FtpServer / FTPSERVER-486

Timing Side Channel StringUtils


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.1.1
    • 1.1.5
    • Core
    • Tested on macOS High Sierra 10.13.4, but not relevant
    • Important

    Description

      Dear Apache FTPServer developers,

      We have found a timing side-channel in class org.apache.ftpserver.util.StringUtils, method "public final static String pad(String src, char padChar, boolean rightPad, int totalLength)". This method leaks the necessary padding in a timing side channel, from which a potential attacker could obtain the length of the src String. In your project this method is used to add padding to a username, hence, a potential attacker could obtain the length of a given username, which might be used for further attacks.
      Do you agree with our findings?

      We found this class in the latest version of your git repo: https://git-wip-us.apache.org/repos/asf?p=mina-ftpserver.git;a=summary

      As a secure fix, we would recommend using a variant of the equals method, which iterates over the complete strings when the string lengths are the same, independent of whether they match or not:

      public final static String pad_safe(String src, char padChar, boolean rightPad, int totalLength) {
          int srcLength = src.length();
          // Nothing to pad when src already fills the field.
          if (srcLength >= totalLength) {
              return src;
          }

          int padLength = totalLength - srcLength;
          StringBuilder sb = new StringBuilder(padLength);
          // Always loop totalLength times, regardless of how much padding is needed.
          for (int i = 0; i < totalLength; ++i) {
              if (i < padLength) {
                  sb.append(padChar);
              } else {
                  sb.append(""); // appends nothing; keeps the iteration count fixed
              }
          }

          if (rightPad) {
              return src + sb.toString();
          } else {
              return sb.toString() + src;
          }
      }

      Do you agree with our patch proposal?

      Please feel free to contact us for further clarification! You can reach us by the following email address:
      yannic.noller@informatik.hu-berlin.de

      Best regards,
      Yannic Noller
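
A check a maintainer could run when reviewing the proposal, added here as an example and not part of the original report or the project's code: it counts loop iterations (a deterministic proxy for length-dependent work, not a wall-clock measurement) for pad_safe and for an assumed reconstruction of the reported pad(). The class name, the `steps` counter, `padReported` and the sample inputs are assumptions.

```java
import java.util.Set;
import java.util.TreeSet;

public class PadWorkCheck {
    static int steps; // loop iterations executed by the last call (instrumentation only)

    // Assumed shape of the reported pad(): one loop pass per missing character.
    static String padReported(String src, char padChar, boolean rightPad, int totalLength) {
        steps = 0;
        if (src.length() >= totalLength) {
            return src;
        }
        int padLength = totalLength - src.length();
        StringBuilder sb = new StringBuilder(padLength);
        for (int i = 0; i < padLength; ++i) {
            sb.append(padChar);
            steps++;
        }
        return rightPad ? src + sb.toString() : sb.toString() + src;
    }

    // pad_safe as proposed in the report, instrumented the same way.
    static String padSafe(String src, char padChar, boolean rightPad, int totalLength) {
        steps = 0;
        if (src.length() >= totalLength) {
            return src;
        }
        int padLength = totalLength - src.length();
        StringBuilder sb = new StringBuilder(padLength);
        for (int i = 0; i < totalLength; ++i) {
            if (i < padLength) { sb.append(padChar); } else { sb.append(""); }
            steps++;
        }
        return rightPad ? src + sb.toString() : sb.toString() + src;
    }

    public static void main(String[] args) {
        int totalLength = 8; // constructed field width
        Set<Integer> reported = new TreeSet<>();
        Set<Integer> safe = new TreeSet<>();
        for (int len = 0; len <= totalLength + 1; len++) {
            String src = "u".repeat(len); // constructed usernames (Java 11+)
            String a = padReported(src, ' ', true, totalLength);
            reported.add(steps);
            String b = padSafe(src, ' ', true, totalLength);
            safe.add(steps);
            if (!a.equals(b)) throw new AssertionError("outputs differ at length " + len);
        }
        System.out.println("reported pad loop counts: " + reported);
        System.out.println("pad_safe loop counts:     " + safe);
    }
}
```

With these constructed inputs the assumed original produces a different loop count for every source length, while pad_safe produces one count for all sources shorter than totalLength. The early return for sources at or above totalLength remains a separate path in both versions.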

          People

            elecharny Emmanuel Lécharny
            yannic.noller Yannic Noller
              Time Tracking

                Original Estimate: 24h
                Remaining Estimate: 24h
                Time Spent: Not Specified