Bug 1007678 (CVE-2013-4359) - CVE-2013-4359 proftpd: mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication
Summary: CVE-2013-4359 proftpd: mod_sftp/mod_sftp_pam invalid pool allocation during k...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4359
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.proftpd.org/show_bug.cgi?...
Whiteboard:
Depends On: 1007679 1007680
Blocks: 1007681
TreeView+ depends on / blocked
 
Reported: 2013-09-13 06:20 UTC by Ratul Gupta
Modified: 2019-09-29 13:08 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-01 07:12:07 UTC


Attachments (Terms of Use)

Description Ratul Gupta 2013-09-13 06:20:08 UTC
ProFTPd default installation comes with mod_sftp and mod_sftp_pam activated, which initiates this flaw.
The bug is useful to trigger a large heap allocation and exhaust all available system memory of the underlying operating system.

If we look at the source code of kbdint.c: 
https://github.com/proftpd/proftpd-test-convert/blob/master/contrib/mod_sftp/kbdint.c

We'd find the lines:

resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);

  list = make_array(p, resp_count, sizeof(char *));
  for (i = 0; i < resp_count; i++) {
    char *resp;

    resp = sftp_msg_read_string(pkt->pool, &buf, &buflen);
    *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
  }

  *count = (unsigned int) resp_count;
  *responses = ((const char **) list->elts);
  return 0;
}


First line will read the kbdint response count resp_count  which is an unsigned integer with a size of 32 bits from the client during an SSH kbdint userauth info response client request.
This value is used to allocate a buffer with the size user_supplied_uint32_value multiplied by the size of a char pointer being 32bits or 64bits depending on the platform.
We can see that no size check is performed before the request is sent to pool allocator called by make_array in 2nd line.
The pool allocator can be tricked to handle negative allocation sizes if resp_count is large enough.
There is a size check of the response count value but it’s done after this function returns.
The DoS condition can be triggered by sending an int32 value for resp_count that is slightly below the available memory of the target system and repeating the request.

References:

https://bugs.gentoo.org/show_bug.cgi?id=484614
http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/

Comment 1 Ratul Gupta 2013-09-13 06:22:08 UTC
Created proftpd tracking bugs for this issue:

Affects: fedora-all [bug 1007679]
Affects: epel-all [bug 1007680]

Comment 2 Ratul Gupta 2013-09-13 06:45:27 UTC
NOTE: Fedora does not enable mod_sftp support by default.

Comment 3 Agostino Sarubbo 2013-09-17 04:35:09 UTC
http://www.openwall.com/lists/oss-security/2013/09/17/6

Please use CVE-2013-4359 for this issue

Comment 4 Paul Howarth 2013-09-30 19:17:17 UTC
This is now addressed in all current Fedora and EPEL releases.


Note You need to log in before you can comment on or make changes to this bug.