BulletProof FTP Server Local Privilege Escalation Vulnerability

BID:13410

Info

Bugtraq ID: 13410
Class: Design Error
CVE: CVE-2005-1371
Remote: No
Local: Yes
Published: Dec 13 2004 12:00AM
Updated: Jul 12 2009 02:06PM
Credit: Discovery is credited to Reed Arvin.
Vulnerable: Symantec Norton SystemWorks 2004
Symantec Norton SystemWorks 2003
Symantec Norton SystemWorks 2002
Symantec Norton SystemWorks 2001
Symantec Norton Internet Security 2004 Professional Edition
Symantec Norton Internet Security 2004
Symantec Norton Internet Security 2003 Professional Edition
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2002 Professional Edition 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton Internet Security 2002 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton Internet Security 2001 Professional Edition
Symantec Norton Internet Security 2001 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton AntiVirus 2004 Professional Edition
Symantec Norton AntiVirus 2004
Symantec Norton AntiVirus 2003 Professional Edition
Symantec Norton Antivirus 2003 0
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton AntiVirus 2002 Professional Edition
Symantec Norton AntiVirus 2002 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton AntiVirus 2001 Professional Edition
Symantec Norton AntiVirus 2001 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98 b
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 3.5.1 SP5
- Microsoft Windows NT 3.5.1 SP3
- Microsoft Windows NT 3.5.1 SP2
- Microsoft Windows NT 3.5.1 SP1
- Microsoft Windows NT 3.5.1
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 3.5
Symantec LiveUpdate 2.0
Symantec LiveUpdate 1.80.19 .0
Symantec LiveUpdate 1.9
Symantec LiveUpdate 1.8
Symantec LiveUpdate 1.7
+ Symantec Norton AntiVirus 2001 0
+ Symantec Norton AntiVirus 2002 0
+ Symantec Norton AntiVirus Corporate Edition 7.6
Symantec LiveUpdate 1.6
+ Symantec Norton AntiVirus 2001 0
+ Symantec Norton AntiVirus 2002 0
+ Symantec Norton AntiVirus Corporate Edition 7.51
+ Symantec Norton AntiVirus Corporate Edition 7.5
Symantec LiveUpdate 1.5
+ Symantec Norton AntiVirus 2001 0
Symantec LiveUpdate 1.4
+ Symantec Norton AntiVirus 5.0
Symantec AntiVirus for Handhelds Corporate Edition 3.0
Symantec AntiVirus for Handhelds 3.0
BulletProof FTP BulletProof FTP 2.4.0.31
Not Vulnerable: Symantec LiveUpdate 2.5
Symantec Java LiveUpdate

Discussion

BulletProof FTP Server is prone to a local privilege escalation vulnerability. This issue can allow a local unprivileged attacker to gain administrative privileges on a vulnerable computer.

A local attacker may influence the BulletProof FTP Server GUI configuration functionality in a manner that grants them elevated privileges.

This issue affects BulletProof FTP Server version 2.4.0.31.

Exploit / POC

No exploit is required. The issue can be reproduced with the following steps:
1. Right click the BulletProof FTP Server tray icon and click Show Server.
2. Click the Help icon.
3. Internet Explorer will open (running under the context of the LocalSystem account). Click File, then click Open.
4. Click Browse.
5. Change Files of type: to All Files, navigate to the system32 directory and locate cmd.exe. Right click cmd.exe and choose Open.

Jerome Athias has provided exploit code for this vulnerability.
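
A detection sketch for the sequence described above, added here as an example and not part of the original advisory: it walks process-creation records and reports interactive programs running as LocalSystem that descend from the FTP server process. The record fields, the sample events and the server image name `ftp-server-placeholder.exe` are constructed assumptions; the advisory does not give the executable name.

```python
from ntpath import basename  # parses Windows paths on any host OS

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Programs that give the desktop user a file dialog or a shell.
INTERACTIVE = {"iexplore.exe", "cmd.exe", "explorer.exe", "notepad.exe"}
# Placeholder: the advisory does not name the server executable.
SERVICE_IMAGE = "ftp-server-placeholder.exe"

def ancestry(ev, by_pid):
    """Image names from this process up to the oldest known ancestor."""
    chain, seen = [], set()
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        chain.append(basename(ev["image"]).lower())
        ev = by_pid.get(ev["ppid"])
    return chain

def find_breakouts(events, service_image=SERVICE_IMAGE):
    """Events must be in creation order; real logs should key on a
    unique process id rather than a reusable PID (assumption here)."""
    by_pid, hits = {}, []
    for ev in events:
        by_pid[ev["pid"]] = ev
        name = basename(ev["image"]).lower()
        if ev["user"].upper() != SYSTEM_USER or name not in INTERACTIVE:
            continue
        chain = ancestry(ev, by_pid)
        if service_image.lower() in chain[1:]:
            hits.append((ev["pid"], name, chain))
    return hits

def _ev(pid, ppid, image, user):
    return {"pid": pid, "ppid": ppid, "image": image, "user": user}

# Constructed sample records, not taken from a real host.
EVENTS = [
    _ev(700, 600, r"C:\WINDOWS\system32\services.exe", SYSTEM_USER),
    _ev(1200, 700, "C:\\Apps\\" + SERVICE_IMAGE, SYSTEM_USER),
    _ev(1500, 1400, r"C:\WINDOWS\explorer.exe", r"WS01\alice"),
    _ev(2300, 1200, r"C:\Program Files\Internet Explorer\iexplore.exe", SYSTEM_USER),
    _ev(2444, 2300, r"C:\WINDOWS\system32\cmd.exe", SYSTEM_USER),
    _ev(2600, 1500, r"C:\Program Files\Internet Explorer\iexplore.exe", r"WS01\alice"),
    _ev(2700, 700, r"C:\WINDOWS\system32\cmd.exe", SYSTEM_USER),
]

if __name__ == "__main__":
    for pid, name, chain in find_breakouts(EVENTS):
        print(pid, name, " <- ".join(chain[1:]))
```

The last record, a LocalSystem `cmd.exe` started directly by the service manager, is not reported because the server process is not in its ancestry.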

Solution / Fix

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us.
