From: SecuriTeam <>
To: [email protected]
Date: 9 Mar 2005 10:12:54 +0200
Subject: [NT] Local Privilege Escalation Vulnerability in Gene6 FTP Server
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site:
Local Privilege Escalation Vulnerability in Gene6 FTP Server
"Gene6 FTP Server is an advanced FTP server
software for Windows developed specifically for security and high
performance requirements. Its main assets are remote administration,
encrypted (SSL 128 bits) connection, and ease of use."
A local privilege escalation vulnerability allows local users to obtain
Local System privileges, giving them complete control of
the affected system.
Vulnerable Systems:
* Gene6 FTP Server version 3.4.0 and prior.
Local exploitation of a design error in Gene6 FTP Server
could allow an attacker to gain elevated privileges, usually
SYSTEM-level privileges.
After a default installation, a local non-privileged user can modify the
settings of the Gene6 FTP Server, such as adding a new "SITE COMMAND".
Gene6 FTP Server runs with SYSTEM privileges, making it easy to
1. Log on as an unprivileged user.
2. Open the Gene6 FTP Server control console. Add an FTP user account, for
3. Add a new SITE COMMAND for the FTP server. To do this, you need to map an
executable file to a new SITE COMMAND.
4. Write a .bat file named ABC.bat:
net user abc /add
net localgroup administrators abc /add
5. Map this ABC.bat to a new SITE command, for example, "ABC".
6. Now it is time to get SYSTEM privileges. Use the "test" user to
log in to the FTP server, and execute the following command:
ftp>quote site abc
ABC.bat is executed as Local SYSTEM.
Of course, any executable file can be mapped in the same way.
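A detection-side sketch of the chain above, added here as an example and not part of the original advisory: it flags a command shell started by the FTP service process and local account changes made by SYSTEM (SID S-1-5-18) shortly afterwards. The event records are constructed, their field names are a hypothetical normalized form of Windows Security events 4688, 4720 and 4732, and the service image name and file paths are placeholders.

```python
# Added example. Events are constructed; field names are a hypothetical
# normalized form of Windows Security events 4688, 4720 and 4732.
FTP_SERVICE_IMAGE = "ftp-service-placeholder.exe"  # assumption: set to the real service binary
SHELLS = {"cmd.exe", "net.exe", "net1.exe", "powershell.exe"}
ACCOUNT_EVENTS = {4720: "user created", 4732: "member added to local group"}
SYSTEM_SID = "S-1-5-18"  # well-known SID of the Local System account
WINDOW = 60  # seconds allowed between the spawn and a correlated account change

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events, service_image=FTP_SERVICE_IMAGE, window=WINDOW):
    """Flag shells spawned by the FTP service and SYSTEM account changes soon after."""
    alerts, spawn_times = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4688:  # process creation
            if (basename(ev["parent"]) == service_image.lower()
                    and basename(ev["image"]) in SHELLS):
                spawn_times.append(ev["time"])
                alerts.append(("service-spawned-shell", ev["time"], ev["cmdline"]))
        elif ev["id"] in ACCOUNT_EVENTS and ev["subject_sid"] == SYSTEM_SID:
            # Account change performed by SYSTEM: report it only when it
            # follows a shell spawned by the service within the window.
            if any(0 <= ev["time"] - t <= window for t in spawn_times):
                detail = f'{ACCOUNT_EVENTS[ev["id"]]}: {ev["target"]}'
                alerts.append(("account-change-after-spawn", ev["time"], detail))
    return alerts

SAMPLE_EVENTS = [  # constructed for this example; times are seconds
    {"id": 4688, "time": 100, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"id": 4688, "time": 500, "parent": r"C:\Placeholder\ftp-service-placeholder.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\Temp\ABC.bat"'},
    {"id": 4688, "time": 501, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user abc /add"},
    {"id": 4720, "time": 501, "subject_sid": SYSTEM_SID, "target": "abc"},
    {"id": 4732, "time": 502, "subject_sid": SYSTEM_SID, "target": "Administrators"},
    {"id": 4720, "time": 9000, "subject_sid": "S-1-5-21-1111-2222-3333-500",
     "target": "helpdesk"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the direct child of the service is matched on process creation; the account events that follow are tied back to it by time, so the window should be tuned to the environment.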
Vendor Status:
The vendor replied the following: "There are already options in the software
to disallow this if running in multiple users environment which you should
also report as solution. It is true that it may not be obvious though".
The information has been provided by Francisco Alisson.