
NetBSD Security Advisory 2010-008: sftp(1)/ftp(1)/glob(3) related resource exhaustion



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2010-008
                 =================================

Topic:          sftp(1)/ftp(1)/glob(3) related resource exhaustion

Version:        NetBSD-current: source prior to July 7, 2010
                NetBSD 5.0.2:           affected
                NetBSD 5.0:             affected
                NetBSD 4.0.1:           affected
                NetBSD 4.0:             affected

Severity:       remote sftp/ftp DoS attack

Fixed:          NetBSD-current:         Jul 7, 2010
                NetBSD-5 branch         Jul 20, 2010
                NetBSD-5-0 branch       Jul 20, 2010
                NetBSD-4 branch         Aug 5, 2010
                NetBSD-4-0 branch       Aug 5, 2010

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

In 2001 GLOB_LIMIT was added to glob(3) to limit the potential amount of
memory used by globbed patterns. Unfortunately this implementation had
many limitations and did not do enough to limit memory or CPU attacks.
This bug affects:

1. ftpd(8), where a user can DoS the ftp service or increase
   the load on the machine.

2. The secure ftp server sftp(1) which comes with OpenSSH. sftp(1) does not
   use GLOB_LIMIT to limit glob(3) patterns, so it can also be DoS'ed in
   more ways.


Technical Details
=================

The limitations of GLOB_LIMIT were:

        - buffer limit was too high
        - it did not limit the number of readdir(3) calls
        - it did not limit the number of stat(2) calls

Both patterns like:

        */../*/../*/../*/../*/../*/../*

and

        */{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*

were not handled properly in all situations. One could DoS programs either
by memory exhaustion, or CPU utilization (many readdir(3) and stat(2) calls).
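The work that the two patterns above force can be measured with the following added example. It is not NetBSD's glob(3) code and not the fix this advisory ships; it is a small Python matcher that re-implements the GLOB_LIMIT idea with the three budgets the advisory says were missing or too lax (readdir(3) calls, stat(2) calls, output buffer). The directory tree it expands over is constructed in a temporary directory, and the names BoundedGlob, make_tree, work_for and demo are invented here for the illustration.

```python
"""
Bounded glob matcher with explicit work budgets.

Added example, not NetBSD's glob(3): it re-implements the idea behind
GLOB_LIMIT in Python so the three limits named in the advisory (output
buffer, readdir(3) calls, stat(2) calls) can be watched on a constructed
directory tree, using the advisory's '*/../*/../*' style pattern as input.
"""
import fnmatch
import os
import tempfile


class GlobLimitExceeded(Exception):
    """Raised when expanding a pattern needs more work than the caller allowed."""


class BoundedGlob:
    """Expand a pattern one '/'-separated segment at a time, counting the work."""

    def __init__(self, max_readdir=64, max_stat=256, max_matches=1024):
        self.max_readdir, self.max_stat, self.max_matches = max_readdir, max_stat, max_matches
        self.readdir_calls = 0
        self.stat_calls = 0
        self.matches = []

    def glob(self, root, pattern):
        segments = [s for s in pattern.split("/") if s]
        self._expand(root, segments)
        return list(self.matches)

    def _readdir(self, path):
        # one readdir(3) per directory visited; '*/..' keeps re-reading the same one
        self.readdir_calls += 1
        if self.readdir_calls > self.max_readdir:
            raise GlobLimitExceeded("readdir budget (%d) exhausted" % self.max_readdir)
        try:
            return sorted(os.listdir(path))
        except OSError:
            return []

    def _exists(self, path, need_dir):
        # one stat(2) per candidate path that must be checked before descending
        self.stat_calls += 1
        if self.stat_calls > self.max_stat:
            raise GlobLimitExceeded("stat budget (%d) exhausted" % self.max_stat)
        return os.path.isdir(path) if need_dir else os.path.lexists(path)

    def _expand(self, base, segments):
        if not segments:
            self.matches.append(base)
            if len(self.matches) > self.max_matches:
                raise GlobLimitExceeded("match buffer (%d) exhausted" % self.max_matches)
            return
        seg, rest = segments[0], segments[1:]
        if not any(c in seg for c in "*?["):
            # literal component such as '..': costs a stat, never a readdir
            path = os.path.join(base, seg)
            if self._exists(path, need_dir=bool(rest)):
                self._expand(path, rest)
            return
        for name in self._readdir(base):
            if name.startswith(".") and not seg.startswith("."):
                continue  # like glob(3), a leading '.' must be matched explicitly
            if not fnmatch.fnmatchcase(name, seg):
                continue
            path = os.path.join(base, name)
            if rest and not self._exists(path, need_dir=True):
                continue
            self._expand(path, rest)


def make_tree(root, width=3):
    """Constructed fixture: `width` subdirectories, each holding `width` files."""
    for i in range(width):
        sub = os.path.join(root, "d%d" % i)
        os.mkdir(sub)
        for j in range(width):
            open(os.path.join(sub, "f%d" % j), "w").close()


def work_for(root, pattern, **limits):
    """Return (readdir_calls, stat_calls, matches), or the limit error message."""
    g = BoundedGlob(**limits)
    try:
        g.glob(root, pattern)
    except GlobLimitExceeded as exc:
        return str(exc)
    return (g.readdir_calls, g.stat_calls, len(g.matches))


UNLIMITED = dict(max_readdir=10**6, max_stat=10**6, max_matches=10**6)


def demo():
    hostile = "*/../*/../*/../*/../*/../*/../*"  # the advisory's first pattern
    with tempfile.TemporaryDirectory() as root:
        make_tree(root)
        return {
            "benign": work_for(root, "*/f*", **UNLIMITED),
            "unbounded": work_for(root, hostile, **UNLIMITED),
            "bounded": work_for(root, hostile),  # default budgets
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-10s %s" % (name, result))
```

On a tree of only three directories the seven-level pattern needs 1093 directory reads and 2184 stats to produce 2187 matches, every one of them naming the same three entries, whereas the benign `*/f*` costs 4 reads and 3 stats; with the default budgets the hostile pattern is cut off after 64 directory reads. Brace alternatives such as `{..,..,..}` multiply the work in the same way, since each alternative is expanded in turn, which is why a limit on the output buffer alone (the 2001 GLOB_LIMIT) was not enough.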


Solutions and Workarounds
=========================

- Don't run ftpd/sftp
- Patch, recompile and reinstall libc, restart ftpd.
  Patch, recompile and reinstall sftp.
  Patch, recompile and reinstall /rescue.

  CVS branch    file                                                    revision
  ------------- ----------------                                        --------
  HEAD          src/lib/libc/gen/glob.3                                 1.37
  HEAD          src/lib/libc/gen/glob.c                                 1.26
  HEAD          src/crypto/external/bsd/openssh/dist/sftp-glob.c        1.3
  HEAD          src/crypto/external/bsd/openssh/dist/sftp.c             1.3

  CVS branch    file                                            revision
  ------------- ----------------                                --------
  netbsd-5-0    src/lib/libc/gen/glob.3                         1.23.14.1
  netbsd-5-0    src/lib/libc/gen/glob.c                         1.23.10.1
  netbsd-5-0    src/crypto/dist/ssh/sftp.c                      1.23.12.1
  netbsd-5-0    src/crypto/dist/ssh/sftp-glob.c                 1.13.28.1

  netbsd-5      src/lib/libc/gen/glob.3                         1.23.8.1
  netbsd-5      src/lib/libc/gen/glob.c                         1.23.4.1
  netbsd-5      src/crypto/dist/ssh/sftp.c                      1.23.8.1
  netbsd-5      src/crypto/dist/ssh/sftp-glob.c                 1.13.24.1

  netbsd-4-0    src/lib/libc/gen/glob.3                         1.30.12.1
  netbsd-4-0    src/lib/libc/gen/glob.c                         1.18.10.1
  netbsd-4-0    src/crypto/dist/ssh/sftp.c                      1.21.6.1
  netbsd-4-0    src/crypto/dist/ssh/sftp-glob.c                 1.13.12.1

  netbsd-4      src/lib/libc/gen/glob.3                         1.30.4.1
  netbsd-4      src/lib/libc/gen/glob.c                         1.18.2.1
  netbsd-4      src/crypto/dist/ssh/sftp.c                      1.21.2.1
  netbsd-4      src/crypto/dist/ssh/sftp-glob.c                 1.13.2.1


The following instructions briefly summarize how to update and
recompile libc and sftp. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  FILES    with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libc and sftp:

* NetBSD-current:

        # cd src
        # cvs update -d -P -r BRANCH lib/libc/gen crypto/external/bsd/openssh
        # cd lib/libc
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../crypto/external/bsd/openssh
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../../../rescue
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

* NetBSD 5.*/4.*:

        # cd src
        # cvs update -d -P -r BRANCH lib/libc/gen usr.bin/ssh/sftp-server
        # cd lib/libc
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../usr.bin/ssh/sftp-server
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../../rescue
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

   http://www.netbsd.org/guide/en/chap-build.html


Thanks To
=========

Maksymilian Arciemowicz for finding, suggesting fixes, and testing.
Christos Zoulas for fixing the problem.


Revision History
================

        2010-10-06      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-008.txt,v 1.1 2010/10/06 20:54:45 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)
-----END PGP SIGNATURE-----

