Date: Mon, 16 Sep 2013 21:18:27 -0600
From: Kurt Seifried <>
CC: Agostino Sarubbo <>
Subject: Re: CVE request: proftpd: mod_sftp/mod_sftp_pam invalid
 pool allocation during kbdint authentication

On 09/14/2013 01:05 AM, Agostino Sarubbo wrote:
> Hello,
> From:
>  ProFTPd installs with mod_sftp and mod_sftp_pam activated contain
> the vulnerability described in this post.
> The current stable release of ProFTPd is 1.3.4d and the current
> release candidate is 1.3.5rc3.
> First I have to note that this vulnerability is unlikely to be
> exploited. There is a way to control $rip instruction pointer
> on 64 bit systems, for example on the Ubuntu 64Bit platform but I
> believe that it is not possible to get full code execution with
> this bug.
> The bug is useful to trigger a large heap allocation and exhaust
> all available system memory of the underlying operating system.
> Inside the file located at
> proftpd-1.3.5rc2/contrib/mod_sftp/kbdint.c ProFTPd handles the SSH
> keyboard interactive authentication procedure, in this case it will
> use pam as an authentication library therefore mod_sftp_pam has to
> be active for an installation to be vulnerable.
> Source code file and line kbdint.c:300 reads:
> [1] resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);
> [2] list = make_array(p, resp_count, sizeof(char *));
>     for (i = 0; i < resp_count; i++) {
>       char *resp;
>       resp = sftp_msg_read_string(pkt->pool, &buf, &buflen);
>       *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
>     }
> Line 1 will read the kbdint response count which is an unsigned
> integer with a size of 32 bits from the client during an SSH kbdint
> userauth info response client request.
> This value is used to allocate a buffer with the size 
> user_supplied_uint32_value multiplied by the size of a char pointer
> being 32bits or 64bits depending on the platform.
> There is no size check before the request is sent to the pool
> allocator that is called by make_array at Line 2.
> The pool allocator can be tricked to handle negative allocation
> sizes if resp_count is large enough.
> There is a size check of the response count value but it’s done
> after this function returns.
> The DoS condition can be triggered by sending an int32 value for
> resp_count that is slightly below the available memory of the
> target system and repeating the request.
> Notably OpenSSH vulnerability CVE-2002-0640 is very similar to
> this ProFTPd vulnerability. It has the very same code path.
> Here is a reference to the OpenSSH Challenge-Response
> Authentication bug that was exploited by GOBBLES Security in their
> year 2002 sshutuptheo.tgz exploit:
> Usage of keyboard interactive authentication in ProFTPd mod_sftp is
> rare as it is not activated by default.

Please use CVE-2013-4359 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
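
Added example, not part of the original message and not ProFTPD's own patch: one way to validate the kbdint response count before anything is allocated, which is the check the quoted analysis says was missing. The function name, the cap of 500, the constructed sample payloads and the assumption that the caller tracks how many prompts it sent are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define KBDINT_MAX_RESPONSES 500u  /* assumed cap for this example */

/* Constructed sample payloads: uint32 count, then length-prefixed strings. */
static const unsigned char SAMPLE_OK[]    = {0,0,0,1, 0,0,0,2,'h','i'};
static const unsigned char SAMPLE_HUGE[]  = {0xff,0xff,0xff,0xff};
static const unsigned char SAMPLE_SHORT[] = {0,0,0,2, 0,0,0,2,'h','i'};

/* Read a big-endian uint32 and advance the cursor; 0 on success. */
static int read_u32(const unsigned char **buf, size_t *len, uint32_t *out) {
    if (*len < 4) return -1;
    *out = ((uint32_t)(*buf)[0] << 24) | ((uint32_t)(*buf)[1] << 16) |
           ((uint32_t)(*buf)[2] << 8)  |  (uint32_t)(*buf)[3];
    *buf += 4; *len -= 4;
    return 0;
}

/* Validate the response count before anything is allocated.
 * expected = number of prompts the server sent (assumed tracked by caller).
 * Returns 0 and stores the count if acceptable, -1 otherwise. */
int kbdint_check_count(const unsigned char *buf, size_t len,
                       uint32_t expected, uint32_t *count_out) {
    uint32_t count;
    if (read_u32(&buf, &len, &count) != 0) return -1;  /* truncated packet */
    if (count != expected) return -1;                  /* must match prompts */
    if (count > KBDINT_MAX_RESPONSES) return -1;       /* hard upper bound */
    if (count > len / 4) return -1;  /* each string needs a 4-byte length */
    if (count_out) *count_out = count;
    return 0;
}

int main(void) {
    uint32_t n = 0;
    if (kbdint_check_count(SAMPLE_OK, sizeof SAMPLE_OK, 1, &n) != 0) return 1;
    char **list = calloc(n, sizeof *list);  /* size is now bounded */
    if (list == NULL) return 1;
    free(list);
    /* The oversized count is rejected before any allocation is attempted. */
    return kbdint_check_count(SAMPLE_HUGE, sizeof SAMPLE_HUGE, 1, NULL) == -1 ? 0 : 1;
}
```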