Another SQL injection in ProFTPd with mod_mysql

2009.02.11
Credit: gat3way
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hello, Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like: USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- and a password of "1" (without quotes). which leads to a successful login. Different account logins can be made successful using the limit clase (e.g appending "LIMIT 5,1" will make you login with as the 5th account in the users table). As far as I can see in the mysql logs the query becomes: SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1 I think the problem lies in the handling of the "%" character (probably that's some way to sanitize input to avoid format string things?). Anyway, %' effectively makes the single quote unescaped and that eventually allows for an SQL injection during login.

References:

http://www.securityfocus.com/archive/1/archive/1/500852/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/500851/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/500833/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/500823/100/0/threaded
http://www.openwall.com/lists/oss-security/2009/02/11/5
http://www.openwall.com/lists/oss-security/2009/02/11/3
http://www.openwall.com/lists/oss-security/2009/02/11/1
http://bugs.proftpd.org/show_bug.cgi?id=3180


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top