WFTPD 32-bit (X86) 3.00 R5 Directory Traversal / Buffer Overflow / DoS

From: ByteRage (byterageat_private)
Date: Thu May 24 2001 - 12:03:11 PDT

Previous message: Microsoft Security Response Center: "RE: Yahoo/Hotmail scripting vulnerability, worm propagation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

WFTPD 32-bit (X86) 3.00 R5 Directory Traversal /
Buffer Overflow / DoS

AFFECTED SYSTEMS

WFTPD 32-bit (X86) version 3.00 R5, probably others

DESCRIPTION

1) Directory Traversal
WFTPD v3.00 R5 is vulnerable to a directory traversal
bug that allows remote users to browse through any
directory on the victim's harddrive. This is possible
by sending the command :

CD .../

as much as needed to go up in the directory tree then
you can map out the current directory contents via

LS

and dive into the subdirs with CD, using GET to
retrieve the files of your liking  ;)

2) Buffer Overflow / DoS
WFTPD also contains a buffer overflow condition when
trying to map out a directory containing a very long
filename, combined with our path full of dots : an
internal buffer overflow will overwrite some registers
at about 250 chars. Users that have write access (to
their home dir for example, default permission) can
create a special 'overflow' file, and then map out the
directory using LS, effectively causing a DoS. The
buffer overflow may be exploitable and be used to gain
SYSTEM privileges to the remote host.

In brief, when we would want to exploit the bof we
would :

First have to find out what our homedir's name is on
the victim machine, because our buffer consists of
something like :

C:\OUR_HOMEDIR_BUT_WE_DONT_KNOW_THE_LENGTH\............\OUR_HOMEDIR_BUT_WE_DONT_KNOW_THE_LENGTH\FILE_WITH_LONG_FILENAME_WHICH_WE_HAVE_CREATED_THAT_MAKES_THE_OVERFLOW_HAPPEN

So, basically, we need to know the length of the home
directory to know where our EIP is at... Using the
traversal bug, listing out the directory contents, we
can figure this out. In practice it might be easier to
find this out but this is just a first idea...

Then we would login as the same user, create the file
with the long filename in our homedirectory, go to
root (\) using as much dots as needed to position our
new EIP, going back into our homedirectory and issuing
an LS command, causing the buffer overflow.

yours faithfully,
[ByteRage]

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/

Previous message: Microsoft Security Response Center: "RE: Yahoo/Hotmail scripting vulnerability, worm propagation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Jun 02 2001 - 19:55:53 PDT