Re: [Full-disclosure] VSFTPD Remote Heap Overrun (low severity)



This is afaik a patched CVE in Linux glibc [1] which can be triggered through
the very secure ftp daemon [2] so it will only work on older linux distros.
Be aware that vsftpd has privilege seperation built in so this bug
will not yield a root shell.
It could yield root only in junction with a linux kernel vulnerability
because the attacker
will not be able to break the chroot without being root.
This bug has a low severity because it's hard to exploit.
Linux systems without patched glibc are vulnerable even if the latest
version vsftpd-2.3.4 is installed.
The bug is in the glibc timezone code. vsftpd loads timezone files
from /usr [3]. If the attacker is inside a chroot
he can easily create this directory and the timezone file and trigger
the heap overrun.

A Debugging Session illustrating the bug can be found on youtube:
http://www.youtube.com/watch?v=KRCuozBM_dQ
I did a brief analysis of this issue. And it seems vsftpd does not add anything to this as an attack vector. Althought we can control the size of the chunk to be allocated (i.e. transitions), and can arbitrarily allocate this chunk from fast bins, the main arena, or eventually, a new mmap()'ed heap. We do not have any control over when its adjacent chunks are allocated, freed, the type of their contents, when they will be used, how they will be used, and if they will be used and useful at all. In addition, the data used to overflow (i.e. transition times) are read and decoded as 4-byte integers in network (big-endian) byte order, which increases the difficulty in faking any structure, such as the adjacent allocated chunk to, at least, get outside of glibc scope after the overflow--since all return paths from __tzfile_read frees our controlled previously allocated chunk.

Do you or anyone know a way to potentially exploit this vulnerability?


Cheers!
Thanks,


[1] http://dividead.wordpress.com/tag/heap-overflow/
[2] https://security.appspot.com/vsftpd.html
[3] For example /usr/share/zoneinfo/UTC-01:00

/Kingcope


--
Ramon de C Valle / Red Hat Security Response Team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: Given Up on Linux1
    ... Once I had done enough work and investigated the existing bug reports on ... > dealt with thousands of computers, you should be lucky I'm even ... newbie to Linux. ... But there had not been a windows problem in 12 years I ...
    (alt.os.linux)
  • Re: M$ attack on Common Sense
    ... I've used linux for several years, at home, as my main desktop, and I ... Instead I've been able to download the ISOs from trusted sources, ... Contrast that with every install I've done with a retail version of M$ ... Even if the same bug affects 95, 98, ME, XP, ...
    (alt.computer.security)
  • Re: M$ attack on Common Sense
    ... I've used linux for several years, at home, as my main desktop, and I ... Instead I've been able to download the ISOs from trusted sources, ... Contrast that with every install I've done with a retail version of M$ ... Even if the same bug affects 95, 98, ME, XP, ...
    (comp.os.ms-windows.nt.admin.security)
  • Re: M$ attack on Common Sense
    ... I've used linux for several years, at home, as my main desktop, and I ... Instead I've been able to download the ISOs from trusted sources, ... Contrast that with every install I've done with a retail version of M$ ... Even if the same bug affects 95, 98, ME, XP, ...
    (comp.os.linux.misc)
  • Re: Linux vs MS Security
    ... This code will lock up any P5 machine, even usermode Linux! ... ] problem doesn't show itself for the Pentium Pro or Pentium 2. ... Nov 1997 16:38:48 -0700 announcing the BSDi fix. ... Pentium bug workaround, please test! ...
    (comp.os.linux)