[20189] in bugtraq
Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !
daemon@ATHENA.MIT.EDU (Crist Clark)
Fri Apr 13 02:56:39 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3AD62BA2.888966F4@globalstar.com>
Date: Thu, 12 Apr 2001 15:26:42 -0700
Reply-To: Crist Clark <crist.clark@GLOBALSTAR.COM>
From: Crist Clark <crist.clark@GLOBALSTAR.COM>
X-To: Johnny Cyberpunk <johncybpk@GMX.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Johnny Cyberpunk wrote:
>
> Hi,
>
> I've tested this globbing vulnerability on two different SPARC Solaris
> machines.
> One with 5.6 and one with 5.7.
I think the subject line, 'Globbing Exploit,' is a bit premature.
You have demonstrated a _potential_ vulnerability. I verified the
behavior. I have also verified the stock Solaris 8 in.ftpd
behaves in the same manner. All of the testing below was done with
a Solaris 8 system.
> I've started Netcat from a Win2K box to port 21.
>
> C:\>nc 10.64.224.3 21
> 220 gsmms0 FTP server (SunOS 5.6) ready.
> cwd ~
> 530 Please login with USER and PASS.
>
> C:\>
[snip]
> As you see, a segmentation fault has happened. After that I've typed in the bt
> command
> to get more info about the segmentation fault. In offset 0xff1b6dd0 the
> strcpy() command failed and produced the segmentation fault.
>
> This Problem could allow an attacker to execute code on the stack and gain
> access to the system.
>
> Another nice effect is the following :
>
> C:\>nc 10.64.224.3 21
> 220 gsmms0 FTP server (SunOS 5.6) ready.
> cwd ~netadm
> 530 Please login with USER and PASS.
> cwd ~xyz
> 530 Please login with USER and PASS.
> 550 Unknown user name after ~
>
> As you see, cwd ~netadm just produces a normal 530 message, because this user
> exists on the system. The user xyz doesn't exist and prints out a 550
> Unknown user name after ~
>
> This could be used to brute force existing users on the remote system.
>
> I saw the same effects on a SPARC Solaris 5.7 box.
>
> When I have some more time available I'll write a proof of concept code to
> exploit this vulnerability, that executes a /bin/sh on the stack.
I expect weird things from FTP, but this does not seem right. But I am
curious how you plan to inject code if the only way to get the seg. fault
is to enter a bare '~'? Kinda limits what you can get on the stack, no?
As for brute forcing usernames, I just wanted to point out if you really
dial-up the ftp logging, you would catch attempts,
Apr 12 15:20:49 buttercup inetd[173]: [ID 317013 daemon.notice] ftp[5075] from 172.aaa.bbb.26 1769
Apr 12 15:20:49 buttercup in.ftpd[5075]: [ID 373804 daemon.info] connection from sec-tools.globalstar.com at Thu Apr 12 15:20:49 2001
Apr 12 15:20:49 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 220
Apr 12 15:20:49 buttercup in.ftpd[5075]: [ID 738965 daemon.debug] buttercup FTP server (Authorized Use Only) ready.
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~brute
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~force
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~names
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:17 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~root
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: QUIT
Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 221
Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 811691 daemon.debug] Goodbye.
However, without the '-d' option given to in.ftpd, all you get is the
inetd message and the in.ftpd connection message. Most people would never
see anything.
--
Crist J. Clark Network Security Engineer
crist.clark@globalstar.com Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926
The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited. If you have received this
e-mail in error, please contact postmaster@globalstar.com
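The debug excerpt above is enough to build a small detector for the username enumeration Crist describes. The following is an added example and not code from either poster: it reads `in.ftpd -d` style syslog lines, reconstructs each session's command/reply stream, records every `cwd ~name` sent before a successful login, and classifies the name by the server's reply (a following 550 "Unknown user name after ~" means the account does not exist; a bare 530 means it does). The first session is the log from the post; the second session (pid 5099), the `PROBE_THRESHOLD` value and the use of a 230 reply to mark login are assumptions for the example.

```python
"""Flag pre-login ``cwd ~user`` probing in Solaris in.ftpd debug logs.

Added example, not from the original bugtraq post. Parses ``in.ftpd -d``
syslog lines, tracks each pid's command/reply stream and classifies every
``cwd ~name`` issued before login by the reply that follows it.
"""
import re
from collections import OrderedDict

# Assumption: three home-directory probes before any login is already odd.
PROBE_THRESHOLD = 3

# Constructed sample: the session quoted in the post (pid 5075, trimmed) plus
# an assumed benign session (pid 5099) that logs in before using ``~``.
SAMPLE_LOG = """\
Apr 12 15:20:49 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 220
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~brute
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:04 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~force
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 550
Apr 12 15:21:12 buttercup in.ftpd[5075]: [ID 256206 daemon.debug] Unknown user name after ~
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: cwd ~root
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 530
Apr 12 15:21:22 buttercup in.ftpd[5075]: [ID 733789 daemon.debug] Please login with USER and PASS.
Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 577562 daemon.debug] command: QUIT
Apr 12 15:21:30 buttercup in.ftpd[5075]: [ID 988435 daemon.debug] <--- 221
Apr 12 15:40:01 buttercup in.ftpd[5099]: [ID 988435 daemon.debug] <--- 220
Apr 12 15:40:05 buttercup in.ftpd[5099]: [ID 577562 daemon.debug] command: USER alice
Apr 12 15:40:05 buttercup in.ftpd[5099]: [ID 988435 daemon.debug] <--- 331
Apr 12 15:40:09 buttercup in.ftpd[5099]: [ID 577562 daemon.debug] command: PASS XXXX
Apr 12 15:40:09 buttercup in.ftpd[5099]: [ID 988435 daemon.debug] <--- 230
Apr 12 15:40:15 buttercup in.ftpd[5099]: [ID 577562 daemon.debug] command: cwd ~bob
Apr 12 15:40:15 buttercup in.ftpd[5099]: [ID 988435 daemon.debug] <--- 250
"""

# syslog prefix, daemon name and pid, then the Solaris message-ID tag
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ in\.ftpd\[(?P<pid>\d+)\]: "
    r"\[ID \d+ \S+\] (?P<msg>.*)$"
)
CMD_RE = re.compile(r"^command: (?P<cmd>.*)$")
REPLY_RE = re.compile(r"^<--- (?P<code>\d{3})$")
TILDE_RE = re.compile(r"^cwd\s+~(?P<user>[^/\s]*)", re.IGNORECASE)


def analyze(log_text, threshold=PROBE_THRESHOLD):
    """Return {pid: {"existing": [...], "nonexistent": [...], "alert": bool}}."""
    sessions = OrderedDict()

    def close(s):
        # The reply window for a probe ends at the next command.
        if s["pending"] is not None:
            s["probes"].append(s["pending"])
            s["pending"] = None

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # inetd lines, other daemons, anything else
        s = sessions.setdefault(
            m.group("pid"), {"logged_in": False, "pending": None, "probes": []})
        msg = m.group("msg")
        c = CMD_RE.match(msg)
        if c:
            close(s)
            t = TILDE_RE.match(c.group("cmd"))
            if t and not s["logged_in"]:
                s["pending"] = {"user": t.group("user"), "unknown": False}
            continue
        r = REPLY_RE.match(msg)
        if r:
            code = r.group("code")
            if code == "230":               # assumption: 230 marks a login
                s["logged_in"] = True
            elif code == "550" and s["pending"] is not None:
                s["pending"]["unknown"] = True  # "Unknown user name after ~"

    report = OrderedDict()
    for pid, s in sessions.items():
        close(s)
        report[pid] = {
            "existing": [p["user"] for p in s["probes"] if not p["unknown"]],
            "nonexistent": [p["user"] for p in s["probes"] if p["unknown"]],
            "alert": len(s["probes"]) >= threshold,
        }
    return report


if __name__ == "__main__":
    for pid, r in analyze(SAMPLE_LOG).items():
        flag = "ALERT" if r["alert"] else "ok"
        print(f"pid {pid}: {flag} existing={r['existing']} "
              f"nonexistent={r['nonexistent']}")
```

The classification mirrors what the post shows: a probe answered only by 530 names a real account, a probe answered by 530 and then 550 does not. As Crist notes, none of this is visible unless in.ftpd is run with `-d`, so the detector has nothing to work with on a default configuration.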