nullftp-inject.txt

2008-12-05T00:00:00
ID PACKETSTORM:72655
Type packetstorm
Reporter Tan Chew Keong
Modified 2008-12-05T00:00:00

Description

                                        
                                            `vuln.sg Vulnerability Research Advisory  
  
NULL FTP Server SITE Parameters Command Injection Vulnerability  
  
by Tan Chew Keong  
Release Date: 2008-12-05  
  
Summary  
  
A vulnerability has been found in NULL FTP Server. When exploited, this  
vulnerability allows an authenticated user to execute arbitrary shell  
commands on the FTP server. In order to exploit this vulnerability, the  
FTP SITE commands must be enabled on the server and the SITE commands  
must be configured to accept parameters from the user.  
  
Tested Versions  
  
* NULL FTP Server Free/Pro Version 1.1.0.7  
  
  
Details  
  
A vulnerability has been found in NULL FTP Server. When exploited, this  
vulnerability allows an authenticated user to execute arbitrary shell  
commands on the FTP server. In order to exploit this vulnerability, the  
FTP SITE commands must be enabled on the server and the SITE commands  
must be configured to accept parameters from the user.  
  
NULL FTP Server allows customised SITE commands to be defined in the FTP  
server, for example, to allow the user to run Windows shell commands  
like attrib, dir, etc. It supports the passing of parameters to the SITE  
commands so that the user can pass commandline arguments to the  
corresponding shell commands.  
  
Parameters are defined using the %readfile1, %writefile1, %1, %2, %3,  
%4, %5, %6, %7, %8, and %9 placeholders when creating the SITE commands.  
For example, to allow the user to use dir, it is possible to define the  
NATIVEDIR SITE command as dir %readfile1. Upon logon to the NULL FTP  
Server, the user can issue SITE NATIVEDIR test.txt to run dir test.txt.  
  
NULL FTP Server performs some validation checks on the parameters passed  
by the user to prevent command injection. See screenshot below:  
  
However, this validation check is insufficent and thus, cannot totally  
prevent the user from injecting arbitrary Windows shell commands.  
Enclosing the placeholders in double-quotes do not fully resolve the  
issue. Please use the POC instructions below to verify the  
vulnerability.  
  
POC / Test Code  
  
Please follow the instructions below to confirm the vulnerability on a Windows system.  
  
Prerequisites  
  
Please configure NULL FTP Server as follows prior to testing:  
  
1. Create a test user on the NULL FTP Server.  
  
2. Ensure that this user is given Full Access (i.e. read and write) to the FTP directory. This is required since the %writefile1 parameter requires the user to have write access to the FTP directory.  
  
3. Configure NULL FTP Server to Enable SITE commands and click on Apply.  
  
4. Download and extract netcat from here. netcat (nc.exe) will be used to issue FTP commands directly to NULL FTP Server.  
  
  
  
Test Case 1  
  
1. Create the following SITE command in NULL FTP Server if it does not already exist.  
  
Command Name: NATIVEDIR  
Executable/batch file: dir %readfile1  
  
2. Using netcat, logon to the FTP server and issue the following SITE command.  
  
SITE NATIVEDIR "."\""&ping 127.0.0.1&  
  
OR  
  
SITE NATIVEDIR a&ipconfig  
  
3. The above SITE commands will inject the ping or the ipconfig command. See screenshot below.  
  
  
  
Test Case 2  
  
The purpose of this test case is to show that enclosing the %readfile1 placeholder in double-quotes will not solve the issue.  
  
1. Create the following SITE command in NULL FTP Server if it does not already exist.  
  
Command Name: NATIVEDIR  
Executable/batch file: dir "%readfile1"  
  
2. Using netcat, logon to the FTP server and issue the following SITE command. Do note that this exploit is slightly different from Test Case 1.  
  
SITE NATIVEDIR ".""\""&ping 127.0.0.1&  
  
3. The above SITE command will inject the ping command. See screenshot below.  
  
  
  
Test Case 3  
  
1. Create the following SITE command in NULL FTP Server if it does not already exist.  
  
Command Name: ATTRIB  
Executable/batch file: attrib %writefile1 %2 %3 %4 %5 %6 %7 %8 %9  
  
2. Using netcat, logon to the FTP server and issue the following SITE command.  
  
SITE ATTRIB a&& ping 127.0.0.1  
  
OR  
  
SITE ATTRIB a &ping 127.0.0.1  
  
OR  
  
SITE ATTRIB a| ping 127.0.0.1  
  
3. The above SITE command will inject the ping command. See screenshot below.  
  
  
  
Test Case 4  
  
1. Enclosing the placeholders in double-quotes will not solve the issue.  
  
Command Name: ATTRIB  
Executable/batch file: attrib "%writefile1" "%2" "%3" "%4" "%5" "%6" "%7" "%8" "%9"  
  
Test Exploit: SITE ATTRIB a" &ping 127.0.0.1&  
  
2. Again, enclosing the placeholders in double-quotes will not solve the issue.  
  
Command Name: ATTRIB  
Executable/batch file: attrib %writefile1 "%2" "%3" "%4" "%5" "%6" "%7" "%8" "%9"  
  
Test Exploit: SITE ATTRIB a &"ping 127.0.0.1&  
  
3. The above SITE commands will inject the ping command.  
  
  
  
  
Patch / Workaround  
  
Update to version 1.1.0.8. See vendor's release notes.  
  
Disclosure Timeline  
  
2008-11-25 - Vulnerability Discovered.  
2008-11-26 - Initial Notification Sent to Vendor (Support Ticket #20786).  
2008-11-26 - Initial Vendor Reply. Vulnerability details sent to vendor.  
2008-11-27 - Received vendor response that vulnerability has been fixed in version 1.1.0.8, and the fixed version has been released via online update.  
2008-12-05 - Public Release.  
  
Contact  
For further enquries, comments, suggestions or bug reports, simply email them to Tan Chew Keong.  
  
`