-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2010-008
                 =================================

Topic:          sftp(1)/ftp(1)/glob(3) related resource exhaustion

Version:        NetBSD-current: source prior to July 7, 2010
                NetBSD 5.0.2:   affected
                NetBSD 5.0:     affected
                NetBSD 4.0.1:   affected
                NetBSD 4.0:     affected

Severity:       remote sftp/ftp DoS attack

Fixed:          NetBSD-current:         Jul 7, 2010
                NetBSD-5 branch:        Jul 20, 2010
                NetBSD-5-0 branch:      Jul 20, 2010
                NetBSD-4 branch:        Aug 5, 2010
                NetBSD-4-0 branch:      Aug 5, 2010

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

In 2001 GLOB_LIMIT was added to glob(3) to limit the potential amount of
memory used by globbed patterns. Unfortunately this implementation had
many limitations and did not do enough to limit memory or CPU attacks.

This bug affects:

1. ftpd(8), where a user can DoS the ftp service or increase the load
   on the machine.

2. sftp(1), the secure file transfer program which comes with OpenSSH.
   sftp(1) does not use GLOB_LIMIT to limit glob(3) patterns at all,
   so it can be DoS'ed in even more ways.


Technical Details
=================

The limitations of GLOB_LIMIT were:

        - the buffer limit was too high
        - it did not limit the number of readdir(3) calls
        - it did not limit the number of stat(2) calls

Patterns like:

        */../*/../*/../*/../*/../*/../*

and

        */{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*

were not handled properly in all situations. Each "*" component is
expanded against every path produced by the components before it, and
each ".." (or each brace alternative) leads straight back into the same
directory, so the number of candidate paths, and with it the number of
readdir(3) and stat(2) calls, grows geometrically with the length of the
pattern. One could DoS programs either by memory exhaustion or by CPU
utilization (many readdir(3) and stat(2) calls).


Solutions and Workarounds
=========================

- - Don't run ftpd/sftp

- - Patch, recompile and reinstall libc, restart ftpd.
  Patch, recompile and reinstall sftp.
  Patch, recompile and reinstall /rescue.

        CVS branch      file                                                    revision
        -------------   ----------------                                        --------
        HEAD            src/lib/libc/gen/glob.3                                 1.37
        HEAD            src/lib/libc/gen/glob.c                                 1.26
        HEAD            src/crypto/external/bsd/openssh/dist/sftp-glob.c        1.3
        HEAD            src/crypto/external/bsd/openssh/dist/sftp.c             1.3

        netbsd-5-0      src/lib/libc/gen/glob.3                                 1.23.14.1
        netbsd-5-0      src/lib/libc/gen/glob.c                                 1.23.10.1
        netbsd-5-0      src/crypto/dist/ssh/sftp.c                              1.23.12.1
        netbsd-5-0      src/crypto/dist/ssh/sftp-glob.c                         1.13.28.1

        netbsd-5        src/lib/libc/gen/glob.3                                 1.23.8.1
        netbsd-5        src/lib/libc/gen/glob.c                                 1.23.4.1
        netbsd-5        src/crypto/dist/ssh/sftp.c                              1.23.8.1
        netbsd-5        src/crypto/dist/ssh/sftp-glob.c                         1.13.24.1

        netbsd-4-0      src/lib/libc/gen/glob.3                                 1.30.12.1
        netbsd-4-0      src/lib/libc/gen/glob.c                                 1.18.10.1
        netbsd-4-0      src/crypto/dist/ssh/sftp.c                              1.21.6.1
        netbsd-4-0      src/crypto/dist/ssh/sftp-glob.c                         1.13.12.1

        netbsd-4        src/lib/libc/gen/glob.3                                 1.30.4.1
        netbsd-4        src/lib/libc/gen/glob.c                                 1.18.2.1
        netbsd-4        src/crypto/dist/ssh/sftp.c                              1.21.2.1
        netbsd-4        src/crypto/dist/ssh/sftp-glob.c                         1.13.2.1

The following instructions briefly summarize how to update and
recompile libc and sftp.
In these instructions, replace:

        BRANCH  with the appropriate CVS branch (from the above table)
        FILES   with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libc and sftp:

  * NetBSD-current:

        # cd src
        # cvs update -d -P -r BRANCH lib/libc/gen crypto/external/bsd/openssh
        # cd lib/libc
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../crypto/external/bsd/openssh
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../../../rescue
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

  * NetBSD 5.*/4.*:

        # cd src
        # cvs update -d -P -r BRANCH lib/libc/gen usr.bin/ssh/sftp-server
        # cd lib/libc
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../usr.bin/ssh/sftp-server
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../../rescue
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

        http://www.netbsd.org/guide/en/chap-build.html


Thanks To
=========

Maksymilian Arciemowicz for finding, suggesting fixes, and testing.
Christos Zoulas for fixing the problem.


Revision History
================

        2010-10-06      Initial release


More Information
================

Advisories may be updated as new information becomes available. The
most recent version of this advisory (PGP signed) can be found at

        http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-008.txt.asc

Information about NetBSD and NetBSD security can be found at

        http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2010-008.txt,v 1.1 2010/10/06 20:54:45 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)

iQIcBAEBAgAGBQJMrPENAAoJEAZJc6xMSnBufrgQAJ5yuaKMss5kssmLjtgDtFWf
1IsRaA7peNjkoG7CP9IPDXrnCVrHES2QTCk5++OYALlbx1A+cvBFq+Bc2B01UeCz
1GgMWMHeiL5v1CRfnxqE/W3rWaZvvZCsl/fpK+i6oq7wcwe9Y5ucyezBe2Xcv6K5
FkotMy60JMBATRFX9vKfkEYDW9CNuH10WNJmU1rCtvGthoxA8e/xGQbiu4U1ZtSp
TPnP+YdAKPiarUg9YCrC9wG0anaMUsEM7RgYdQIlj4OKSYK7GTesaWvu94WyCoPw
ufTkvnoDbU03FadVBut5K9Zyqn2fUGWLE4/MX39DmBG0gD9b/vAcQsrjqSVgbuFw
w6xojErSNNTo3cB9DA2NW972NYzAHzO8QA0agov9KP5oG3kiAiIxH7hyUWBajRND
g5s3hB2lhQLI4V5eAIMQpLpR94CB+kxnEs2CuMMaxdartE/DLEfCxsPZ0XdJhMSX
bAeR0wzqRwYo8bpSJ21sE2aMWAo0vnSpv7BFFOTMzFvrRkUSfrVAH+9hVqiLCE/9
rRC1txSgfaAYEuYu0Qs0yIGM7wXe3bU8TdcHK3F+V9ogRUylaDT2N06/dirWcGUR
NQBh1ADF4EaCdvU1hLRFMPCqYJVny5GZdCdCQjN6K+RqGfa3w/GVhHVnKL4MtBKs
cNnJeYJ/W92fGbktsoAZ
=iPnO
-----END PGP SIGNATURE-----