OPIE Off-by-one Stack Buffer Overflow (June 3, 2010)

“One-time Passwords In Everything” (OPIE) is a mature login and password package for Unix-like systems, installed on both the server and the client, which makes untrusted networks safer against password-sniffing packet-analysis software. It works by defeating replay attacks (reuse of a captured password at a later time), because the same password is never used twice once OPIE is installed. OPIE is shipped with DragonFly BSD, FreeBSD and OpenSUSE. The OPIE package is sometimes used by FTP servers to provide security for an FTP session.

File Transfer Protocol (FTP) is a standard network protocol used to copy a file from one host to another over a TCP/IP-based network. The protocol is defined in RFC 959. A successful FTP transfer includes a control connection and a data connection. All commands and responses exchanged between the server and the client are carried on the control connection. A typical control-connection exchange is shown below:

    Response:	220-FileZilla Server version 0.9.29 beta
    Response:	220-written by Tim Kosse (Tim.Kosse@gmx.de)
    Response:	220 Please visit http://sourceforge.net/projects/filezilla/
    Command:	USER user
    Response:	331 Password required for user
    Command:	PASS *********
    Response:	230 Logged on

One of the commands included in the FTP protocol is the USER command. This command begins the login process, as shown in the example above. When an FTP server uses the OPIE package, it passes the value of the username field to the package for processing.

A buffer-overflow vulnerability exists in OPIE. The vulnerability is due to an off-by-one error in the username-handling function while processing the value of the username field of the USER command. Specifically, the vulnerable code truncates the username field to a string of at most 32 bytes, copies it to a fixed 32-byte buffer, and then appends a null character at the end of the string, which may overwrite the immediately following data by one byte. Successful exploitation of this vulnerability could result in execution of arbitrary code with root privileges.
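The truncate-copy-terminate pattern described above, next to a hardened form, as a C example added here for illustration; it is not OPIE's source code. Only the 32-byte buffer size comes from the text; the function names, the 0xAA marker and the 33-byte test region are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32  /* buffer size stated in the advisory */

/* Flawed pattern: truncates to 32 bytes, then terminates at buf[len]. */
static void copy_name_off_by_one(char *buf, const char *user)
{
    size_t len = strlen(user);
    if (len > NAME_BUF) len = NAME_BUF;  /* bug: no room left for the terminator */
    memcpy(buf, user, len);
    buf[len] = '\0';                     /* len == 32 writes buf[32], one past the end */
}

/* Hardened form: reserve one byte for the terminator and report truncation. */
static int copy_name_fixed(char *buf, size_t bufsz, const char *user)
{
    size_t len = strlen(user);
    if (bufsz == 0) return -1;
    int truncated = len >= bufsz;
    if (truncated) len = bufsz - 1;
    memcpy(buf, user, len);
    buf[len] = '\0';
    return truncated;
}

/* Constructed harness: region[0..31] stands in for the 32-byte buffer and
   region[32] for the byte that follows it, so the stray write stays inside
   memory this function owns. Returns that adjacent byte after the copy. */
unsigned char adjacent_after(int use_fixed, size_t user_len)
{
    unsigned char region[NAME_BUF + 1];
    char user[64];                       /* constructed username of 'A' bytes */
    if (user_len >= sizeof user) user_len = sizeof user - 1;
    memset(user, 'A', user_len);
    user[user_len] = '\0';
    memset(region, 0xAA, sizeof region); /* 0xAA marks untouched bytes */
    if (use_fixed)
        copy_name_fixed((char *)region, NAME_BUF, user);
    else
        copy_name_off_by_one((char *)region, user);
    return region[NAME_BUF];
}

int main(void)
{
    for (size_t n = 31; n <= 33; n++)
        printf("len=%zu flawed=0x%02X fixed=0x%02X\n", n,
               adjacent_after(0, n), adjacent_after(1, n));
    return 0;
}
```

A 31-byte name leaves the adjacent byte intact in both versions; from 32 bytes upward only the flawed copy zeroes it.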

The SonicWALL UTM team has researched this vulnerability and covers the exploits with the following IPS signatures:

  • 30 USER Command BO Attempt
  • 4598 Generic Server Application Buffer Overflow Exploit 3

This vulnerability is tracked by CVE as CVE-2010-1938.
