[Secure-testing-team] Bug#509333: vsftpd discloses whether usernames are valid or not
Mark Hobley
markhobley at yahoo.co.uk
Sun Dec 21 12:16:02 UTC 2008
Package: vsftpd
Severity: grave
Tags: security
Justification: user security hole
The vsftpd daemon discloses whether usernames supplied by the client are
valid or not.
On connection to the server via a client, if an invalid username is
supplied, a 530 error is immediately returned, instead of a password
prompt being returned before failure.
Here is a sample session:
ftp despina
Connected to despina.markhobley.yi.org
220 Welcome to vsftpd server daemon
Name (despina:mark): shaggy
530 Permission denied.   <--- We should prompt for password before failing here.
Login failed.
By prompting for a password, the user would not know whether the
username or the password is invalid. Without the password prompt, the
user knows that the username is not valid, and can quickly perform a
dictionary attack to obtain system usernames.
This vulnerability was first discovered in September 2003, and has not
yet been patched.
http://securitytracker.com/id?1008628
Testing in December 2008 confirms that the bug is not fixed.
Mark.
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-486
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Versions of packages vsftpd depends on:
ii adduser 3.110 add and remove users and groups
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libcap1 1:1.10-14 support for getting/setting POSIX.
ii libpam-modules 1.0.1-4 Pluggable Authentication Modules f
ii libpam0g 1.0.1-4 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii netbase 4.34 Basic TCP/IP networking system
Versions of packages vsftpd recommends:
ii logrotate 3.7.7-2 Log rotation utility
vsftpd suggests no packages.
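The login exchange described in the report, modelled as an added example (not vsftpd's own code and not part of the original message): a small server-side USER/PASS state machine run in the reported mode and in the fixed mode, so the difference in what a client can learn from the USER reply alone is visible. The account table and the exact reply strings are constructed; the 331/530/230 codes follow the FTP convention.

```python
"""Model of the FTP USER/PASS handshake from the bug report.

Constructed example, not vsftpd's code: a tiny server-side login state
machine run in two modes, to show why replying 530 straight after USER
for an unknown account lets a client tell valid names from invalid ones.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed account table (username -> password); not real credentials.
ACCOUNTS = {"mark": "correct horse", "alice": "battery staple"}


@dataclass
class FtpLogin:
    """Server-side view of one control connection's login phase."""
    accounts: dict
    enumerable: bool              # True reproduces the reported behaviour
    user: Optional[str] = None
    transcript: list = field(default_factory=list)

    def _reply(self, line):
        self.transcript.append(f"S: {line}")
        return line

    def handle(self, command, arg):
        """Process one USER or PASS command and return the server reply."""
        self.transcript.append(f"C: {command} {arg}")
        if command == "USER":
            self.user = arg
            if self.enumerable and arg not in self.accounts:
                # Reported behaviour: 530 before any password is asked for,
                # which tells the client the name does not exist.
                return self._reply("530 Permission denied.")
            # Fixed behaviour: always ask for a password, known name or not.
            return self._reply("331 Please specify the password.")
        if command == "PASS":
            if self.user is not None and self.accounts.get(self.user) == arg:
                return self._reply("230 Login successful.")
            # Same failure reply whether the user or the password was wrong.
            return self._reply("530 Login incorrect.")
        return self._reply("500 Unknown command.")


def user_reply(enumerable, username):
    """Reply a client sees right after USER, before sending any password."""
    return FtpLogin(ACCOUNTS, enumerable).handle("USER", username)


def distinguishes_users(enumerable):
    """True if the USER reply alone separates valid from invalid names."""
    return user_reply(enumerable, "mark") != user_reply(enumerable, "shaggy")
```

In the fixed mode the only failure reply comes after PASS and is identical for an unknown name and a wrong password, which is the behaviour the report asks for.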