Bugtraq mailing list archives

EFTP Version 2.0.7.337 vulnerabilities


From: ByteRage <byterage () yahoo com>
Date: Wed, 12 Sep 2001 04:36:22 -0700 (PDT)


According to their site at www.eftp.org:

"EFTP is a 32bit combined Client/Server application,
basically 2 programs in one. EFTP incorporates the
448bit Blowfish Encryption Algorithm and the FTP
protocol (RFC 959 implementation) to provide secure
file transfers over TCP/IP based networks (The
Internet) providing strong encryption when the remote
and local hosts both use EFTP."

EFTP runs under Win9x/NT/2000/ME/XP.

The program has some bugs, and some of them
might lead to a full system compromise. I will try to
put an up-to-date version of this advisory online at
www.byterage.cjb.net.

1) Revelation of drive contents & NetBIOS password
hash retrieval via the LIST command

Example session (using the sample account):

USER SampleUser
PASS NothingSpectacular
LS ../*
LS c:/*
LS /c:/*.bat
LS a:/
...

This way we can browse through all resources available
to the machine.

We can also use UNC (Universal Naming Convention)
pathnames (\\), meaning that we can force the FTP
server to make an outbound NetBIOS connection to the
Internet and sniff the credentials. Since the captured
credentials could then be cracked using tools like
L0phtcrack, this could lead to a full system
compromise. This type of attack, and the solution,
has already been discussed by Rob Beck of @stake, Inc.
for G6 FTP Server at
http://www.atstake.com/research/advisories/2001/a040301-1.txt.

2) Revelation of drive contents via the SIZE and MDTM
commands

Example session:

QUOTE SIZE ../autoexec.bat
213 900
QUOTE MDTM ../autoexec.bat
213 20010901063342.000

So, both SIZE and MDTM tell us that ../autoexec.bat
exists, in contrast to:

QUOTE SIZE ../notthere
550 Command failed: File not found.
QUOTE MDTM ../notthere
550 'c:\restricted\..\notthere':no such file or
directory

What's that? With the last command we can also obtain
the name of our home directory!
Indeed, but the home directory is also available
through a PWD command or a GET of a nonexistent file,
as the makers do not seem to consider it a problem that
users know their absolute home directory.

We can use the file lengths that the SIZE command
gives us to determine the exact Windows OS version and
associated DLL versions, which might come in handy in
further (buffer overflow) attacks.

Since we can also use wildcards, we can 'bruteforce'
the filenames to map out the drive contents via SIZE
or MDTM commands. This type of attack has proven to
work on other FTP server software as well (GuildFTPd
<= v0.992); the proof of concept code (ftpsizemap.pl)
is attached to this mail.

3) Remotely exploitable buffer overflow / Denial of
Service attacks

Users with upload permissions can upload a *.lnk file
which contains:

("A" x 1744) . "CCCC"

Issuing an LS command will then overwrite EIP with
043434343h ("CCCC"); exploit code (ex_eftp.c) which
spawns a bindshell is attached to this mail.

This buffer overflow could also lead to a DoS
attack.

Another denial of service can be caused by repeatedly
sending the command CWD A:, which queries the A:
drive (but this could already be done via an LS A:\).

Another way to do a DoS is sending a GET AUX., which
crashes Win98 machines.
A GET /CON/CON is not filtered either, which crashes
unpatched Win9x.
And a PUT C:\PHEARME.TXT PRN.F00 makes nice printouts
on the remote machine ;) (if the printer is on; if it
is not, the computer freezes until the printer is
turned on).
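As an added example (not EFTP's code and not from the attachments), here is the server-side path check that would have refused the traversal, drive-letter, UNC and device-name requests shown in sections 1 to 3: every FTP argument is mapped onto the user's home directory, and anything that names a drive, a UNC share, a reserved device, or climbs above home is rejected before the filesystem is touched. The home directory c:\restricted comes from the 550 reply above; the function name and everything else is assumed.

```python
"""Path sanitiser for a Windows FTP server confined to a per-user home.
Added example, not EFTP's code. Uses PureWindowsPath so it runs anywhere."""
from pathlib import PureWindowsPath

# Windows reserved device names. An extension does not change them:
# PRN.F00 still opens the printer, AUX. still opens the serial device.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def _is_device_name(component: str) -> bool:
    # 'PRN.F00' -> 'PRN', 'AUX.' -> 'AUX', 'con' -> 'CON'
    base = component.rstrip(". ").split(".", 1)[0].rstrip(". ")
    return base.upper() in _RESERVED


def resolve_ftp_path(home: str, requested: str):
    """Map an FTP argument onto `home`; return (path, None) or (None, reason).
    A leading '/' means the virtual root, i.e. the home directory itself."""
    text = requested.replace("/", "\\")
    if text.startswith("\\\\"):              # \\host\share: outbound NetBIOS
        return None, "UNC path refused"
    p = PureWindowsPath(text)
    if p.drive:                              # 'c:\*', 'a:', '\\host\share'
        return None, "drive or UNC path refused"
    stack = []
    for part in p.parts:
        if part == "\\":                     # virtual root marker, no-op
            continue
        if part == "..":
            if not stack:                    # would climb above home
                return None, "traversal above home refused"
            stack.pop()
            continue
        if ":" in part:                      # '\c:\*.bat' or NTFS stream syntax
            return None, "drive letter in component refused"
        if _is_device_name(part):
            return None, "reserved device name refused"
        stack.append(part)                   # wildcards stay for the lister
    return str(PureWindowsPath(home).joinpath(*stack)), None
```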

4) Plaintext password storage

The passwords are stored without encryption in the
\Program Files\eftp2\eftp2users.dat file. The risk is
obvious when combined with enough privileges to
remotely spawn a bindshell using the *.lnk buffer
overflow I demonstrated earlier.

VENDOR STATUS

I have notified the programmers; they responded that
they will release an update that fixes these bugs as
soon as possible.

GREETS & THANKS

all the #securax people, incubus, Zoa Chien, sentinel,
woody, AreS, r00t-dude, eXploitek, phr0zen, nsanity,
... the party animals :) Wouter H., Maarten V.H.,
Kristof D.(x2), Bart D.B., Cindy V.

==================================================
[ByteRage] byterage () yahoo com www.byterage.cjb.net
==================================================


Attachment: ex_eftpd.c
Description: ex_eftpd.c

Attachment: ftpsizemap.pl
Description: ftpsizemap.pl
