SECURITYVULNS:DOC:15781
Jan 21, 2007

MOAB-18-01-2007: Rumpus Multiple Vulnerabilities

2007-01-21 00:00:00
vulners.com

Summary

The following description is provided by the vendor (Maxum Development Corporation):

If you need to allow people from within your office or across the Internet to send, receive, and manage files on a central Mac, Rumpus FTP is what you are looking for. Rumpus is perfect for print, media or design shops, and is the answer to education and corporate file sharing needs. Rumpus FTP can handle virtually any Internet file transfer task by working with standard FTP and Web clients on any platform, and do it with remarkable ease. 

rumpusd is vulnerable to several remotely exploitable heap-based buffer overflows, denial of service conditions and local privilege escalation issues. Because rumpusd runs with root privileges, successful exploitation by an unprivileged user allows a full compromise of the system.

Most of these issues are related to FTP and HTTP request parsing, as well as to insecure use of the system() function and to incorrect permissions and/or handling of setuid binaries.

Affected versions

Rumpus 5.1 and previous versions on Mac OS X 10.4.8 (8L2127). Tested on both PowerPC and x86 based OS X.

Proof of concept, exploit or instructions to reproduce

The provided proof of concept can abuse one of the local privilege escalation issues and another (post-authentication) problem in the handling of the FTP LIST command.

$ ruby MOAB-18-01-2007.rb [selected issue]

example:
$ ruby bug-files/MOAB-18-01-2007.rb 1
++ Local privilege escalation…
++ Enjoy root shell…
sh-2.05b# id
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)

Note: The local privilege escalation exploit doesn't replace any files on the filesystem.

Debugging information

The following debugging information shows the results of launching the proof of concept against the FTP service, and the permissions and other information related to Rumpus binaries.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x33616263
[Switching to process 989 thread 0x3703]
0x00009fa5 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x0 0
edx 0x33616263 862020195
ebx 0x100007f 16777343
esp 0xb060aa50 0xb060aa50
ebp 0xb060aa78 0xb060aa78
esi 0x0 0
edi 0x0 0
eip 0x9fa5 0x9fa5
eflags 0x10297 66199
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55

(gdb) x/i $eip
0x9fa5: mov (%edx,%eax,4),%eax

(gdb) x/10x $ebp
0xb0c16a78: 0xb0c16eb8 0x0000f68f 0x33616263 0x72646972
0xb0c16a88: 0xb0c16ef8 0xb0c16ea4 0x00000000 0x00000000
0xb0c16a98: 0x00000000 0x00000000

(gdb) i f
Stack level 0, frame at 0xb0c16a54:
eip = 0x9fa5; saved eip 0x0
called by frame at 0x9f9e
Arglist at 0xb0c16a4c, args:
Locals at 0xb0c16a4c, Previous frame's sp is 0xb0c16a54
Saved registers:
ebp at 0xb0c16a4c, eip at 0xb0c16a50

$ ls -l /usr/local/Rumpus/
total 1912
drwxr-xr-x 7 root wheel 238 Jan 19 08:35 Logs
-rw-r--r-- 1 root wheel 790 Jan 19 00:38 Mac2Web.txt
-rw-r--r-- 1 root wheel 2144 Jan 17 14:51 Messages.txt
-rw-rw-rw- 1 root wheel 3128 Jan 19 07:43 Rumpus.conf
-rw-rw-rw- 1 root wheel 0 Jan 19 00:38 Rumpus.fsets
-rw-rw-rw- 1 root wheel 0 Jan 19 00:38 Rumpus.notices
-rw-r--r-- 1 root wheel 3 Jan 19 08:50 Rumpus.pid
-rw-rw-rw- 1 root wheel 0 Jan 19 00:38 Rumpus.rips
-rw-r--r-- 1 root wheel 8112 Jan 19 00:38 Rumpus.strings
-rw-rw-rw- 1 root wheel 1456 Jan 19 00:38 Rumpus.types
-rw-rw-rw- 1 root wheel 200 Jan 19 07:45 Rumpus.users
-rw-r--r-- 1 root wheel 31 Jan 19 08:36 Rumpus.userstats
drwxrwxrwx 46 root wheel 1564 Jan 19 00:38 WFMTemplates
-rw-r--r-- 1 root wheel 939 Jan 19 00:38 Web2Mac.txt
-rwsr-sr-x 1 root wheel 934244 Jan 19 00:38 rumpusd

$ strings /usr/local/Rumpus/rumpusd | grep ipfw
ipfw list > /usr/local/Rumpus/Rumpus.ipfw
/usr/local/Rumpus/Rumpus.ipfw
ipfw list > /usr/local/Rumpus/Rumpus.ipfw
/usr/local/Rumpus/Rumpus.ipfw

rumpusd makes the (old, yet still common) mistake of calling system() with a bare program name ("ipfw") instead of an absolute path, so the shell it spawns resolves the program through whatever PATH the caller supplied, while the binary itself is setuid/setgid root (see the -rwsr-sr-x bits above).

Notes

Exploitation conditions

Rumpus local privilege escalation issues don't need admin group privileges for exploitation. FTP service flaws, mostly heap buffer overflows, require authentication first (e.g. anonymous access). HTTP service flaws can be abused without any type of authentication.

Workaround or temporary solution

To prevent exploitation of the remote issues, properly limit access to the Rumpus services from untrusted hosts until a patch is made available by the vendor. There's no workaround for some of the local privilege escalation issues, because they rely on misuse of the system() function and not just on 'insecure' permissions (although patching the binary is feasible). Use an alternative file sharing method.