EFTP Version 2.0.7.337 vulnerabilities

From: ByteRage (byterageat_private)
Date: Wed Sep 12 2001 - 04:36:22 PDT


    EFTP Version 2.0.7.337 vulnerabilities
    
    According to their site @ www.eftp.org
    
    "EFTP is a 32bit combined Client/Server application,
    basically 2 programs in one. EFTP incorporates the
    448bit Blowfish Encryption Algorithm and the FTP
    protocol (RFC 959 implementation) to provide secure
    file transfers over TCP/IP based networks (The
    Internet) providing strong encryption when the remote
    and local hosts both use EFTP."
    
    EFTP runs under Win9x/NT/2000/ME/XP.
    
    The program has some bugs, and some of them
    might lead to a full system compromise. I will try to
    put an up-to-date version of this advisory online @
    www.byterage.cjb.net
    
    1) Revelation of drive contents & netbios password
    hash retrieval via the LIST command
    
    Example session (using the sample account):
    
    USER SampleUser
    PASS NothingSpectacular
    LS ../*
    LS c:/*
    LS /c:/*.bat
    LS a:/
    ...
    
    This way we can browse through all resources available
    to the machine.
    
    We can also use UNC (universal naming convention)
    pathnames (\\), meaning that we can force the FTP
    Server to make an outbound Netbios connection to the
    internet and sniff the credentials. Since the captured
    credentials could then be decrypted using tools like
    L0phtcrack, this could lead to a full system
    compromise. This type of attack - and the solution -
    has already been discussed by Rob Beck of @stake, Inc.
    for G6 FTP Server at
    http://www.atstake.com/research/advisories/2001/a040301-1.txt.
    
    2) Revelation of drive contents via the SIZE and MDTM
    commands
    
    Example session:
    
    QUOTE SIZE ../autoexec.bat
    213 900
    QUOTE MDTM ../autoexec.bat
    213 20010901063342.000
    
    So both SIZE and MDTM tell us that ../autoexec.bat
    exists, in contrast to:
    
    QUOTE SIZE ../notthere
    550 Command failed: File not found.
    QUOTE MDTM ../notthere
    550 'c:\restricted\..\notthere':no such file or
    directory
    
    What's that? With the last command we can also obtain
    the name of our home directory!
    Indeed, but the home directory is also available
    through a PWD command or a GET of a nonexistent file,
    as the makers don't seem to consider it a problem that
    users know their absolute home directory.
    
    We can make use of the file lengths the SIZE command
    gives us to determine the exact Windows OS version and
    associated DLL versions, which might come in handy in
    further (buffer overflow) attacks.
    
    Since we can also use wildcards, we can 'bruteforce'
    the filenames to map out the drive contents via SIZE
    or MDTM commands. This type of attack has proven to
    work on other FTP server software as well (GuildFTPd
    <= v0.992); the proof of concept code (ftpsizemap.pl)
    is attached to this mail.
    
    3) Remotely exploitable buffer overflow / Denial of
    Service attacks
    
    Users with upload permissions can upload a *.lnk file
    which contains :
    
    ("A" x 1744) . "CCCC"
    
    Issuing an LS command will then cause the EIP to be
    changed to 043434343h ("CCCC"); exploit code
    (ex_eftp.c) which spawns a bindshell is attached to
    this mail.
    
    This buffer overflow could also lead to a DoS
    attack...
    
    Another Denial of Service can be caused by repeatedly
    sending the command CWD A:, which queries the A:
    drive. (but this could already be done via an LS A:\)
    
    Another way to do a DoS could be sending a GET AUX.,
    which crashes Win98 machines.
    A GET /CON/CON is not filtered either ==> crash on
    unpatched Win9x.
    And a PUT C:\PHEARME.TXT PRN.F00 makes nice printouts
    on the remote machine ;) (if the printer is on; if
    it's not on, the computer freezes until the printer is
    turned on)
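Findings 1, 2 and the device-name crashes in 3 share one root cause: the server hands client-supplied path arguments (LIST, SIZE, MDTM, GET, PUT) to the filesystem unchecked, so `..`, drive letters, UNC prefixes and reserved device names all reach the OS. The following Python is an added illustration of the server-side check that closes them, not code from this advisory or from EFTP; the home directory `c:\restricted` is taken from the advisory's MDTM error message, while the function names, the rejection rules and the sample request list are this example's own assumptions. It generalizes the page's AUX/CON/PRN cases to the full set of reserved DOS device names.

```python
import posixpath
import re

# Reserved Windows device names. "PRN.F00" or "AUX." still refer to the
# device, so the check looks at the component up to its first dot.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL", "CLOCK$"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}
DRIVE_RE = re.compile(r"^[A-Za-z]:")


class PathRejected(ValueError):
    """Raised when a client-supplied path must not be served."""


def confine_path(home: str, requested: str) -> str:
    """Map a client path onto a path inside *home* or raise PathRejected.

    home:      the account's root directory (Windows syntax)
    requested: the raw argument of LIST/SIZE/MDTM/RETR/STOR
    Every client path is treated as relative to *home*; the returned
    value is the only path the server should hand to the filesystem.
    """
    p = requested.replace("\\", "/")
    if p.startswith("//"):
        # UNC path: would make the server open an outbound SMB/NetBIOS
        # connection and leak its credentials (finding 1).
        raise PathRejected("UNC path rejected")
    if DRIVE_RE.match(p) or DRIVE_RE.match(p.lstrip("/")):
        # c:/*, /c:/*.bat, a:/ ... (findings 1 and 3)
        raise PathRejected("drive-letter path rejected")
    p = p.lstrip("/")
    norm = posixpath.normpath(p) if p else "."
    if norm == ".." or norm.startswith("../"):
        # ../autoexec.bat, ../notthere ... (findings 1 and 2)
        raise PathRejected("traversal outside home rejected")
    for comp in norm.split("/"):
        if comp.split(".")[0].upper() in RESERVED_DEVICE_NAMES:
            # AUX., /CON/CON, PRN.F00 ... (finding 3)
            raise PathRejected(f"reserved device name {comp!r} rejected")
    base = home.rstrip("\\/")
    if norm == ".":
        return base
    return base + "\\" + norm.replace("/", "\\")


def is_allowed(home: str, requested: str) -> bool:
    """True if *requested* resolves inside *home*, False if it is rejected."""
    try:
        confine_path(home, requested)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    HOME = r"c:\restricted"  # from the advisory's MDTM error message
    # Constructed sample: the advisory's requests plus a few legitimate ones.
    SAMPLE_REQUESTS = [
        "../*", "c:/*", "/c:/*.bat", "a:/", r"\\host\share\file",
        "../autoexec.bat", "AUX.", "/CON/CON", "PRN.F00",
        "pub/readme.txt", "pub/../readme.txt", "",
    ]
    for req in SAMPLE_REQUESTS:
        try:
            print(f"{req!r:28} -> {confine_path(HOME, req)}")
        except PathRejected as exc:
            print(f"{req!r:28} -> REJECTED ({exc})")
```

Normalization happens before the traversal test on purpose: `pub/../readme.txt` is a harmless request and is accepted, while anything whose normalized form still begins with `..` is refused regardless of how many separators or backslashes it was written with.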
    
    4) Plaintext password storage
    
    The passwords are stored without encryption in the
    \Program Files\eftp2\eftp2users.dat file. The risk is
    obvious when combined with enough privileges to
    remotely spawn a bindshell using the remote *.lnk
    buffer overflow I demonstrated earlier.
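The plaintext eftp2users.dat finding calls for the usual mitigation: keep only a salted, iterated password hash per account and compare it in constant time, so that reading the file (for example through the bindshell described above) does not hand out reusable credentials. The following Python is an added example, not EFTP's code or its file format; the record layout, the function names and the constructed user file are this example's own assumptions, and only the SampleUser account and its password are taken from the advisory.

```python
import hashlib
import hmac
import os

# Record layout assumed by this example: algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt=None, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record; a fresh random salt is drawn unless given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:  # malformed or truncated record
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: no early exit on the first differing byte.
    return hmac.compare_digest(actual, expected)


def parse_user_records(text: str) -> dict:
    """Parse 'username:record' lines into {username: record}; blank lines and # comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, record = line.partition(":")
        users[name] = record
    return users


def authenticate(users: dict, username: str, password: str) -> bool:
    """Return True only for a known user with a matching password."""
    record = users.get(username)
    return record is not None and verify_password(password, record)


def build_sample_users_file(iterations: int = DEFAULT_ITERATIONS) -> str:
    """Constructed sample user file holding the advisory's sample account."""
    return (
        "# username:record  (constructed example, not eftp2users.dat)\n"
        f"SampleUser:{hash_password('NothingSpectacular', iterations=iterations)}\n"
    )


if __name__ == "__main__":
    users = parse_user_records(build_sample_users_file())
    print(users)
    print("correct password:", authenticate(users, "SampleUser", "NothingSpectacular"))
    print("wrong password:  ", authenticate(users, "SampleUser", "guess"))
    print("unknown user:    ", authenticate(users, "nobody", "NothingSpectacular"))
```

Storing the iteration count inside each record lets the cost be raised later without a format change: a record written at an older setting still verifies, and can be rewritten at the new setting the next time its owner logs in successfully.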
    
    VENDOR STATUS
    
    I have notified the programmers; they responded that
    they will release an update that fixes these bugs as
    soon as possible.
    
    GREETS & THANKS
    
    all the #securax people, incubus, Zoa Chien, sentinel,
    woody, AreS, r00t-dude, eXploitek, phr0zen, nsanity,
    ... the party animals :) Wouter H., Maarten V.H.,
    Kristof D.(x2), Bart D.B., Cindy V.
    
    ==================================================
    [ByteRage] byterageat_private www.byterage.cjb.net
    ==================================================
    
    This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 10:50:55 PDT