Johnny Cyberpunk wrote:
>
> Hi,
>
> I've tested this globbing vulnerability on two different SPARC Solaris
> machines. One with 5.6 and one with 5.7.

I think the subject line, 'Globbing Exploit,' is a bit premature. You have
demonstrated a _potential_ vulnerability. I verified the behavior. I have
also verified the stock Solaris 8 in.ftpd behaves in the same manner. All
of the testing below was done with a Solaris 8 system.

> I've started Netcat from a Win2K box to port 21.
>
> C:\>nc 10.64.224.3 21
> 220 gsmms0 FTP server (SunOS 5.6) ready.
> cwd ~
> 530 Please login with USER and PASS.
>
> C:\>

[snip]

> As you see, a segmentation fault has happened. After that I typed in the
> bt command to get more info about the segmentation fault. At offset
> 0xff1b6dd0 the strcpy() call failed and produced the segmentation fault.
>
> This problem could allow an attacker to execute code on the stack and
> gain access to the system.
>
> Another nice effect is the following:
>
> C:\>nc 10.64.224.3 21
> 220 gsmms0 FTP server (SunOS 5.6) ready.
> cwd ~netadm
> 530 Please login with USER and PASS.
> cwd ~xyz
> 530 Please login with USER and PASS.
> 550 Unknown user name after ~
>
> As you see, cwd ~netadm just produces a normal 530 message, because this
> user exists on the system. The user xyz doesn't exist and prints out a
> 550 Unknown user name after ~
>
> This could be used to brute force existing users on the remote system.
>
> I saw the same effects on a SPARC Solaris 5.7 box.
>
> When I have some more time available I'll write a proof of concept code
> to exploit this vulnerability, that executes a /bin/sh on the stack.

I expect weird things from FTP, but this does not seem right. But I am
curious how you plan to inject code if the only way to get the seg. fault
is to enter a bare '~'? Kinda limits what you can get on the stack, no?
As for brute forcing usernames, I just wanted to point out if you really
dial-up the ftp logging, you would catch attempts,

Apr 12 15:20:49 buttercup inetd[173]: [ID 317013 daemon.notice] ftp[5075] from 172.aaa.bbb.26 1769
Apr 12 15:20:49 buttercup in.ftpd[5075]: [ID 373804 daemon.info] connection from sec-tools.globalstar.com at Thu Apr 12 15:20:49 2001
Apr 12 15:20:49 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 220
Apr 12 15:20:49 buttercup in.ftpd[5075]: [ID 738965 daemon.debug] buttercup FTP server (Authorized Use Only) ready.
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~brute
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~force
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~names
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~root
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: QUIT
Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 221
Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 811691 daemon.debug] Goodbye.

However, without the '-d' option given to in.ftpd, all you get is the inetd
message and the in.ftpd connection message. Most people would never see
anything.

--
Crist J. Clark                                Network Security Engineer
crist.clarkat_private                           Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
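An added example, not part of the original message: a small detector for the pre-login "cwd ~user" probing the reply above describes, run over in.ftpd debug-log lines in the same syslog format. It groups lines by in.ftpd pid, pairs each probe with a following "Unknown user name after ~" response, and flags sessions that send several probes. The log sample is constructed to match the format shown, with a made-up hostname; it only works where in.ftpd was started with -d, as the reply notes.

```python
import re

# Solaris in.ftpd syslog line when debug (-d) logging is on, e.g.
# "Apr 12 15:21:04 host in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~brute"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ in\.ftpd\[(?P<pid>\d+)\]: "
    r"\[ID \d+ \S+\] (?P<msg>.*)$"
)

# Constructed sample in the format shown in the post (hostname is made up).
SAMPLE_LOG = """\
Apr 12 15:21:04 host in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~brute
Apr 12 15:21:04 host in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:04 host in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:04 host in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
Apr 12 15:21:12 host in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~force
Apr 12 15:21:12 host in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:12 host in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:12 host in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
Apr 12 15:21:22 host in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~root
Apr 12 15:21:22 host in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:30 host in.ftpd[5075]: [ID 577562 daemon.debug] command: QUIT
"""


def tilde_probes(log_text):
    """Per in.ftpd pid: the 'cwd ~name' probes sent, which names the server
    reported unknown (550), and which it implicitly confirmed (530 only)."""
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # inetd lines and other daemons are ignored
        pid, msg = m.group("pid"), m.group("msg")
        s = state.setdefault(pid, {"probed": [], "unknown": [], "existing": []})
        if msg.startswith("command: cwd ~"):
            s["probed"].append(msg[len("command: cwd ~"):])
        elif msg == "Unknown user name after ~" and s["probed"]:
            s["unknown"].append(s["probed"][-1])  # answer to the latest probe
    for s in state.values():
        s["existing"] = [u for u in s["probed"] if u not in s["unknown"]]
    return state


def flag_enumeration(log_text, threshold=3):
    """Pids that sent at least `threshold` pre-login '~name' probes."""
    return [pid for pid, s in tilde_probes(log_text).items()
            if len(s["probed"]) >= threshold]
```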
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 00:11:34 PDT