Full Disclosure mailing list archives
SFTPLogging patch log flooding vulnerability
From: Anthony Martinez <fd () pi mrtheplague net>
Date: Fri, 8 Sep 2006 18:46:49 -0600
Log flooding vulnerability in "sftplogging" patch
Severity: low
Anthony Martinez (Pi), fd () pi mrtheplague net
August 20, 2006

Synopsis

sftplogging patches rely on sysklogd to catch repeated messages. This could be exploited by a malicious user with an account to inundate syslogd and possibly make it drop messages, hiding other activity.

About the patch

sftplogging patches are available from the author's sourceforge site, http://sftplogging.sf.net/:

"This patch for openssh does several things. It allows secure ftp sessions to be logged on the ftp server; it allows one to designate a umask for ftp sessions, this umask overrides any other umask setting, including what the client sends; and it allows one to designate whether the ftp client is allowed to execute "chown" or "chgrp" commands on the server."

Description

SFTP Logging patched servers, when LogSFTP is on, log the size of transferred files by repeatedly calling logit() with the number of bytes transferred. This goes badly when an SSH client sends one chunk of, say, 1 byte, then varies the chunk size, possibly to 2 bytes, and continues that process for a large file: sysklogd's repeated-message suppression never triggers, and sysklogd can be driven to drop messages. This dropping of messages may or may not hide other activity on the system. On syslog daemons, such as syslog-ng, that do not track repeated messages, this could be used to fill up log space as well. If remote logging is enabled, this could also flood the network with traffic.

Proof of concept

sftplogmeltdown is a patch for sftp-client to cycle between buffer sizes, decrementing the size with each write. This defeats syslog protection against repeated messages. A thusly-patched sftp client with the -B 3 option, uploading a large enough file, is enough to cause syslog stress and have it drop messages.
Mitigation

Modify sftplogging patches to hold a size_t sized counter, increment it with each write length, and log that at the end of the transaction, instead of relying incorrectly on syslogd behavior.

Attachments

sftplogmeltdown.patch, a patch to sftp-client.c which modifies the -B (buffer) option in sftp to rotate the buffer size instead of using a fixed-size buffer. This causes sftp-server to log messages like

    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
    Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file

thusly flooding the logs.

Vendor notification

Vendor notified August 20, 2006 and given 2 weeks to fix. I'm late in reporting this to the list.

Availability

This document, with associated patch, is released on my domain:

* http://mrtheplague.net/security/2006-sftplogging.html
* http://mrtheplague.net/security/sftplogmeltdown.patch

"Greetz", as it were, to Houdini, Chamuco, and Mom.
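The counter-based mitigation the advisory proposes, as an added example that is not the sftplogging patch's own code nor OpenSSH's. It models the two server-side logging strategies side by side: one logit() call per write (the behaviour the advisory describes) versus a size_t accumulator logged once at close. The struct, field names, `logit_line()` and `simulate_transfer()` are assumptions made for the illustration; the real sftp-server handle table and logit() differ. The driver cycles through a list of chunk sizes so that the number of log lines each strategy produces can be compared for the same transfer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed per-file-handle state a patched sftp-server would keep
 * (field names are illustrative, not OpenSSH's Handle struct). */
struct sftp_handle {
    char name[64];
    size_t bytes_written;  /* mitigation: accumulated across all writes */
    int open;
};

/* Stand-in for OpenSSH's logit(): counts calls so the two strategies can
 * be measured; a real server would hand the line to syslog. */
static unsigned long logit_calls;

static void logit_line(const char *line)
{
    logit_calls++;
    printf("sftp-server: %s\n", line);
}

/* Pattern the advisory describes: one log line per SSH_FXP_WRITE, so the
 * client's choice of chunk size decides how many lines syslog receives. */
static void write_log_per_chunk(struct sftp_handle *h, size_t len)
{
    char buf[128];
    h->bytes_written += len;
    snprintf(buf, sizeof buf, "writing %zu bytes to file %s", len, h->name);
    logit_line(buf);
}

/* Mitigation from the advisory: accumulate in a size_t counter and log the
 * total once at close, so the line count is independent of chunking. */
static void write_counted(struct sftp_handle *h, size_t len)
{
    h->bytes_written += len;
}

static void close_counted(struct sftp_handle *h)
{
    char buf[128];
    snprintf(buf, sizeof buf, "wrote %zu bytes to file %s",
             h->bytes_written, h->name);
    logit_line(buf);
    h->open = 0;
}

/* Drive one upload of `total` bytes whose write lengths cycle through
 * `sizes` (all > 0). Returns the number of log lines emitted; the bytes
 * the server accounted for are stored in *bytes_out. */
unsigned long simulate_transfer(size_t total, const size_t *sizes,
                                size_t nsizes, int counted, size_t *bytes_out)
{
    struct sftp_handle h = { "upload.bin", 0, 1 };
    size_t sent = 0, i = 0;

    logit_calls = 0;
    while (sent < total) {
        size_t len = sizes[i++ % nsizes];
        if (len == 0)
            break;              /* invalid chunk list; stop rather than spin */
        if (len > total - sent)
            len = total - sent; /* last chunk is short */
        if (counted)
            write_counted(&h, len);
        else
            write_log_per_chunk(&h, len);
        sent += len;
    }
    if (counted)
        close_counted(&h);
    if (bytes_out)
        *bytes_out = h.bytes_written;
    return logit_calls;
}

int main(void)
{
    /* Constructed chunk pattern matching the 3/2/1 byte writes shown in
     * the advisory's log excerpt. */
    const size_t sizes[] = { 3, 2, 1 };
    size_t bytes = 0;
    unsigned long lines;

    lines = simulate_transfer(30, sizes, 3, 0, &bytes);
    printf("per-write logging: %lu lines for %zu bytes\n", lines, bytes);
    lines = simulate_transfer(30, sizes, 3, 1, &bytes);
    printf("counted logging:   %lu line for %zu bytes\n", lines, bytes);
    return 0;
}
```

With per-write logging the number of log lines is exactly the number of writes, which the client controls; with the accumulator it is one line per file regardless of how the transfer is chunked, so syslog's repeated-message suppression is no longer part of the security boundary.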
pi 2006-08-20
-- printk(KERN_CRIT PFX "Reboot didn't ?????\n"); linux-2.6.6/drivers/char/watchdog/softdog.c

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/