CVE-2001-0187
CVSS 10.0
Published: 2001-03-26 00:00:00
Revised: 2013-09-13 00:13:04

[Original] Format string vulnerability in wu-ftp 2.6.1 and earlier, when running with debug mode enabled, allows remote attackers to execute arbitrary commands via a malformed argument that is recorded in a PASV port assignment.


[CNNVD] Wu-ftp debug command execution vulnerability (CNNVD-200103-098)

        Wu-ftp 2.6.1 and earlier contain a format string vulnerability when running with debug mode enabled. A remote attacker can execute arbitrary commands via a malformed argument that is recorded in a PASV port assignment.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr7
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr8
cpe:/a:washington_university:wu-ftpd:2.4.1
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr5
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr6
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr4
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18::academ
cpe:/a:washington_university:wu-ftpd:2.4.2_vr16
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr9
cpe:/a:washington_university:wu-ftpd:2.4.2_vr17
cpe:/a:washington_university:wu-ftpd:2.4.2_beta9::academ
cpe:/a:washington_university:wu-ftpd:2.6
cpe:/a:washington_university:wu-ftpd:2.5
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr13
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr12
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr11
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr10
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr15
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr14

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0187
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0187
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200103-098
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/2296
(VENDOR_ADVISORY)  BID  2296
http://xforce.iss.net/static/6020.php
(VENDOR_ADVISORY)  XF  wuftp-debug-format-string
http://www.debian.org/security/2001/dsa-016
(UNKNOWN)  DEBIAN  DSA-016
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch
(UNKNOWN)  CONFIRM  ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000443
(UNKNOWN)  CONECTIVA  CLA-2001:443

- Vulnerability information

Wu-ftp debug command execution vulnerability
Critical  Format string
2001-03-26 00:00:00 2006-09-20 00:00:00
Remote
        Wu-ftp 2.6.1 and earlier contain a format string vulnerability when running with debug mode enabled. A remote attacker can execute arbitrary commands via a malformed argument that is recorded in a PASV port assignment.

- Advisories and patches


- Vulnerability information (20594)

Wu-Ftpd 2.4.2/2.5/2.6 Debug Mode Client Hostname Format String Vulnerability (EDBID:20594)
unix remote
2001-01-23 Verified
0 Wu-ftpd team
N/A
source: http://www.securityfocus.com/bid/2296/info

Wu-ftpd is a widely used unix ftp server. It contains a format string vulnerability that may be exploitable under certain (perhaps 'extreme') circumstances.

When running in debug mode, Wu-ftpd logs user activity to syslog in an insecure manner. An attacker with control over the server's hostname resolving facility could exploit this vulnerability to get root access remotely on the victim host.

The following example demonstrates the vulnerability.

Note: /etc/hosts is used as the example name resolving mechanism; it could equally be DNS, NIS, etc.

Conditions:

$ grep 127.0.0.1 /etc/hosts
127.0.0.1 %x%x%x%x%x%x%x%x%x%x

$ grep ftpd /etc/inetd.conf
ftp stream tcp nowait root /usr/sbin/tcpd /tmp/wuftpd-2.6.0/src/ftpd -v

$ ncftpget -F 127.0.0.1 /tmp /usr/lib/ld.so

$ tail /var/log/syslog.debug

Jan 24 14:17:01 xxx ftpd[30912]: PASV port 47479 assigned to 80862b0806487eb9778084da87bffff16c9640151020bfffe108401c9004 [127.0.0.1]

..<snip extra output>..

- Vulnerability information

1744
WU-FTPD Debug Mode Client Hostname Remote Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- Vulnerability description

WU-FTPD contains a flaw that may allow a remote attacker to execute arbitrary code. The issue occurs when the service runs in 'debug' mode and an attacker has control over ident information being returned to the server. By manipulating the ident data returned to the host when requested by RFC 931 based authentication, an attacker can provide custom data with user-supplied format string identifiers that are passed to the syslog facility. This can be abused to overwrite portions of the system memory and execute arbitrary code.
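As an added illustration of the defensive pattern behind the "missing format strings" fix described in the BID text above and in this OSVDB entry (example code, not wu-ftpd's own; the function names and the sample hostname are constructed): the resolver- or ident-supplied string is handed to syslog only as a `%s` argument, never as the format itself, and a name that fails a plain hostname character check is replaced by the peer's IP address in the PASV log line.

```c
/* Safe logging of an untrusted hostname/ident string (added example,
 * hypothetical function names, not wu-ftpd code). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <syslog.h>

/* Constructed sample of what a hostile reverse lookup could return. */
static const char *HOSTILE_HOST = "%x%x%x%x%x%x%x%x%x%x";

/* Returns 1 if the name contains only characters a hostname may hold
 * (letters, digits, '-' and '.', at most 253 bytes), otherwise 0.
 * A '%' never passes, so format directives cannot reach the logger. */
int hostname_is_sane(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Builds the "PASV port N assigned to HOST [IP]" line quoted in the
 * advisory.  The untrusted name is always a %s argument; a name that
 * fails the check is logged as the peer IP instead.  Returns the
 * snprintf length. */
int format_pasv_log(char *out, size_t outsz, int port,
                    const char *host, const char *ip)
{
    const char *shown = hostname_is_sane(host) ? host : ip;
    return snprintf(out, outsz, "PASV port %d assigned to %s [%s]",
                    port, shown, ip);
}

/* The defect class the advisory describes is a call of the shape
 *     syslog(LOG_DEBUG, line);      -- attacker data used as the format
 * The corrected call passes a constant format and the data as an arg. */
void log_pasv(int port, const char *host, const char *ip)
{
    char line[512];
    format_pasv_log(line, sizeof line, port, host, ip);
    syslog(LOG_DEBUG, "%s", line);   /* constant format; line is data only */
}
```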

- Timeline

2001-01-23 Unknown
2001-01-23 Unknown

- Solution

Upgrade to version 2.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete