CVE-1999-0017
CVSS 7.5
Published: 1997-12-10 00:00:00
Last revised: 2008-09-09 08:33:32

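[Original] FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.


[CNNVD] Multiple Vendor FTP Bounce Attack Vulnerability (CNNVD-199712-006)

        A vulnerability exists in FTP servers. An attacker can connect to arbitrary ports on a machine, other than the FTP port; this is also known as FTP bounce.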

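- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]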

- CPE (Affected Platforms and Products)

cpe:/o:sun:sunos:5.4  Sun Microsystems Solaris 2.4
cpe:/o:netbsd:netbsd:1.1  NetBSD 1.1
cpe:/o:sco:unixware:2.1
cpe:/o:siemens:reliant_unix  Siemens Reliant UNIX
cpe:/o:freebsd:freebsd:1.0  FreeBSD 1.0
cpe:/o:sun:sunos:5.5.1::x86
cpe:/o:sun:sunos:4.1.3u1  Sun SunOS 4.1.3u1
cpe:/o:sun:sunos:5.4::x86
cpe:/o:ibm:aix:4.3  IBM AIX 4.3
cpe:/o:sun:sunos:4.1.4  Sun SunOS 4.1.4
cpe:/o:freebsd:freebsd:2.1.0  FreeBSD 2.1.0
cpe:/a:washington_university:wu-ftpd:2.4
cpe:/o:sco:openserver:5.0.4
cpe:/o:sun:sunos:5.5::x86
cpe:/o:caldera:openlinux:1.2
cpe:/a:gnu:inet:6.02
cpe:/o:sun:sunos:5.3  Sun Microsystems Solaris 2.3
cpe:/o:netbsd:netbsd:1.2.1  NetBSD 1.2.1
cpe:/o:netbsd:netbsd:1.2  NetBSD 1.2
cpe:/o:freebsd:freebsd:2.1.7  FreeBSD 2.1.7
cpe:/o:netbsd:netbsd:1.0  NetBSD 1.0
cpe:/o:sco:open_desktop:3.0
cpe:/a:gnu:inet:5.01
cpe:/o:freebsd:freebsd:2.0  FreeBSD 2.0
cpe:/o:ibm:aix:3.2  IBM AIX 3.2
cpe:/o:ibm:aix:4.1  IBM AIX 4.1
cpe:/o:sun:sunos:5.5.1  Sun Microsystems Solaris 2.5.1
cpe:/a:gnu:inet:6.01
cpe:/o:ibm:aix:4.2  IBM AIX 4.2
cpe:/o:sun:sunos:5.5  Sun Microsystems Solaris 2.5
cpe:/o:freebsd:freebsd:1.1  FreeBSD 1.1
cpe:/o:freebsd:freebsd:1.2  FreeBSD 1.2

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0017
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0017
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199712-006
(Official data source) CNNVD

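- Other Links and Resources

- Vulnerability Information

Multiple Vendor FTP Bounce Attack Vulnerability
High risk  Design error
1997-12-10 00:00:00 2006-09-20 00:00:00
Remote
        A vulnerability exists in FTP servers. An attacker can connect to arbitrary ports on a machine, other than the FTP port; this is also known as FTP bounce.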

- Advisories and Patches

        SGI have released an advisory (20030304-01-P) with further details that address this issue. A number of patches to fix this vulnerability have also been provided. SGI have recommended that users upgrade to IRIX 6.5.20 or install the appropriate version specific patch.
        On SGI IRIX versions 6.5.6 and later this issue may be mitigated by running the FTP server with the -p option. If the FTP server is run via inetd, then the inetd configuration file should be modified to reflect this.
        In the reference section of this vulnerability you will find CERT Advisory CA-97.27.FTP_bounce, which details fix information for the majority of the known vulnerable vendors. Further information is also referenced to allow you to test your ftpd for this issue.

- Vulnerability Information

71
DG/UX FTP Server FTP Privileged Port Scan Bounce Weakness
Remote / Network Access Input Manipulation
Loss of Integrity Workaround, Upgrade
Exploit Public Vendor Verified

- Vulnerability Description

DG/UX FTP Server contains a flaw that may lead to an information disclosure. The problem is that the FTP server does not validate IP addresses supplied via the PORT command while in passive (PASV) mode. It is possible for a remote attacker to establish a connection between the FTP server and an arbitrary port on a third-party system, essentially conducting a port scan. This can be used to obscure the source of the port scan, as well as to scan internal systems that may be protected by a screening device.

- Timeline

1995-07-12 Unknown
1995-07-12 Unknown

- Solution

Upgrade to version R4.20MU04 or higher, as it has been reported to fix this vulnerability. It is also possible to temporarily work around the flaw by implementing the following workaround: use the '-p' flag with FTP. Change the 'ftp' line in inetd.conf to the following:

    ftp stream tcp nowait root /usr/bin/ftpd ftpd -p -t900

- Related References

- Vulnerability Credit

Unknown or Incomplete

- Vulnerability Information

Multiple Vendor FTP Bounce Attack Vulnerability
Design Error 126
Yes No
1995-07-12 12:00:00 2007-12-18 08:05:00
This problem was initially posted to the Bugtraq mailing list by *Hobbit* (hobbit@avian.org) on July 12, 1995.

- Affected Software Versions

Washington University wu-ftpd 2.4.2 academ[BETA1-15]
+ Caldera OpenLinux Standard 1.2
Sun SunOS 4.1.4
Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5_x86
Sun Solaris 2.5
SGI IRIX 6.5.5 m
SGI IRIX 6.5.5 f
SGI IRIX 6.5.5
SGI IRIX 6.5.4 m
SGI IRIX 6.5.4 f
SGI IRIX 6.5.4
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.3
SGI IRIX 6.5.2 m
SGI IRIX 6.5.2 f
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
SGI IRIX 6.1
SGI IRIX 6.0.1
SGI IRIX 6.0
SGI IRIX 5.3
SGI IRIX 5.2
SGI IRIX 5.1.1
SGI IRIX 5.1
SGI IRIX 5.0.1
SGI IRIX 5.0
SGI IRIX 4.0.5 H
SGI IRIX 4.0.5 G
SGI IRIX 4.0.5 F
SGI IRIX 4.0.5 E
SGI IRIX 4.0.5 D
SGI IRIX 4.0.5 A
SGI IRIX 4.0.5
SGI IRIX 4.0.4
SGI IRIX 4.0.3
SGI IRIX 4.0.2
SGI IRIX 4.0.1
SGI IRIX 4.0
SGI IRIX 3.3.3
SGI IRIX 3.3.2
SGI IRIX 3.3.1
SGI IRIX 3.3
SGI IRIX 3.2
SCO Unixware 2.1
SCO Open Server 5.0
SCO Open Desktop 3.0
Rhino Software Serv-U 4.1
Rhino Software Serv-U 4.0 .0.4
Rhino Software Serv-U 3.1
Rhino Software Serv-U 3.0
NetBSD NetBSD 1.2
NetBSD NetBSD 1.1
NetBSD NetBSD 1.0
Mad Goat Software MGFTP 2.2
IBM AIX 4.3
IBM AIX 4.2.1
IBM AIX 4.2
IBM AIX 4.1
IBM AIX 3.2
HP HP-UX (VVOS) 10.24
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.16
HP HP-UX 10.10
HP HP-UX 9.9
HP HP-UX 9.8
HP HP-UX 9.7
HP HP-UX 9.6
HP HP-UX 9.5
HP HP-UX 9.4
HP HP-UX 9.3
HP HP-UX 9.1
HP HP-UX 9.0
HP HP-UX 7.8
HP HP-UX 7.6
HP HP-UX 7.4
HP HP-UX 7.2
HP HP-UX 7.0
FreeBSD FreeBSD 2.1.7 .1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1
FreeBSD FreeBSD 2.0.5
FreeBSD FreeBSD 2.0
FreeBSD FreeBSD 1.1.5 .1
Digital UNIX 4.0 D
Digital UNIX 4.0 C
Digital UNIX 4.0 B
Digital UNIX 4.0 A
Digital UNIX 4.0
Digital UNIX 3.2 G

- Vulnerability Discussion

This problem is a design issue with the common implementation of the FTP protocol. In essence, the vulnerability is as follows: when a user FTPs into a host to retrieve files, the connection is two-way (i.e. when you log in and request a file, the server then opens a connection back to your host of origin to deliver the requested data). Most FTP servers support what is called 'active mode', which allows users to specify a number of parameters to the FTP daemon. One of these is the PORT command, which lets you specify *where* you would like the return data connection to be sent. Therefore, instead of opening a connection back to yourself to drop off your requested files or data, you can have the server open that connection to another host. This is true for both retrieving and putting data.

Attackers can exploit this in some instances to circumvent access control, export restrictions, etc.
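
The server-side check whose absence the discussion above describes, as an added example (not code from this record or from any vendor's ftpd): it decodes the PORT argument and refuses a data connection to any address other than the control-connection peer, or to a port below 1024 as RFC 2577 recommends. The function names, the use of reply 504 for an address mismatch, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_port_argument(arg):
    """Decode the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT argument must have six comma-separated fields")
    values = []
    for field in fields:
        # Accept plain ASCII decimal 0..255 only (no signs, spaces, empty fields).
        ok = field.isascii() and field.isdigit() and len(field) <= 3
        if not ok or int(field) > 255:
            raise ValueError("invalid PORT field: %r" % field)
        values.append(int(field))
    ip = ipaddress.IPv4Address(".".join(str(v) for v in values[:4]))
    port = values[4] * 256 + values[5]   # high byte, low byte
    return ip, port

def check_port_command(arg, control_peer_ip, min_port=1024):
    """Return (reply_code, reason) a hardened server would give for PORT <arg>.

    control_peer_ip is the source address of the client's control connection.
    """
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return 501, str(exc)             # syntax error in parameters
    if ip != ipaddress.IPv4Address(control_peer_ip):
        # The bounce case: data connection aimed at a third-party host.
        return 504, "data address %s is not the control peer" % ip
    if port < min_port:
        # RFC 2577: do not open data connections to ports below 1024.
        return 504, "data port %d is below %d" % (port, min_port)
    return 200, "PORT accepted for %s:%d" % (ip, port)

# Constructed samples; the client's control connection comes from 192.0.2.10.
SAMPLES = [
    "192,0,2,10,19,137",   # client's own address, port 5001
    "198,51,100,7,0,25",   # third-party host, port 25
    "192,0,2,10,0,23",     # own address, but privileged port 23
    "192,0,2,10,19",       # malformed: only five fields
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_port_command(sample, "192.0.2.10"))
```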

- Exploit

To exploit this issue, an attacker may use an FTP client.

- Solution

Please see the referenced advisories for more information.

- Related References
