ftpd: command line split (CSRF)

Related Vulnerabilities: CVE-2008-4247  

Debian Bug report logs - #500278


Reported by: Paul Szabo <psz@maths.usyd.edu.au>

Date: Fri, 26 Sep 2008 20:42:01 UTC

Severity: grave

Tags: patch, security

Found in version linux-ftpd/0.17-23

Fixed in version linux-ftpd/0.17-29

Done: Alberto Gonzalez Iniesta <agi@inittab.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#500278; Package ftpd. (Fri, 26 Sep 2008 20:42:03 GMT)


Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (Fri, 26 Sep 2008 20:42:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Paul Szabo <psz@maths.usyd.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ftpd: command line split (CSRF)
Date: Sat, 27 Sep 2008 06:37:50 +1000
Package: ftpd
Version: 0.17-23
Severity: normal


Similar to recent OpenBSD changes:
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
this Debian package seems vulnerable to the same issue
(and I expect the solution here to be the same).

See also:
multiple vendor ftpd - Cross-site request forgery
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064697.html

(My setting of severity on this bug is probably alarmist...)

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-pk02.19-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ftpd depends on:
ii  libc6                  2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii  libpam-modules         0.79-5            Pluggable Authentication Modules f
ii  libpam0g               0.79-5            Pluggable Authentication Modules l
ii  netbase                4.29              Basic TCP/IP networking system

ftpd recommends no packages.

-- debconf information:
* ftpd/globattack:




Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#500278; Package ftpd. (Mon, 29 Sep 2008 00:42:02 GMT)


Acknowledgement sent to Ian Beckwith <ianb@erislabs.net>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (Mon, 29 Sep 2008 00:42:02 GMT)


Message #10 received at 500278@bugs.debian.org:

From: Ian Beckwith <ianb@erislabs.net>
To: control@bugs.debian.org, 500278@bugs.debian.org
Subject: ftpd command line split
Date: Mon, 29 Sep 2008 01:41:12 +0100
tags 500278 + patch security
clone 500278 -1
reassign -1 ftpd-ssl
thanks

Unfortunately this came in just as I was going on VAC.
Whoever fixes this in linux-ftpd please NMU linux-ftpd-ssl as well.
If nobody NMUs, I'll fix this in linux-ftpd-ssl after I get back from VAC.

The attached patch is a port of the openbsd fix to linux-ftpd-ssl,
but it also applies to the vanilla linux-ftpd (with offsets)

Please note I haven't had time to do more than test that the fix
compiles, so please test before uploading.

Ian

-- 
Ian Beckwith - ianb@erislabs.net - http://erislabs.net/ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5  4814 40EC C154 A8BA C1EA
[ftpd-truncate-commands.patch (text/x-diff, attachment)]

Tags added: patch, security. Request was from Ian Beckwith <ianb@erislabs.net> to control@bugs.debian.org. (Mon, 29 Sep 2008 00:42:06 GMT)


Bug 500278 cloned as bug 500518. Request was from Ian Beckwith <ianb@erislabs.net> to control@bugs.debian.org. (Mon, 29 Sep 2008 00:42:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#500278; Package ftpd. (Mon, 06 Oct 2008 12:33:03 GMT)


Acknowledgement sent to Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (Mon, 06 Oct 2008 12:33:03 GMT)


Message #19 received at 500278@bugs.debian.org:

From: Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>
To: 500278@bugs.debian.org
Subject: not vulnerable?
Date: Mon, 6 Oct 2008 14:31:30 +0200
hi,

I've installed the actual linux-ftpd version in order to make an NMU.
I was wondering by doing the following to reproduce the bug:

$ echo "open ftp://thomasbl@127.0.0.1:21" > script; python -c 'for i in range(1,5200): print("%ssyst" % ("A"*i))' >> script
$ lftp -f script &> out
$ grep -iv "Unknown command \`[A]*syst'." out | wc -l
0

As you can see there is no problem :)
Btw, the buffer is only 512K big, so ftpd might split the incoming buffer as
mentioned in http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064697.html

Furthermore, the patch which is attached to this bug causes the package
not to build properly. So, it's better to wait for a new upstream release
or fix the patch :)

Kind regards,
Thomas.


Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#500278; Package ftpd. (Wed, 08 Oct 2008 03:06:02 GMT)


Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (Wed, 08 Oct 2008 03:06:02 GMT)


Message #24 received at 500278@bugs.debian.org:

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 500278@bugs.debian.org
Subject: Yes vulnerable
Date: Wed, 8 Oct 2008 14:03:26 +1100
I do not understand what Thomas's test would do exactly... but I get:

$ perl -e 'print "A"x511,"SYST\nQUIT\n"' | nc asti 21
220 asti.maths.usyd.edu.au FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.17) ready.
500 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA': command not understood.
530 Please login with USER and PASS.
221 Goodbye.
$

where asti (a server that does not accept anonymous FTP) first complains
about the many As it cannot understand, then gets SYST "correctly" but
refuses to act, then quits happily.

Is this sufficient demo of the vulnerability?

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
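The split Paul demonstrates above comes from the command reader: a line longer than the command buffer is handed back in pieces, and each piece is parsed as a command in its own right, which is what lets a SYST (or anything else) ride along in the tail of an over-long line. The C program below is an added illustration written for this page, not ftpd's own code (that reader lives in ftpcmd.y, which the thread does not reproduce). It assumes a 512-byte buffer, inferred from Thomas's "512" and Paul's 511 'A's, and stands an in-memory byte string in for the control socket so it runs offline. It feeds the same constructed payload (511 'A's, then SYST and QUIT) to a naive reader and to one that drains and rejects the rest of an over-long line, which is my reading of what the attached "truncate-commands" patch does, and tallies what a command parser would see from each.

```c
#include <stdio.h>
#include <string.h>

/* ASSUMPTION: 512-byte command buffer, inferred from the thread (Thomas's "512",
 * Paul's 511 'A's); ftpd's real reader in ftpcmd.y is not reproduced on this page. */
#define CMDBUF 512

/* In-memory stand-in for the control socket so the program runs offline. */
struct memstream { const char *data; size_t len, pos; };

/* fgets() contract: read at most size-1 bytes, stop after '\n', NUL-terminate, NULL at EOF. */
static char *mem_fgets(char *buf, int size, struct memstream *s)
{
    int n = 0;
    if (size < 2 || s->pos >= s->len) return NULL;
    while (n < size - 1 && s->pos < s->len) {
        buf[n++] = s->data[s->pos++];
        if (buf[n - 1] == '\n') break;
    }
    buf[n] = '\0';
    return buf;
}

/* Strip trailing CR/LF in place. */
static void chomp(char *line)
{
    size_t n = strlen(line);
    while (n > 0 && (line[n - 1] == '\n' || line[n - 1] == '\r')) line[--n] = '\0';
}

/* Split-prone reader: returns whatever fit. A line longer than CMDBUF-1 bytes comes
 * back in pieces, and the NEXT call returns its tail as a fresh "command".
 * Returns 1 with a command, 0 at end of input. */
int read_command_split(struct memstream *in, char *cmd)
{
    if (!mem_fgets(cmd, CMDBUF, in)) return 0;
    chomp(cmd);
    return 1;
}

/* Truncating reader: no '\n' in the chunk means the line did not fit. Drain the rest
 * of that line and report -1 (rejected) rather than letting its tail be parsed.
 * A line of exactly CMDBUF-1 bytes is also rejected: conservative, by design. */
int read_command_truncate(struct memstream *in, char *cmd)
{
    char junk[CMDBUF];
    if (!mem_fgets(cmd, CMDBUF, in)) return 0;
    if (strchr(cmd, '\n') == NULL) {
        while (mem_fgets(junk, CMDBUF, in) && strchr(junk, '\n') == NULL)
            ;   /* discard until the terminating newline or EOF */
        cmd[0] = '\0';
        return -1;
    }
    chomp(cmd);
    return 1;
}

struct result { int accepted, rejected, syst; };  /* parsed, refused, SYST among parsed */

/* Run one reader over a payload and tally what the command parser would see. */
static struct result run_reader(int (*reader)(struct memstream *, char *), const char *payload)
{
    struct memstream in = { payload, strlen(payload), 0 };
    struct result r = { 0, 0, 0 };
    char cmd[CMDBUF];
    int rc;
    while ((rc = reader(&in, cmd)) != 0) {
        if (rc < 0) { r.rejected++; continue; }
        r.accepted++;
        if (strcmp(cmd, "SYST") == 0) r.syst++;
    }
    return r;
}

/* Constructed payload mirroring Paul's nc demo: 511 'A's, then SYST and QUIT, CRLF-terminated. */
static char payload_buf[CMDBUF + 32];
const char *demo_payload(void)
{
    memset(payload_buf, 'A', CMDBUF - 1);
    strcpy(payload_buf + (CMDBUF - 1), "SYST\r\nQUIT\r\n");
    return payload_buf;
}

struct result run_split(void)    { return run_reader(read_command_split, demo_payload()); }
struct result run_truncate(void) { return run_reader(read_command_truncate, demo_payload()); }

int main(void)
{
    struct result a = run_split(), b = run_truncate();
    printf("split:    accepted=%d rejected=%d SYST=%d\n", a.accepted, a.rejected, a.syst);
    printf("truncate: accepted=%d rejected=%d SYST=%d\n", b.accepted, b.rejected, b.syst);
    return 0;
}
```

Compiled and run as-is, the split reader accepts three commands, the 511 'A's, SYST and QUIT, which is exactly the 500/530/221 sequence in Paul's transcript; the truncating reader rejects the over-long line, swallows the SYST that rode in its tail, and accepts only QUIT. That is the whole defence: an over-long line must be refused as a unit, never re-synchronised into extra commands, because the attacker controls what comes after byte 511.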




Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#500278; Package ftpd. (Fri, 17 Oct 2008 02:36:03 GMT)


Acknowledgement sent to Ian Beckwith <ianb@erislabs.net>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (Fri, 17 Oct 2008 02:36:03 GMT)


Message #29 received at 500278@bugs.debian.org:

From: Ian Beckwith <ianb@erislabs.net>
To: control@bugs.debian.org, 500278@bugs.debian.org
Subject: updated patch + correct severity
Date: Fri, 17 Oct 2008 03:34:14 +0100
severity 500278 grave
thanks

Attached is a fixed version of the patch.

This bug should really be severity: grave ('introduces a security hole
allowing access to the accounts of users who use the package').

If no-one beats me to it, I'll prepare an NMU soon and ask my AM to
upload it.

Ian.

-- 
Ian Beckwith - ianb@erislabs.net - http://erislabs.net/ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5  4814 40EC C154 A8BA C1EA
Listening to: Mark Lanegan - Field Songs - No Easy Action
[ftpd-csrf.patch (text/x-diff, attachment)]

Severity set to `grave' from `normal'. Request was from Ian Beckwith <ianb@erislabs.net> to control@bugs.debian.org. (Fri, 17 Oct 2008 02:36:04 GMT)


Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. (Fri, 17 Oct 2008 19:30:08 GMT)


Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer. (Fri, 17 Oct 2008 19:30:08 GMT)


Message #36 received at 500278-close@bugs.debian.org:

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 500278-close@bugs.debian.org
Subject: Bug#500278: fixed in linux-ftpd 0.17-29
Date: Fri, 17 Oct 2008 19:02:03 +0000
Source: linux-ftpd
Source-Version: 0.17-29

We believe that the bug you reported is fixed in the latest version of
linux-ftpd, which is due to be installed in the Debian FTP archive:

ftpd_0.17-29_i386.deb
  to pool/main/l/linux-ftpd/ftpd_0.17-29_i386.deb
linux-ftpd_0.17-29.diff.gz
  to pool/main/l/linux-ftpd/linux-ftpd_0.17-29.diff.gz
linux-ftpd_0.17-29.dsc
  to pool/main/l/linux-ftpd/linux-ftpd_0.17-29.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 500278@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated linux-ftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 17 Oct 2008 20:34:17 +0200
Source: linux-ftpd
Binary: ftpd
Architecture: source i386
Version: 0.17-29
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 ftpd       - File Transfer Protocol (FTP) server
Closes: 493433 500278
Changes: 
 linux-ftpd (0.17-29) unstable; urgency=high
 .
   * Ian Beckwith:
     - Patch to fix cross-site request forgery (CSRF) attacks.
       CVE-2008-4247 (Closes: #500278)
   * Updated package description. (Closes: #493433)
Checksums-Sha1: 
 602b955a2269dab421fe1136f8042022565842a9 1006 linux-ftpd_0.17-29.dsc
 17a94fa3307cd6ad3c1a60ca7e295cdca91f0196 17754 linux-ftpd_0.17-29.diff.gz
 fa338494542ea14250a05e4d660650c97bf43868 43566 ftpd_0.17-29_i386.deb
Checksums-Sha256: 
 b2a658c51f5b1d77279c04f27897a952d73e68e91904ca97a80e4e006de2fe33 1006 linux-ftpd_0.17-29.dsc
 d5acace5666ae0b3f3a1ce2e256d8d68d6ec6edacc4af28b0a52fc98e24deecd 17754 linux-ftpd_0.17-29.diff.gz
 b4abcf1db8b20bab7c0545946098871c8b22bfa69fa5270f1ac21f9bac2402b8 43566 ftpd_0.17-29_i386.deb
Files: 
 0e8a0a5d0a2671b9afc8694a2aa81fab 1006 net extra linux-ftpd_0.17-29.dsc
 b65ab41af52b55f3e28fbbfc69594d12 17754 net extra linux-ftpd_0.17-29.diff.gz
 cdec41b0bfe8d3b6e25d997e7e349554 43566 net extra ftpd_0.17-29_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj43lgACgkQxRSvjkukAcOyoQCgh4U3nR4raG5Of5gFgi3wJK6Y
YtwAoKeFjcFuAUh4HCQ5J683gDVGLj6w
=VUEU
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 10:05:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:37:20 2019; Machine Name: buxtehude
