Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !

From: Crist Clark (crist.clarkat_private)
Date: Thu Apr 12 2001 - 15:26:42 PDT


    Johnny Cyberpunk wrote:
    >
    > Hi,
    >
    > I've tested this globbing vulnerability on two different SPARC Solaris
    > machines, one with 5.6 and one with 5.7.
    
    I think the subject line, 'Globbing Exploit,' is a bit premature.
    You have demonstrated a _potential_ vulnerability. I verified the
    behavior. I have also verified the stock Solaris 8 in.ftpd
    behaves in the same manner. All of the testing below was done with
    a Solaris 8 system.
    
    > I've started Netcat from a Win2K box to port 21.
    >
    > C:\>nc 10.64.224.3 21
    > 220 gsmms0 FTP server (SunOS 5.6) ready.
    > cwd ~
    > 530 Please login with USER and PASS.
    >
    > C:\>
    
    [snip]
    
    > As you see, a segment fault has happened. After that I've typed in the bt
    > command to get more info about the segment fault. At offset 0xff1b6dd0 the
    > strcpy() command failed and produced the segment fault.
    >
    > This Problem could allow an attacker to execute code on the stack and gain
    > access to the system.
    >
    > Another nice effect is the following :
    >
    > C:\>nc 10.64.224.3 21
    > 220 gsmms0 FTP server (SunOS 5.6) ready.
    > cwd ~netadm
    > 530 Please login with USER and PASS.
    > cwd ~xyz
    > 530 Please login with USER and PASS.
    > 550 Unknown user name after ~
    >
    > As you see, cwd ~netadm just produces a normal 530 message, coz this user
    > exists on the system. The user xyz doesn't exist and prints out a 550
    > Unknown user name after ~
    >
    > This could be used to brute force existing users on the remote system.
    >
    > I saw the same effects on a SPARC Solaris 5.7 box.
    >
    > When I have some more time available I'll write a proof of concept code to
    > exploit this vulnerability, that executes a /bin/sh on the stack.
    
    I expect weird things from FTP, but this does not seem right. But I am
    curious how you plan to inject code if the only way to get the seg. fault
    is to enter a bare '~'? Kinda limits what you can get on the stack, no?
    
    As for brute forcing usernames, I just wanted to point out that if you really
    dial up the ftp logging, you would catch the attempts:
    
      Apr 12 15:20:49 buttercup inetd[173]: [ID 317013 daemon.notice] ftp[5075] from 172.aaa.bbb.26 1769
      Apr 12 15:20:49 buttercup in.ftpd[5075]: [ID 373804 daemon.info] connection from sec-tools.globalstar.com at Thu Apr 12 15:20:49 2001
      Apr 12 15:20:49 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 220
      Apr 12 15:20:49 buttercup in.ftpd[5075]: [ID 738965 daemon.debug] buttercup FTP server (Authorized Use Only) ready.
      Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~brute
      Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
      Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
      Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
      Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
      Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~force
      Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
      Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
      Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
      Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
      Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~names
      Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
      Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
      Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
      Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
      Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~root
      Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
      Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
      Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: QUIT
      Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 221
      Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 811691 daemon.debug] Goodbye.
    
    However, without the '-d' option given to in.ftpd, all you get is the
    inetd message and the in.ftpd connection message. Most people would never
    see anything.
    --
    Crist J. Clark                                Network Security Engineer
    crist.clarkat_private                    Globalstar, L.P.
    (408) 933-4387                                FAX: (408) 933-4926
    
    The information contained in this e-mail message is confidential,
    intended only for the use of the individual or entity named above.  If
    the reader of this e-mail is not the intended recipient, or the employee
    or agent responsible to deliver it to the intended recipient, you are
    hereby notified that any review, dissemination, distribution or copying
    of this communication is strictly prohibited.  If you have received this
    e-mail in error, please contact postmasterat_private
    
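As an added illustration of the logging point above (this is not code from the original post, nor part of Sun's in.ftpd): a small Python detector run over the debug lines in.ftpd emits when started with -d. It flags sessions that issue several `cwd ~name` commands before any 230 login reply and classifies each probed name by whether the 530 was followed by a 550; the pid 6001 session in the sample is constructed as a normal-login negative case, and the threshold is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Lines taken from the log excerpt in the post above (in.ftpd -d); pid 6001 is a
# constructed, normal login session added so the detector has a negative case.
SAMPLE_LOG = """\
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~brute
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~names
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~root
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: QUIT
Apr 12 15:25:03 buttercup in.ftpd[6001]: [ID 577562 daemon.debug] command: PASS XXXX
Apr 12 15:25:03 buttercup in.ftpd[6001]: [ID 988435 daemon.debug] <--- 230
Apr 12 15:25:09 buttercup in.ftpd[6001]: [ID 577562 daemon.debug] command: cwd ~ftp
Apr 12 15:25:09 buttercup in.ftpd[6001]: [ID 988435 daemon.debug] <--- 250
"""

# syslog prefix, "in.ftpd[pid]:", the Solaris "[ID nnn facility.level]" tag, message
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ in\.ftpd\[(\d+)\]: \[ID \d+ \S+\] (.*)$")
CWD_TILDE_RE = re.compile(r"^cwd ~(\S*)", re.IGNORECASE)


def enumeration_sessions(lines, threshold=2):
    """Map pid -> {probed name: 'exists'|'unknown'} for sessions that issued at
    least `threshold` 'cwd ~name' commands before any successful login (230)."""
    logged_in = defaultdict(bool)
    probes = defaultdict(dict)       # pid -> name -> status
    pending = {}                     # pid -> name whose 530 may be followed by a 550
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # inetd / connection lines carry no command
        pid, msg = m.groups()
        if msg.startswith("command: "):
            pending.pop(pid, None)   # a new command ends the previous reply sequence
            cwd = CWD_TILDE_RE.match(msg[len("command: "):])
            if cwd and not logged_in[pid]:
                name = cwd.group(1)
                probes[pid][name] = "exists"   # only a later 550 says otherwise
                pending[pid] = name
        elif msg == "<--- 230":
            logged_in[pid] = True
        elif msg == "<--- 550" and pid in pending:
            probes[pid][pending.pop(pid)] = "unknown"
    return {pid: p for pid, p in probes.items() if len(p) >= threshold}
```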
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 00:11:34 PDT