The Black Duck Cybersecurity Research Center (CyRC) has identified problems in LightFTP, a small x86-32/x64 FTP server available under the BSD 2-Clause license at https://github.com/hfiref0x/LightFTP.
The server lacks thread safety and can be crashed by anomalous data sent by an anonymous user from a remote network. The crash makes the FTP service unavailable, affecting all users and processes that rely on it for file transfers. If the crash occurs during a file upload or download, the transfer is left incomplete, potentially corrupting data. Repeated crashes might also affect the stability of the underlying system, especially if they lead to resource leaks or affect other services.
The problem is a race condition during worker thread cleanup: https://github.com/hfiref0x/LightFTP/blob/master/Source/ftpserv.c#L240
err = pthread_join(context->WorkerThreadId, &retv);
This section is not protected by a mutex, and the context is shared within the program. There is a two-second sleep before the join; during that sleep, context->WorkerThreadId is changed, which leads to a segmentation fault in pthread_join() and terminates the server. When pthread_join() is called, context->WorkerThreadValid is set to -1, but the caller does not check this flag.
The crash can be triggered, for example, with the following sequence:
The anomaly in the EPRT command initiates cleanup, and setting up a new connection during this cleanup triggers the vulnerability. It can be reproduced with an anonymous user, and multiple different sequences trigger the same race condition.
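A defensive version of the cleanup path, written for this advisory as an added illustration (it is not LightFTP's code or its 2.3.1 fix): the thread id and the WorkerThreadValid flag are read and cleared under one mutex, and the caller honours the flag before calling pthread_join(). The FTPCONTEXT layout, the function names and the 1/-1 flag values are assumptions.

```c
#include <pthread.h>
#include <stdio.h>
/* Hypothetical context modelled on the fields the advisory names; not LightFTP's real struct. */
typedef struct {
    pthread_mutex_t lock;              /* guards both fields below */
    pthread_t       WorkerThreadId;
    int             WorkerThreadValid; /* 1 = joinable, -1 = nothing to join */
} FTPCONTEXT;

static void *worker(void *arg) { (void)arg; return NULL; }
/* Start the worker; publish its id and the valid flag together, under the lock. */
int start_worker(FTPCONTEXT *ctx) {
    pthread_mutex_lock(&ctx->lock);
    int rc = pthread_create(&ctx->WorkerThreadId, NULL, worker, ctx);
    ctx->WorkerThreadValid = (rc == 0) ? 1 : -1;
    pthread_mutex_unlock(&ctx->lock);
    return rc;
}

/* Join the worker at most once. Copying the id out and clearing the flag in one
 * critical section means a cleanup racing with new-connection setup (the sleep
 * window in the advisory) cannot hand pthread_join() a stale id or join twice.
 * Returns 0 if this call joined the thread, -1 if there was nothing to join. */
int join_worker_once(FTPCONTEXT *ctx) {
    pthread_t tid;
    pthread_mutex_lock(&ctx->lock);
    if (ctx->WorkerThreadValid != 1) {      /* the check the original caller skipped */
        pthread_mutex_unlock(&ctx->lock);
        return -1;
    }
    tid = ctx->WorkerThreadId;
    ctx->WorkerThreadValid = -1;
    pthread_mutex_unlock(&ctx->lock);
    return pthread_join(tid, NULL) == 0 ? 0 : -1;
}

/* Cleanup run twice on one context: the first join succeeds, the second is
 * rejected instead of joining a dead id. Returns 1 on the expected outcome. */
int run_scenario(void) {
    FTPCONTEXT ctx = { .lock = PTHREAD_MUTEX_INITIALIZER, .WorkerThreadValid = -1 };
    if (start_worker(&ctx) != 0) return 0;
    int first = join_worker_once(&ctx);
    int second = join_worker_once(&ctx);
    return first == 0 && second == -1;
}
int main(void) {
    printf("hardened cleanup behaved as expected: %d\n", run_scenario());
    return 0;
}
```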
LightFTP version 2.3 is affected. The vulnerability was introduced while the project was fixing another vulnerability, CVE-2023-24042: https://nvd.nist.gov/vuln/detail/CVE-2023-24042.
CVSS 3.1 base score: 7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Update to LightFTP version 2.3.1.
Kari Hulkko from the CyRC discovered these vulnerabilities by using the Defensics® fuzz testing tool with FTP Server protocol test suites.
FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using CVSS. FIRST also states that any individual or organization that publishes scores should follow the guidelines so that anyone can understand how the score was calculated.