent to the pool allocator that 
is called by make_array at Line 2.

The pool allocator can be tricked to handle negative allocation sizes if 
resp_count is large enough.

There is a size check of the response count value but it’s done after this 
function returns.

The DoS condition can be triggered by sending an int32 value for resp_count 
that is slightly below the available memory of the target system and repeating 
the request.

Noteably OpenSSH vulnerability CVE-2002-0640 is very similar to this ProFTPd 
vulnerability. It has the very same code path.

Here is a reference to the OpenSSH Challenge-Response Authentication bug that 
was exploited by GOBBLES Security in their year 2002 sshutuptheo.tgz exploit:

Usage of keyboard interactive authentication in ProFTPd mod_sftp is rare as it 
is not activated by default.
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.