lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5ed07f7a05030708092d774ef8@mail.gmail.com>
Date: Tue, 8 Mar 2005 00:09:24 +0800
From: Sowhat <isowhat@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Gene6 FTP Server Local Privilege Escalation Vulnerability


Gene6 FTP Server Local Privilege Escalation Vulnerability 


By Sowhat
03.Mar.2005
http://secway.org/Advisory/ad20050303.txt


Product:
Gene6 FTP Server

Vendor:
Gene6 Sarl Inc.


(1) Introduction

Gene6 FTP Server is a popular FTP Server for Microsoft Windows platforms.
For more information: www.G6FtpServer.com


(2) Details

Local exploitation of a design error vulnerability in Gene6 FTP Server could 

allow the attacker to gain elevated Priveleges,usually the SYSTEM.

The problem is that ,After a default installation,a local
non-privleged user can

Modify the settings of the Gene6 FTP Server,such as adding a new "SITE 

COMMAND",And because the Gene6 FTP Server run under the SYSTEM ,so
it's easy to elevate the privelege.

Exploit:
1.Logon as a unprivileged user

2.Open the Gene6 FTP Server control console.Add a FTP user account,for 

example,"test"

3.Add a new "SITE" COMMAND for the FTP server,to do this ,you need to map a 

executable files to a new SITE COMMAND.see step 4 and 5

4.Simply write a .bat file named ABC.bat
---cut here -------------------------
net user abc /add
net localgroup administrators abc /add
---cut here  -------------------------

5.Map this ABC.bat to a new SITE command ,for example ,"ABC"

6.ok,now it's the time to GOT the SYSTEM privelege.
Use the "test" user logon to the FTP server,and execute the following command:
ftp>quote site abc
OK.the ABC.bat was executed as SYSTEM,you got it !

Of course ,you can Map any executable files as you want :)

(3) Impact

Exploitation allows local users to obtain Local System privileges, 
thereby providing them with complete control of the affected system.


(4) Vendor Reply

Reply from the support@...tpServer.com
"there are already options in the software to disallow this if running in 

multiple users environment which you should also report as solution. It is true 

that it may not be obvious though"

They said that in fact there is an option to set up an FTP
administrator account

,and also need some other steps. "It is true that it may not be obvious though"


Powered by blists - more mailing lists