Merge remote-tracking branch 'security/topic/awelzel/121-ftp-timeout-again'

* security/topic/awelzel/121-ftp-timeout-again: ftp: Introduce FTP::max_command_length
2025-10-02 14:48:21 +00:00 · 2022-11-22 12:27:26 -07:00 · 2022-11-22 12:27:26 -07:00 · 9e8833e2d5
commit 9e8833e2d5
parent eb3fb68fcc 3f5cb75a2a
12 changed files with 96 additions and 1 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+5.2.0-dev.357 | 2022-11-22 12:27:26 -0700
+
+  * ftp: Introduce FTP::max_command_length (Arne Welzel, Corelight)
+
+    oss-fuzz produced FTP traffic with a ~550KB long FTP command. Cap FTP command
+    length at 100 bytes, log a weird if a command is larger than that and move
+    on to the next. Likely it's not actual FTP traffic, but raising an
+    analyzer violation would allow clients an easy way to disable the analyzer
+    by sending an overly long command.
+
+    The added test PCAP was generated using a fake Python socket server/client.
+
 5.2.0-dev.355 | 2022-11-22 12:26:50 -0700

  * http: Heuristic around rejecting malformed HTTP/0.9 traffic (Arne Welzel, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-5.2.0-dev.355
+5.2.0-dev.357
--- a/scripts/base/frameworks/notice/weird.zeek
+++ b/scripts/base/frameworks/notice/weird.zeek
@ -136,6 +136,7 @@ export {
 		["FIN_advanced_last_seq"]               = ACTION_LOG,
 		["FIN_after_reset"]                     = ACTION_IGNORE,
 		["FIN_storm"]                           = ACTION_NOTICE_PER_ORIG,
+		["FTP_max_command_length_exceeded"]     = ACTION_LOG_PER_CONN,
 		["FTP_too_many_pending_commands"]       = ACTION_LOG_PER_CONN,
 		["HTTP_bad_chunk_size"]                 = ACTION_LOG,
 		["HTTP_chunked_transfer_for_multipart_message"] = ACTION_LOG,
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -337,6 +337,15 @@ type ftp_port: record {
 	valid: bool;	##< True if format was right. Only then are *h* and *p* valid.
 };

+
+module FTP;
+
+## Limits the size of commands accepted by the FTP analyzer. Longer commands
+## raise a FTP_max_command_length_exceeded weird and are discarded.
+const max_command_length = 100 &redef;
+
+module GLOBAL;
+
 ## Statistics about what a TCP endpoint sent.
 ##
 ## .. zeek:see:: conn_stats
--- a/src/analyzer/protocol/ftp/FTP.cc
+++ b/src/analyzer/protocol/ftp/FTP.cc
@ -96,6 +96,17 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 			// Weird("FTP command missing", end_of_line - orig_line, orig_line);
 			cmd_str = new StringVal("<missing>");
 			}
+		else if ( BifConst::FTP::max_command_length > 0 &&
+		          static_cast<zeek_uint_t>(cmd_len) > BifConst::FTP::max_command_length )
+			{
+			// If the FTP command is unusually long, log a weird if the analyzer
+			// has previously been confirmed, but otherwise just ignore the whole
+			// line and move on to the next.
+			if ( AnalyzerConfirmed() )
+				Weird("FTP_max_command_length_exceeded", util::fmt("%d", cmd_len));
+
+			return;
+			}
 		else
 			cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();

--- a/src/const.bif
+++ b/src/const.bif
@ -11,6 +11,8 @@ const exit_only_after_terminate: bool;
 const digest_salt: string;
 const max_analyzer_violations: count;

+const FTP::max_command_length: count;
+
 const NFS3::return_data: bool;
 const NFS3::return_data_max: count;
 const NFS3::return_data_first_only: bool;
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/conn.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58634	127.0.0.1	21	tcp	ftp	0.213412	358	313	SF	-	-	0	ShAdDaFf	23	1562	17	1205	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/dpd.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/dpd.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
+#types	time	string	addr	port	addr	port	enum	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58634	127.0.0.1	21	tcp	FTP	FTP::max_command_length exceeded
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/ftp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/ftp.log
@ -0,0 +1,15 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ftp
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	password	command	arg	mime_type	file_size	reply_code	reply_msg	data_channel.passive	data_channel.orig_h	data_channel.resp_h	data_channel.resp_p	fuid
+#types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	string	bool	addr	addr	port	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58634	127.0.0.1	21	anonymous	-	USER	anonymous	-	-	230	Response to USER command	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58634	127.0.0.1	21	anonymous	anonymous@zeek.org	SYST	-	-	-	200	Response to TYPEEEEEEEEEEEEE command	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58634	127.0.0.1	21	anonymous	anonymous@zeek.org	PASV	-	-	-	215	Response to SYSTTTTTTTTTTTTT command	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58634	127.0.0.1	21	anonymous	anonymous@zeek.org	RETR	ftp://127.0.0.1/./robots.txt	-	-	225	Response to RETR command	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58634	127.0.0.1	21	anonymous	anonymous@zeek.org	PORT	114,115	-	-	200	Response to PORT command	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/weird.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58634	127.0.0.1	21	FTP_max_command_length_exceeded	132	F	zeek	FTP
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Traces/ftp/fake-long-commands.pcap
+++ b/testing/btest/Traces/ftp/fake-long-commands.pcap
--- a/testing/btest/scripts/base/protocols/ftp/ftp-max-command-length.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-max-command-length.zeek
@ -0,0 +1,12 @@
+# @TEST-DOC: Artificially generated pcap with FTP commands of length > 100. Verify generation of the involved logs.
+#
+# @TEST-EXEC: zeek -b -r $TRACES/ftp/fake-long-commands.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ftp.log
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: test ! -f reporter.log
+
+@load base/protocols/conn
+@load base/protocols/ftp
+
+redef FTP::logged_commands += { "USER", "SYST" };