Vigil@nce: ProFTPD, Cross Site Request Forgery
September 2008 by Vigil@nce
SYNTHESIS
An attacker can use a CSRF to execute FTP commands with the
privileges of a victim who views an HTML page.
Gravity: 2/4
Consequences: privileged access/rights
Provenance: document
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 22/09/2008
IMPACTED PRODUCTS
– FreeBSD
– NetBSD
– OpenBSD
– ProFTPD
DESCRIPTION
The FTP protocol works as a sequence of commands and replies. For
example:
Client: MKD dir1
Server: 257 "dir1" directory created
Client: MKD dir2
Server: 257 "dir2" directory created
The ProFTPD daemon and the FTP services of BSD share an
implementation error: a command longer than 512 bytes is split into
two commands. For example:
Client: MKD //////.../dir1MKD dir2
Server: 257 "/////.../dir1" directory created
Server: 257 "dir2" directory created
In this case, "MKD //////.../dir1MKD dir2" is split into "MKD
//////.../dir1" and "MKD dir2".
An attacker can therefore create an HTML page containing an image
with the following URL:
ftp://user@localhost/////.../SYST
Which is equivalent to:
LIST /////.../
SYST
If the victim "user" needs no password to access the FTP server on
"localhost", the SYST command is executed when the HTML page is
displayed.
An attacker can therefore use a CSRF to execute FTP commands with
the privileges of a victim who views an HTML page.
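The split of commands longer than 512 bytes described above, shown as an added example that is not ProFTPD or BSD source code: a flawed line reader beside a hardened one that drops the whole over-long line. The function names, MAXOUT, the bare-LF line ending and the sample input are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAXCMD 512 /* command length limit named in the advisory */
#define MAXOUT 8   /* assumption: capacity of the demo output array */
static char sample[MAXCMD + 16], cmds[MAXOUT][MAXCMD + 1];

/* Flawed reader: a full buffer ends a command just like a newline does,
 * so the tail of an over-long line is parsed as a second command. */
int read_flawed(const char *in, char out[][MAXCMD + 1]) {
    int n = 0, used = 0;
    for (; *in && n < MAXOUT; in++) {
        if (*in != '\n' && used < MAXCMD) { out[n][used++] = *in; continue; }
        out[n++][used] = '\0'; used = 0;
        if (*in != '\n' && n < MAXOUT) out[n][used++] = *in; /* leftover byte */
    }
    return n;
}

/* Hardened reader: an over-long line is discarded up to its newline and
 * counted as rejected (a server would answer 500 here). */
int read_hardened(const char *in, char out[][MAXCMD + 1], int *rejected) {
    int n = 0, used = 0, overflow = 0;
    for (*rejected = 0; *in && n < MAXOUT; in++) {
        if (*in != '\n') {
            if (used < MAXCMD) out[n][used++] = *in; else overflow = 1;
            continue;
        }
        if (overflow) (*rejected)++; else out[n++][used] = '\0';
        used = 0; overflow = 0;
    }
    return n;
}

/* Constructed input: "MKD ////...dir1" filling MAXCMD bytes, then "MKD dir2". */
void build_sample(char *buf) {
    memcpy(buf, "MKD ", 4);
    memset(buf + 4, '/', MAXCMD - 8);
    strcpy(buf + MAXCMD - 4, "dir1MKD dir2\n");
}

int main(void) {
    int rejected, n;
    build_sample(sample);
    n = read_flawed(sample, cmds);
    printf("flawed:   %d commands, second = \"%s\"\n", n, cmds[1]);
    n = read_hardened(sample, cmds, &rejected);
    printf("hardened: %d accepted, %d rejected\n", n, rejected);
}
```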
CHARACTERISTICS
Identifiers: BID-31289, VIGILANCE-VUL-8123