Bug 1007678 - (CVE-2013-4359) CVE-2013-4359 proftpd: mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
Assigned To: Red Hat Product Security
Depends On: 1007679 1007680
Blocks: 1007681
Reported: 2013-09-13 02:20 EDT by Ratul Gupta
Modified: 2014-01-27 03:37 EST (History)
Doc Type: Bug Fix
Last Closed: 2013-10-01 03:12:07 EDT

Description Ratul Gupta 2013-09-13 02:20:08 EDT
ProFTPd default installation comes with mod_sftp and mod_sftp_pam activated, which initiates this flaw.
The bug is useful to trigger a large heap allocation and exhaust all available system memory of the underlying operating system.

If we look at the source code of kbdint.c, we'd find the lines:

  resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);

  /* resp_count comes straight from the client; no bound is applied
     before it sizes the allocation below */
  list = make_array(p, resp_count, sizeof(char *));
  for (i = 0; i < resp_count; i++) {
    char *resp;

    resp = sftp_msg_read_string(pkt->pool, &buf, &buflen);
    *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
  }

  *count = (unsigned int) resp_count;
  *responses = ((const char **) list->elts);
  return 0;

The first line will read the kbdint response count resp_count, which is an unsigned integer with a size of 32 bits, from the client during an SSH kbdint userauth info response client request.
This value is used to allocate a buffer with the size user_supplied_uint32_value multiplied by the size of a char pointer, being 32 or 64 bits depending on the platform.
We can see that no size check is performed before the request is sent to the pool allocator called by make_array in the 2nd line.
The pool allocator can be tricked into handling negative allocation sizes if resp_count is large enough.
There is a size check of the response count value, but it's done after this function returns.
The DoS condition can be triggered by sending an int32 value for resp_count that is slightly below the available memory of the target system and repeating the request.


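Added example (not ProFTPD's code and not part of the report above): a parser for a kbdint info-response body (uint32 count followed by that many SSH strings) that validates the count before it sizes any allocation, which is the ordering the description says the affected code lacks. The names read_u32, read_string, kbdint_read_responses, kbdint_free_responses and the limit KBDINT_MAX_RESPONSES are assumptions for this demo; the sample bodies are constructed, not captured traffic.

```c
/* Added example, not ProFTPD's own code: parse a kbdint info-response body
 * (uint32 count, then that many SSH strings) with the count validated
 * before it sizes any allocation.  read_u32, read_string,
 * kbdint_read_responses and KBDINT_MAX_RESPONSES are assumed names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed demo limit on responses per message. */
#define KBDINT_MAX_RESPONSES 32

/* Big-endian uint32, the SSH wire encoding of an integer. */
static int read_u32(const unsigned char **buf, size_t *buflen, uint32_t *out) {
  if (*buflen < 4) return -1;
  *out = ((uint32_t)(*buf)[0] << 24) | ((uint32_t)(*buf)[1] << 16) |
         ((uint32_t)(*buf)[2] << 8)  |  (uint32_t)(*buf)[3];
  *buf += 4; *buflen -= 4;
  return 0;
}

/* SSH "string": uint32 length then that many bytes; the length is checked
 * against the bytes actually present before anything is copied. */
static int read_string(const unsigned char **buf, size_t *buflen, char **out) {
  uint32_t len;
  if (read_u32(buf, buflen, &len) < 0 || len > *buflen) return -1;
  *out = malloc((size_t)len + 1);
  if (*out == NULL) return -1;
  memcpy(*out, *buf, len);
  (*out)[len] = '\0';
  *buf += len; *buflen -= len;
  return 0;
}

void kbdint_free_responses(char **list, unsigned int count) {
  unsigned int i;
  for (i = 0; i < count; i++) free(list[i]);
  free(list);
}

/* Returns 0 and fills *count/*responses, or -1 on rejection.  The count
 * is refused if it exceeds the agreed maximum or buflen/4: each response
 * carries at least a 4-byte length prefix, so a larger count cannot be
 * backed by the bytes received and must never reach the allocator. */
int kbdint_read_responses(const unsigned char *buf, size_t buflen,
                          unsigned int *count, char ***responses) {
  uint32_t resp_count, i;
  char **list;

  if (read_u32(&buf, &buflen, &resp_count) < 0) return -1;
  if (resp_count > KBDINT_MAX_RESPONSES || resp_count > buflen / 4) return -1;

  list = calloc(resp_count, sizeof(char *));  /* sized by a validated count */
  if (list == NULL) return -1;

  for (i = 0; i < resp_count; i++) {
    if (read_string(&buf, &buflen, &list[i]) < 0) {
      kbdint_free_responses(list, i);
      return -1;
    }
  }
  *count = resp_count;
  *responses = list;
  return 0;
}

/* Constructed sample bodies for the demos below (not captured traffic). */
static const unsigned char body_ok[] = {
  0, 0, 0, 2,                 /* count = 2 */
  0, 0, 0, 3, 'y', 'e', 's',  /* "yes" */
  0, 0, 0, 2, 'n', 'o'        /* "no" */
};
static const unsigned char body_huge[] = { 0xff, 0xff, 0xff, 0xff }; /* count, no strings */
static const unsigned char body_short[] = {
  0, 0, 0, 2,                 /* claims two responses ... */
  0, 0, 0, 3, 'y', 'e', 's'   /* ... but carries only one */
};

/* Each demo returns 1 when the parser behaves as intended, else 0. */
int demo_parse_ok(void) {
  unsigned int n; char **r; int ok;
  if (kbdint_read_responses(body_ok, sizeof body_ok, &n, &r) != 0) return 0;
  ok = (n == 2 && strcmp(r[0], "yes") == 0 && strcmp(r[1], "no") == 0);
  kbdint_free_responses(r, n);
  return ok;
}

int demo_reject_huge_count(void) {
  unsigned int n; char **r;
  return kbdint_read_responses(body_huge, sizeof body_huge, &n, &r) == -1;
}

int demo_reject_short_body(void) {
  unsigned int n; char **r;
  return kbdint_read_responses(body_short, sizeof body_short, &n, &r) == -1;
}

int main(void) {
  printf("ok=%d huge=%d short=%d\n", demo_parse_ok(),
         demo_reject_huge_count(), demo_reject_short_body());
  return 0;
}
```

The buflen/4 bound is the cheap structural check: it needs no knowledge of how many prompts the server issued, only the observation that a count larger than the remaining bytes can hold length prefixes for is unsatisfiable, so it can sit in the message reader itself rather than in a later caller. The fixed KBDINT_MAX_RESPONSES cap is the policy check a real server would derive from its own prompt count.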
Comment 1 Ratul Gupta 2013-09-13 02:22:08 EDT
Created proftpd tracking bugs for this issue:

Affects: fedora-all [bug 1007679]
Affects: epel-all [bug 1007680]
Comment 2 Ratul Gupta 2013-09-13 02:45:27 EDT
NOTE: Fedora does not enable mod_sftp support by default.
Comment 3 Agostino Sarubbo 2013-09-17 00:35:09 EDT

Please use CVE-2013-4359 for this issue
Comment 4 Paul Howarth 2013-09-30 15:17:17 EDT
This is now addressed in all current Fedora and EPEL releases.
