
NetBSD Security Advisory 2023-007: multiple vulnerabilities in ftpd(8)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

		 NetBSD Security Advisory 2023-007
		 =================================

Topic:	multiple vulnerabilities in ftpd(8)

Version:	NetBSD-current:		affected prior to 2023-10-01
		NetBSD 10.0_BETA:	affected prior to 2023-10-01
		NetBSD 9.3:		affected
		NetBSD 9.2:		affected
		NetBSD 9.1:		affected
		NetBSD 9.0:		affected
		NetBSD 8.2:		affected
		NetBSD 8.1:		affected
		NetBSD 8.0:		affected
		tnftpd:			prior to tnftpd-20231001

Severity: A remote unauthenticated attacker may obtain a directory listing;
potential buffer overflows.

Fixed:		NetBSD-current:		2023-09-30
		NetBSD-10 branch:	2023-10-02
		NetBSD-9 branch:	2023-10-02
		NetBSD-8 branch:	2023-10-03
		tnftpd:			tnftpd-20231001

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A vulnerability in the NetBSD FTP server allows unauthenticated
users to execute the MLST and MLSD commands. This can lead to
information leakage: an unauthorized party may be able to download
the listing of the current ftpd(8) directory. This vulnerability
has been assigned CVE-2023-45198.

Additionally, a potential buffer overflow in count_users() and an
out-of-bounds read caused by the wrong struct type being passed to
pam_set_item() have been identified.

Technical Details
=================

The NetBSD FTP server had a security flaw that allowed the MLST and
MLSD commands to be executed without prior authentication. This could
enable unauthorized users to retrieve directory listings and
information about files on the server, leading to an information
leak. Note that although an unauthenticated user can execute MLST
and MLSD, this only allows an attacker to operate on the current
directory of the ftpd(8) process.
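The fix class for the MLST/MLSD issue is a login gate that every command passes through by default. The following is an added example, not NetBSD ftpd code: a small FTP command dispatcher in which only commands explicitly listed as pre-login (USER, PASS, QUIT) are reachable before authentication, so a command such as MLSD cannot be reached unauthenticated by omission. The session structure, the reply codes chosen and the "anonymous" sample credential are constructed for the example.

```c
/* Added example, not NetBSD ftpd code: an FTP command dispatcher that
 * requires login for every command unless the command is explicitly
 * listed as usable before login. */
#include <string.h>
#include <strings.h>

struct session {
    int logged_in;      /* set only after a successful PASS */
    char user[32];      /* user name given by USER */
};

void session_init(struct session *s)
{
    memset(s, 0, sizeof(*s));
}

/* Commands usable before login. Everything else requires login,
 * so a newly added command defaults to the safe side. */
static const char *const prelogin_cmds[] = { "USER", "PASS", "QUIT", NULL };

static int allowed_before_login(const char *cmd)
{
    for (const char *const *p = prelogin_cmds; *p != NULL; p++)
        if (strcasecmp(cmd, *p) == 0)
            return 1;
    return 0;
}

/* Returns the FTP reply code the server would send for one command line.
 * Constructed sample policy: user "anonymous" with any password logs in. */
int dispatch(struct session *s, const char *line)
{
    char cmd[8];
    const char *arg;
    size_t n = strcspn(line, " \r\n");

    if (n == 0 || n >= sizeof(cmd))
        return 500;                     /* syntax error */
    memcpy(cmd, line, n);
    cmd[n] = '\0';
    arg = line + n;
    while (*arg == ' ')
        arg++;

    /* The gate: anything not whitelisted for pre-login is refused
     * until the session is authenticated. */
    if (!s->logged_in && !allowed_before_login(cmd))
        return 530;                     /* "Please login with USER and PASS." */

    if (strcasecmp(cmd, "USER") == 0) {
        strncpy(s->user, arg, sizeof(s->user) - 1);
        s->user[sizeof(s->user) - 1] = '\0';
        s->user[strcspn(s->user, "\r\n")] = '\0';   /* strip CRLF */
        return 331;                     /* user OK, need password */
    }
    if (strcasecmp(cmd, "PASS") == 0) {
        if (strcmp(s->user, "anonymous") == 0) {
            s->logged_in = 1;
            return 230;                 /* logged in */
        }
        return 530;                     /* login incorrect */
    }
    if (strcasecmp(cmd, "QUIT") == 0)
        return 221;
    if (strcasecmp(cmd, "MLST") == 0)
        return 250;                     /* single-entry facts would follow */
    if (strcasecmp(cmd, "MLSD") == 0)
        return 150;                     /* listing would go over the data connection */
    return 502;                         /* command not implemented */
}
```

The point of the table is its direction: the dispatcher does not ask "which commands need login?" but "which commands are allowed without it?", so the default for anything unlisted, including MLST and MLSD, is a 530 reply.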

Another issue is associated with the count_users() function, which
potentially used uninitialized memory. If the file was previously
empty, the pids table used by the daemon is not set; the code
nevertheless used pids[0], which is uninitialized in this case. In
some scenarios this may propagate a garbage value from pids[0] to the
file and cause a write outside of allocated memory.

Additionally, two other weaknesses have been identified. pam_set_item()
used with the PAM_SOCKADDR option expects a sockaddr_storage structure.
Instead, the internal struct sockinet was passed. Because its length is
shorter than that of sockaddr_storage, libpam also copied memory
outside of the sockinet struct.
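The pam_set_item() issue is a size contract violation: the consumer copies sizeof(struct sockaddr_storage) bytes from whatever pointer it is handed. The following added example (not NetBSD ftpd or libpam code) shows the mismatch and the staging pattern that fixes it. struct small_sockinet is a hypothetical stand-in for ftpd's internal struct sockinet, whose real layout is not reproduced here, and consumer_take_sockaddr() stands in for a PAM_SOCKADDR consumer; the loopback peer address is constructed sample input.

```c
/* Added example, not NetBSD ftpd or libpam code: a consumer that expects
 * a full struct sockaddr_storage, a caller-side size check, and the
 * staging pattern that makes the call safe. */
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical stand-in for ftpd's internal struct sockinet (assumption:
 * the real layout differs). What matters is that it is much smaller
 * than struct sockaddr_storage. */
struct small_sockinet {
    struct sockaddr_in si_sin;
};

/* Stand-in for the consumer: copies the full storage size, as a consumer
 * of a PAM_SOCKADDR item would. Passing anything smaller than a
 * sockaddr_storage here reads past the end of the caller's object. */
static void consumer_take_sockaddr(struct sockaddr_storage *dst, const void *item)
{
    memcpy(dst, item, sizeof(*dst));
}

/* Check a caller can apply before handing an object to the consumer:
 * returns 1 only if an object of object_size bytes satisfies the contract. */
int item_fits(size_t object_size)
{
    return object_size >= sizeof(struct sockaddr_storage);
}

/* How many bytes past the end of struct small_sockinet the consumer
 * would read if the small struct were passed directly (the bug). */
size_t overread_bytes_if_passed_directly(void)
{
    return sizeof(struct sockaddr_storage) - sizeof(struct small_sockinet);
}

/* The fix pattern: stage the address into a zeroed sockaddr_storage of
 * the size the consumer expects, and pass that object instead. */
int set_sockaddr_item_safely(const struct small_sockinet *src,
                             struct sockaddr_storage *out)
{
    struct sockaddr_storage ss;

    if (sizeof(src->si_sin) > sizeof(ss))
        return -1;                      /* never true here, but keeps the contract explicit */
    memset(&ss, 0, sizeof(ss));
    memcpy(&ss, &src->si_sin, sizeof(src->si_sin));
    consumer_take_sockaddr(out, &ss);   /* every byte read lies inside ss */
    return 0;
}

/* Builds a constructed sample peer (127.0.0.1:port), stages it through the
 * safe path, and returns the port recovered from the staged copy, or -1. */
int staged_sample_port(uint16_t port)
{
    struct small_sockinet s;
    struct sockaddr_storage out;
    struct sockaddr_in back;

    memset(&s, 0, sizeof(s));
    s.si_sin.sin_family = AF_INET;
    s.si_sin.sin_port = htons(port);
    s.si_sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (set_sockaddr_item_safely(&s, &out) != 0 || out.ss_family != AF_INET)
        return -1;
    memcpy(&back, &out, sizeof(back));
    return ntohs(back.sin_port);
}
```

The deliberately unsafe call (handing &s straight to the consumer) is not executed here because it is an out-of-bounds read; overread_bytes_if_passed_directly() reports how far past the object such a call would read on the building platform.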

Solutions and Workarounds
=========================

As a temporary workaround, ftpd(8) can be disabled.

To apply a fixed version from a releng build, fetch a fitting base.tgz
from nycdn.NetBSD.org and extract the fixed binaries:

cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
tar -C / -xzpf /var/tmp/base.tgz ./usr/libexec/ftpd

with the following replacements:
REL   = the release version you are using
BUILD = the source date of the build. %DATE%* and later will fit
ARCH  = your system's architecture

The following instructions describe how to upgrade your ftpd(8)
binaries by updating your source tree and rebuilding and installing
a new version of ftpd(8).

* NetBSD-current:

	Systems running NetBSD-current dated from before 2023-09-30
	should be upgraded to NetBSD-current dated 2023-10-01 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/libexec/ftpd

	To update from CVS, re-build, and re-install ftpd(8):

		# cd src
		# cvs update -d -P src/libexec/ftpd
		# cd src/libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 9.*:

	Systems running NetBSD 9.* sources dated from before
	2023-10-02 should be upgraded to NetBSD 9.* sources dated
	2023-10-03 or later.

	The following files/directories need to be updated from the
	netbsd-9 branch:
		src/libexec/ftpd

	To update from CVS, re-build, and re-install ftpd(8):

		# cd src
		# cvs update -r netbsd-9 -d -P src/libexec/ftpd
		# cd src/libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 8.*:

	Systems running NetBSD 8.* sources dated from before
	2023-10-03 should be upgraded to NetBSD 8.* sources dated
	2023-10-04 or later.

	The following files/directories need to be updated from the
	netbsd-8 branch:
		src/libexec/ftpd

	To update from CVS, re-build, and re-install ftpd(8):

		# cd src
		# cvs update -r netbsd-8 -d -P src/libexec/ftpd
		# cd src/libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* tnftpd (or older installations):

	Rebuild tnftpd from sources. The tnftpd-20231001 distribution is at:
		https://cdn.netbsd.org/pub/NetBSD/misc/tnftp/tnftpd-20231001.tar.gz
		https://cdn.netbsd.org/pub/NetBSD/misc/tnftp/tnftpd-20231001.tar.gz.asc

Thanks To
=========

Mateusz Kocielski (shm@) who analyzed this problem and supplied the fixes.
Luke Mewburn (lukem@) and Taylor R Campbell (riastradh@) for reviewing patches.

Revision History
================

	2023-11-16	Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

	https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-007.txt.asc

Information about NetBSD and NetBSD security can be found at

	https://www.NetBSD.org/
	https://www.NetBSD.org/Security/

Copyright 2023, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----