xorl %eax, %eax

CVE-2009-0362: fail2ban Incorrect Regular Expression

leave a comment »

Fail2ban is a nice program which I’ve personally used and I know people working on large networks that also use it. It’s a nice way to extend your firewall. You can ban users based on log files. Anyway, this bug affects 0.8.3 release of this great project and it was reported by Chris Butler of Debian on 4 February 2009. File /etc/fail2ban/filter.d/wuftpd.conf has the following regular expression filter:

failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$

What Chris Butler noticed is that when rhost is set to something that looks like an IP. His example was:

rhost=26.232.125.75.gs.dynamic.163data.com.cn

Then, fail2ban will parse <HOST> entry as 26.232.125.75 instead of resolving the actual IP of the above hostname. Using this a malicious user can ban other users by having a hostname starting with the IP address of the user he wants to ban, this DoS was initially fixed by C. Butler using the entire string as <HOST> like this:

- failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$
+ failregex = wu-ftpd\[\d+\]:\s+failed login from .* \[<HOST>\]$

Later, Yaroslav Halchenko submitted a patch that fixes the regular expression that parses the IP addresses at server/filter.py to this:

 class DNSUtils:

-    IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
+    IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3} *$")

Written by xorl

April 22, 2009 at 13:37

Posted in bugs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s