Full Disclosure: SFTPLogging patch log flooding vulnerability

From: Anthony Martinez <fd_at_pi.mrtheplague.net>
Date: Fri, 8 Sep 2006 18:46:49 -0600

Log flooding vulnerability in "sftplogging" patch
Severity: low

Anthony Martinez (Pi), fd_at_pi.mrtheplague.net

August 20, 2006

Synopsis
sftplogging patches rely on sysklogd to catch repeated messages. This could be exploited by a malicious user with an account, and cause the syslogd to be inundated and possibly drop messages, hiding other activity.

About the patch
sftplogging patches are available from the author's sourceforge site, http://sftplogging.sf.net/:

"This patch for openssh does several things. It allows secure ftp sessions to be logged on the ftp server; it allows one to designate a umask for ftp sessions, this umask overrides any other umask setting, including what the client sends; and it allows one to designate whether the ftp client is allowed to execute "chown" or "chgrp" commands on the server."

Description
SFTP Logging patched servers, when LogSFTP is on, log the size of transferred files by repeatedly calling logit() with the number of bytes transferred.

This goes badly for us when an SSH client sends one chunk of, say, 1 byte, then varies the chunk size, say to 2 bytes, and continues that pattern for a large file: no two consecutive log lines are identical, so sysklogd's repeat suppression never engages, and sysklogd can be driven to drop messages. This dropping of messages may or may not hide other activity on the system.

On syslog daemons, such as syslog-ng, that do not track repeated messages, this could be used to fill up log space as well.

If remote logging is enabled, this could also flood the network with traffic.

Proof of concept
sftplogmeltdown is a patch for sftp-client that cycles between buffer sizes, decrementing the size with each write. This defeats syslog's protection against repeated messages. A thusly-patched sftp client with the -B 3 option, uploading a large enough file, is enough to cause syslog stress and have it drop messages.

Mitigation
Modify sftplogging patches to hold a size_t sized counter, increment with each write length, and log that at the end of the transaction, instead of relying incorrectly on syslogd behavior.
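The following is an added example, not code from this advisory or from the sftplogging patch. It puts the per-write logging pattern the Description section describes next to the counter-based fix suggested above, and models sysklogd-style "last message repeated N times" suppression so the effect of the 3/2/1 chunk rotation shown in the sample log can be measured. All function and structure names (logit_sim, log_per_write, counted_write, log_at_close, and the rest) are hypothetical, and the chunk-size arrays are constructed for the example.

```c
/* Added example, not the advisory's or the sftplogging patch's code.
 * Contrasts one-log-line-per-write (the vulnerable pattern) with a
 * size_t counter logged once per transfer (the suggested fix), and
 * models sysklogd repeat suppression to show why varying chunk sizes
 * defeat it. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINES 64
#define LINE_LEN  64

/* In-memory stand-in for logit()/syslog(): records each submitted line. */
struct logbuf {
    char lines[MAX_LINES][LINE_LEN];
    size_t n;
};

static void logit_sim(struct logbuf *lb, const char *msg)
{
    if (lb->n < MAX_LINES)
        snprintf(lb->lines[lb->n++], LINE_LEN, "%s", msg);
}

/* Model of sysklogd repeat suppression: each run of identical consecutive
 * messages reaches the log as one line, plus one "last message repeated
 * N times" line when the run is longer than one. Returns how many lines
 * would actually be written. */
size_t lines_after_repeat_suppression(const struct logbuf *lb)
{
    size_t emitted = 0, i = 0;
    while (i < lb->n) {
        size_t j = i + 1;
        while (j < lb->n && strcmp(lb->lines[j], lb->lines[i]) == 0)
            j++;
        emitted += (j - i > 1) ? 2 : 1;
        i = j;
    }
    return emitted;
}

/* Vulnerable pattern: log the byte count of every write. Consecutive
 * writes of different sizes never yield identical lines, so suppression
 * never collapses them. */
static void log_per_write(struct logbuf *lb, const size_t *chunks, size_t n)
{
    char msg[LINE_LEN];
    for (size_t i = 0; i < n; i++) {
        snprintf(msg, sizeof msg, "writing %zu bytes to file", chunks[i]);
        logit_sim(lb, msg);
    }
}

/* Suggested fix: accumulate per transfer, log once when it closes. */
struct transfer {
    size_t bytes_written;
    size_t writes;
};

static void counted_write(struct transfer *t, size_t len)
{
    t->bytes_written += len;
    t->writes++;
}

static void log_at_close(struct logbuf *lb, const struct transfer *t)
{
    char msg[LINE_LEN];
    snprintf(msg, sizeof msg, "wrote %zu bytes to file in %zu writes",
             t->bytes_written, t->writes);
    logit_sim(lb, msg);
}

/* Constructed inputs: the 3/2/1 rotation from the advisory's sample log,
 * and a well-behaved client using a fixed 3-byte chunk for comparison. */
const size_t rotating_chunks[15] = {3,2,1, 3,2,1, 3,2,1, 3,2,1, 3,2,1};
const size_t fixed_chunks[15]    = {3,3,3, 3,3,3, 3,3,3, 3,3,3, 3,3,3};

/* Lines reaching the log under the per-write pattern, after suppression. */
size_t per_write_log_lines(const size_t *chunks, size_t n)
{
    struct logbuf lb = { .n = 0 };
    log_per_write(&lb, chunks, n);
    return lines_after_repeat_suppression(&lb);
}

/* Lines reaching the log under the counted pattern (always one). */
size_t counted_log_lines(const size_t *chunks, size_t n)
{
    struct logbuf lb = { .n = 0 };
    struct transfer t = { 0, 0 };
    for (size_t i = 0; i < n; i++)
        counted_write(&t, chunks[i]);
    log_at_close(&lb, &t);
    return lines_after_repeat_suppression(&lb);
}

/* Total bytes the counted pattern reports for a transfer. */
size_t counted_total_bytes(const size_t *chunks, size_t n)
{
    struct transfer t = { 0, 0 };
    for (size_t i = 0; i < n; i++)
        counted_write(&t, chunks[i]);
    return t.bytes_written;
}

int main(void)
{
    printf("per-write, rotating sizes: %zu lines\n",
           per_write_log_lines(rotating_chunks, 15));
    printf("per-write, fixed size:     %zu lines\n",
           per_write_log_lines(fixed_chunks, 15));
    printf("counted, rotating sizes:   %zu line(s), %zu bytes\n",
           counted_log_lines(rotating_chunks, 15),
           counted_total_bytes(rotating_chunks, 15));
    return 0;
}
```

With fifteen 3-byte writes the per-write pattern costs two log lines after suppression; with the same fifteen writes at rotating sizes it costs fifteen, one per write, which is the growth the advisory is describing. The counted version costs one line regardless of how the client splits the transfer, and it still records the total size, so the fix loses nothing the original logging was meant to capture.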

Attachments
sftplogmeltdown.patch, a patch to sftp-client.c which modifies the -B (buffer) option in sftp to rotate the buffer size instead of using a fixed-size buffer. This causes sftp-server to log messages like

Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 3 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 2 bytes to file
Aug 17 14:47:45 coffeehost sftp-server[20790]: writing 1 bytes to file

thusly flooding the logs.

Vendor notification
Vendor notified August 20, 2006 and given 2 weeks to fix. I'm late in reporting this to the list.

Availability
This document, with associated patch, is released on my domain:

    * http://mrtheplague.net/security/2006-sftplogging.html
    * http://mrtheplague.net/security/sftplogmeltdown.patch

"Greetz", as it were, to Houdini, Chamuco, and Mom.
pi 2006-08-20

-- 
printk(KERN_CRIT PFX "Reboot didn't ?????\n");
    linux-2.6.6/drivers/char/watchdog/softdog.c