CVE request: proftpd: mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication

[Agostino Sarubbo <ago () gentoo org>]

Hello,

From: 
http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/

ProFTPd installs with mod_sftp and mod_sftp_pam activated contain the 
vulnerability described in this post.

The current stable release of ProFTPd is 1.3.4d and the current release 
candidate is 1.3.5rc3.

First I have to note that this vulnerability is unlikely to be exploited. 
There is a way to control $rip instruction pointer

on 64 bit systems, for example on the Ubuntu 64Bit platform but I believe that 
it is not possible to get full code execution with this bug.

The bug is useful to trigger a large heap allocation and exhaust all available 
system memory of the underlying operating system.

Inside the file located at proftpd-1.3.5rc2/contrib/mod_sftp/kbdint.c ProFTPd 
handles the SSH keyboard interactive authentication procedure, in this case it 
will use pam as an authentication library therefore mod_sftp_pam has to be 
active for an installation to be vulnerable.

Source code file and line kbdint.c:300 reads:

[1] resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);

[2] list = make_array(p, resp_count, sizeof(char *));
for (i = 0; i < resp_count; i++) {
char *resp;

resp = sftp_msg_read_string(pkt->pool, &buf, &buflen);
*((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
}

Line 1 will read the kbdint response count which is an unsigned integer with a 
size of 32 bits from the client during an SSH kbdint userauth info response 
client request.

This value is used to allocate a buffer with the size 
user_supplied_uint32_value multiplied by the size of a char pointer being 
32bits or 64bits depending on the platform.

There is no size check before the request is sent to the pool allocator that 
is called by make_array at Line 2.

The pool allocator can be tricked to handle negative allocation sizes if 
resp_count is large enough.

There is a size check of the response count value but it’s done after this 
function returns.

The DoS condition can be triggered by sending an int32 value for resp_count 
that is slightly below the available memory of the target system and repeating 
the request.

Noteably OpenSSH vulnerability CVE-2002-0640 is very similar to this ProFTPd 
vulnerability. It has the very same code path.

Here is a reference to the OpenSSH Challenge-Response Authentication bug that 
was exploited by GOBBLES Security in their year 2002 sshutuptheo.tgz exploit: 
http://lwn.net/Articles/3531/.

Usage of keyboard interactive authentication in ProFTPd mod_sftp is rare as it 
is not activated by default.
-- 
Agostino Sarubbo
Gentoo Linux Developer