Full Disclosure mailing list archives

SFTPLogging patch log flooding vulnerability


From: Anthony Martinez <fd () pi mrtheplague net>
Date: Fri, 8 Sep 2006 18:46:49 -0600

Log flooding vulnerability in "sftplogging" patch
Severity: low

Anthony Martinez (Pi), fd () pi mrtheplague net

August 20, 2006

Synopsis
sftplogging patches rely on sysklogd to catch repeated messages. This could be exploited by a malicious user with an 
account, and cause the syslogd to be inundated and possibly drop messages, hiding other activity.

About the patch
sftplogging patches are available from the author's sourceforge site, http://sftplogging.sf.net/:

"This patch for openssh does several things. It allows secure ftp sessions to be logged on the ftp server; it allows 
one to designate a umask for ftp sessions, this umask overrides any other umask setting, including what the client 
sends; and it allows one to designate whether the ftp client is allowed to execute "chown" or "chgrp" commands on the 
server."

Description
SFTP Logging patched servers, when LogSFTP is on, log the size of transferred files by repeatedly calling logit() with 
the number of bytes transferred.

This goes badly for us when an SSH client sends one chunk of, say, 1 byte, then varies the chunk size, possibly to 2 
bytes, and keeps doing so for a large file: each log line differs from the previous one, so sysklogd's repeat 
suppression never kicks in, and it can end up dropping messages. This dropping of messages may or may not hide other 
activity on the system.

On syslog daemons, such as syslog-ng, that do not track repeated messages, this could be used to fill up log space as 
well.

If remote logging is enabled, this could also flood the network with traffic.

Proof of concept
sftplogmeltdown is a patch for sftp-client that cycles between buffer sizes, decrementing the size with each write. This 
defeats syslog's protection against repeated messages. An sftp client patched this way, run with the -B 3 option and 
uploading a large enough file, is enough to stress syslog and make it drop messages.

Mitigation
Modify sftplogging patches to hold a size_t sized counter, increment with each write length, and log that at the end of 
the transaction, instead of relying incorrectly on syslogd behavior.
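The counter described above, written out as an added C example (not code from the sftplogging patch or from OpenSSH); the struct, function names and summary-line wording are assumed, and the chunk sequences are constructed to mirror the 3,2,1 rotation in the log excerpt below. It also models why rotation beats sysklogd's repeat suppression while a per-transaction counter does not care:

```c
#include <stdio.h>
#include <string.h>

/* Per-transaction counter, as the advisory's mitigation suggests: accumulate
 * write lengths here and emit one summary line when the handle is closed. */
struct sftp_xfer {
    size_t bytes;   /* total bytes written so far */
    size_t writes;  /* number of write requests seen */
};

/* Replaces the per-write logit("writing %zu bytes to file") call. */
void xfer_note_write(struct sftp_xfer *x, size_t len) {
    x->bytes += len;
    x->writes++;
}

/* Called once at close: formats the one line handed to syslog (wording is hypothetical). */
int xfer_log_close(const struct sftp_xfer *x, const char *path,
                   char *out, size_t outlen) {
    return snprintf(out, outlen, "wrote %zu bytes in %zu writes to %s",
                    x->bytes, x->writes, path);
}

/* Model of sysklogd's repeat suppression: a line identical to the previous
 * one is folded into "last message repeated N times". Returns how many
 * distinct lines the old per-write logging pushes through for n writes. */
size_t per_write_log_lines(const size_t *chunks, size_t n) {
    char prev[64] = "", cur[64];
    size_t emitted = 0;
    for (size_t i = 0; i < n; i++) {
        snprintf(cur, sizeof cur, "writing %zu bytes to file", chunks[i]);
        if (strcmp(cur, prev) != 0) { emitted++; strcpy(prev, cur); }
    }
    return emitted;
}

/* Same n writes under the counter scheme: every write is folded into x and
 * the total is returned; exactly one log line results regardless of n. */
size_t aggregated_bytes(const size_t *chunks, size_t n, struct sftp_xfer *x) {
    memset(x, 0, sizeof *x);
    for (size_t i = 0; i < n; i++) xfer_note_write(x, chunks[i]);
    return x->bytes;
}

/* Constructed sample: nine writes at a fixed size vs. the 3,2,1 rotation
 * from the advisory's log excerpt. */
#define NCHUNKS 9
static const size_t fixed_chunks[NCHUNKS]    = {3, 3, 3, 3, 3, 3, 3, 3, 3};
static const size_t rotating_chunks[NCHUNKS] = {3, 2, 1, 3, 2, 1, 3, 2, 1};
```

With fixed chunks the per-write scheme yields one distinct line (sysklogd folds the rest), with rotating chunks it yields one line per write, and the counter scheme yields a single summary line either way.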

Attachments
sftplogmeltdown.patch, a patch to sftp-client.c which modifies the -B (buffer) option in sftp to rotate the buffer size 
instead of using a fixed-size buffer. This causes sftp-server to log messages like

Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file

thus flooding the logs.

Vendor notification
Vendor notified August 20, 2006 and given 2 weeks to fix. I'm late in reporting this to the list.

Availability
This document, with associated patch, is released on my domain:

    * http://mrtheplague.net/security/2006-sftplogging.html
    * http://mrtheplague.net/security/sftplogmeltdown.patch

"Greetz", as it were, to Houdini, Chamuco, and Mom.
pi 2006-08-20


-- 
printk(KERN_CRIT PFX "Reboot didn't ?????\n");
    linux-2.6.6/drivers/char/watchdog/softdog.c
