Created attachment 475533 [details]
Screenshot of proftpd status after the exploit, steps, source code, and refused connection after the exploit caused a DoS on the remote server

Description of problem:
"proftpd multiple exploit for VU#912279 (only with GNU libc/regcomp(3)) by Maksymilian Arciemowicz"

This bug was reported as affecting only Ubuntu, Gentoo, Slackware and others. I reported the bug when a grep segfault was happening in Fedora 13, something not reported by the one who wrote the bug. Also, Red Hat somehow implied that it was a bug in glibc, and thus not relevant, which shows they are wrong. While CentOS, which is a true copy of the Red Hat repos, only brings in vsftpd, Fedora, widely used in truth, has proftpd, which was exposed by my exploit, the same one that supposedly only affected Ubuntu, Gentoo and Slackware, leading to a permanent denial of service until the remote service is restarted. It was tested on Fedora 13 i686 in text-only mode with a user without a shell, with access only to its home.

Version-Release number of selected component (if applicable):
Proftpd 1.3.3c

How reproducible:
Compile the remote exploit and launch it at a running proftpd server.

Steps to Reproduce:
1. compile exploit with gcc
2. launch exploit at proftpd server
3. proftpd suffers a DoS and the service crashes, refusing all connections.

Actual results:
DoS of proftpd

Expected results:
Not crash, not vulnerable!

Additional info:
Attached screenshot, exploit source, and result after launching the exploit, image and text.
Has this been reported to proftpd upstream (http://www.proftpd.org/bugs.html)? I can't find anything related in bugzilla there.
(In reply to comment #1)
> Has this been reported to proftpd upstream (http://www.proftpd.org/bugs.html)?
>
> I can't find anything related in bugzilla there.

Paul,

The bug has not been reported to proftpd; the bug was announced on seclists.org and securityreason, but for some reason the proftpd team did not pay attention to it.

References:
Seclists.org: http://seclists.org/fulldisclosure/2011/Jan/78
Securityreason: http://securityreason.com/exploitalert/9808

I took the exploit from securityreason to prove that not only the mentioned systems are affected (Ubuntu 10.10 - Slackware 13 - Gentoo 18.10.2010 - FreeBSD 8.1 (grep(1)) - NetBSD 5.0.2 (grep(1))), but that it also affects any system that uses 'GNU libc/regcomp(3)' and proftpd.

The origin of this comes from a bug reported by me with ID 668219. The actual exploit for Proftpd is based on the same bug, encountered in GNU libc/regcomp(3), so it affects all systems that use libc and proftpd, in this case Fedora, but it can be another distro.

Original bug libc: http://securityreason.com/securityalert/8003
Exploit based on libc for Proftpd: http://securityreason.com/exploitalert/9808
Author: Maksymilian Arciemowicz

The start of the thread is https://bugzilla.redhat.com/show_bug.cgi?id=645859.

I believe that if Red Hat does not consider this a security failure but a limitation of libc in the handling of regular expressions, then no matter the origin of it, whether it is libc or whatever, as it is still a failure, what Red Hat should do is eliminate the compiled RPM from Fedora's repos, or offer an alternative, or recompile the RPM with the fixed libc (without GNU libc regcomp(3)).

Ramiro.
I'm pretty sure this is a duplicate of bug 645859.
(In reply to comment #3)
> I'm pretty sure this is a duplicate of bug 645859.

Well yes it is, but the commentary in that bug says that nothing's going to be done about it, so the onus is on all users of glibc's regex engine to look after themselves.
Created attachment 480776 [details]
Potential fix for testing

Upstream are proposing to offer the option of using the PCRE Posix regex compatibility library instead of the system regex library. The attached 32-bit package for Fedora 13 is built using that option. Could you test it and see if it resolves the problem?
Paul, sorry for my delay, but I was offline and had technical problems these days (no more than 3); I will test the rpm you just attached. I agree with you: no matter whose problem it is, either proftpd is taken out or it gets fixed. CentOS, for example, does not include it, only vsftpd. If neither one thing nor the other is done, unless the install package warns that it is potentially dangerous under some circumstances, not all users will know the bug.
Paul, I tested your rpm and the bug is persistent: proftpd is frozen after the attack, and only responds if the service is restarted. The change with this rpm that you compiled is that the system does not overload the CPU.

Attacker: 192.168.0.10
Target: 192.168.0.12

/var/log/messages of target:

Apr 6 13:01:47 pruebas proftpd[11683]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:01:52 pruebas proftpd[11683]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 6 13:01:59 pruebas proftpd[11684]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:37 pruebas proftpd[11684]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 6 13:02:39 pruebas proftpd[11688]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:39 pruebas proftpd[11690]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:39 pruebas proftpd[11691]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:39 pruebas proftpd[11687]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:39 pruebas proftpd[11686]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:39 pruebas proftpd[11689]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:39 pruebas proftpd[11685]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:40 pruebas proftpd[11693]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:40 pruebas proftpd[11692]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:42 pruebas proftpd[11695]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:42 pruebas proftpd[11698]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:42 pruebas proftpd[11694]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:42 pruebas proftpd[11696]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:42 pruebas proftpd[11699]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:42 pruebas proftpd[11697]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:43 pruebas proftpd[11700]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:43 pruebas proftpd[11701]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:45 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:45 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:45 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:45 pruebas proftpd[11703]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:45 pruebas proftpd[11702]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:45 pruebas proftpd[11704]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:46 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:46 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:48 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:48 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:48 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:48 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:48 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:48 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:49 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:49 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:51 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:51 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:51 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:51 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:51 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:51 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:52 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:52 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:54 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied

Terminal of attacker:

[root@tux test]# ./reg1 192.168.0.12 21 cx password 192.168.0.10
This is exploit for ERE (GNU libc) by Maksymilian Arciemowicz
send: USER cx PASS password
send: STAT .
send: USER cx PASS password
send: STAT .
send: USER cx PASS password
send: STAT .
^C

My suggestion is that proftpd is removed from the repositories and vsftpd, which is not vulnerable to this exploit, is offered until the proftpd team can resolve the bug. Fedora is a distro for end users and not all people know this bug, and running proftpd is a big error; CentOS only has vsftpd in its repos.

Greets
Can you try this one and see if it's any better?

http://mirror.city-fan.org/ftp/contrib/misc/proftpd-1.3.4-0.7.0.cf.rc2.fc13.i686.rpm
proftpd-1.3.4-0.7.rc2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/proftpd-1.3.4-0.7.rc2.fc15
(In reply to comment #8)
> Can you try this one and see if it's any better?
>
> http://mirror.city-fan.org/ftp/contrib/misc/proftpd-1.3.4-0.7.0.cf.rc2.fc13.i686.rpm

Paul,

Tested with: http://mirror.city-fan.org/ftp/contrib/misc/proftpd-1.3.4-0.7.0.cf.rc2.fc13.i686.rpm
OS: Fedora 13 i686

This rpm works fine.

/var/log/messages of target:

[root@pruebas ~]# tail -f /var/log/messages
Apr 7 17:20:21 pruebas proftpd[1886]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:21 pruebas proftpd[1883]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:21 pruebas proftpd[1887]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:21 pruebas proftpd[1883]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:21 pruebas proftpd[1888]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:21 pruebas proftpd[1884]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:21 pruebas proftpd[1890]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:21 pruebas proftpd[1889]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:21 pruebas proftpd[1890]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:21 pruebas proftpd[1889]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:24 pruebas proftpd[1893]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:24 pruebas proftpd[1892]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:24 pruebas proftpd[1894]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:24 pruebas proftpd[1895]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:24 pruebas proftpd[1896]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:24 pruebas proftpd[1897]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:24 pruebas proftpd[1894]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:24 pruebas proftpd[1892]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:24 pruebas proftpd[1896]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:24 pruebas proftpd[1893]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:24 pruebas proftpd[1895]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:24 pruebas proftpd[1897]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:24 pruebas proftpd[1898]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:24 pruebas proftpd[1899]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:24 pruebas proftpd[1899]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:24 pruebas proftpd[1898]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
Apr 7 17:20:27 pruebas proftpd[1903]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.

And the attacker stops the attack after X retries; if the exploit is stopped, the ftp service on port 21 is ok without needing to restart the service on the target server. CPU load is fine, and there are no consequences on the server after using the regcomp(3) exploit.

Great job.
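Added here as a defender's illustration, not code from this bug or from proftpd: a small Python parser over constructed log lines in the /var/log/messages format quoted in comment #7 and comment #9, which flags the pattern of the broken build (sessions from one client opened but never closed, followed by MaxInstances refusals) and stays quiet on the healthy open/close pairs of the fixed build. The "stuck session" heuristic and its threshold are my assumptions, not anything proftpd ships.

```python
import re

# Constructed sample lines, modelled on the /var/log/messages excerpts quoted in this bug:
# the first block shows the hung-session pattern, the last two lines a healthy open/close pair.
SAMPLE_LOG = """\
Apr 6 13:02:39 pruebas proftpd[11688]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:39 pruebas proftpd[11690]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:40 pruebas proftpd[11693]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 6 13:02:45 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 6 13:02:46 pruebas proftpd[11476]: 127.0.0.1 - MaxInstances (20) reached, new connection denied
Apr 7 17:20:21 pruebas proftpd[1883]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session opened.
Apr 7 17:20:21 pruebas proftpd[1883]: 127.0.0.1 (192.168.0.10[192.168.0.10]) - FTP session closed.
"""

# "FTP session opened/closed" lines carry the child pid and the client address.
SESSION_RE = re.compile(
    r"proftpd\[(?P<pid>\d+)\]: \S+ \([^\[]*\[(?P<ip>[^\]]+)\]\) - FTP session (?P<event>opened|closed)\.$"
)
# The master process logs this when it refuses a connection because MaxInstances is reached.
DENIED_RE = re.compile(r"proftpd\[\d+\]: \S+ - MaxInstances \(\d+\) reached, new connection denied$")


def analyse(log_text):
    """Return (stuck, denials): stuck maps client ip -> pids that opened a session
    and never logged a close; denials counts MaxInstances refusals."""
    open_sessions = {}  # pid -> client ip, removed again when that pid logs a close
    denials = 0
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            if m.group("event") == "opened":
                open_sessions[m.group("pid")] = m.group("ip")
            else:
                open_sessions.pop(m.group("pid"), None)
        elif DENIED_RE.search(line):
            denials += 1
    stuck = {}
    for pid, ip in open_sessions.items():
        stuck.setdefault(ip, []).append(pid)
    return stuck, denials


def is_exhausted(stuck, denials, stuck_threshold=3):
    """Flag the pattern from this bug (heuristic, assumed threshold): one client holding
    several never-closed sessions while the master process is already refusing connections."""
    return denials > 0 and any(len(pids) >= stuck_threshold for pids in stuck.values())
```

On a real host the same two functions can be fed the output of tail -f /var/log/messages, which is how the reporter captured the excerpts above.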
That's upstream's fix (using pcre instead of glibc regexp library) and it'll be in 1.3.4; rc2 is already in F-15 and Rawhide with this support but I'm not pushing the update to stable releases until 1.3.4 final comes out.
proftpd-1.3.4-0.8.rc2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/proftpd-1.3.4-0.8.rc2.fc15
proftpd-1.3.4-0.8.rc2.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 14 is still affected by this issue, and will be until upstream releases 1.3.4 final.
Paul, is it solved in f14? f14 is supported for the moment.
Not in f14; upstream has not released 1.3.4 final yet.
This is fixed in all supported Fedora releases now.