CVE-2004-0148
CVSS7.2
发布时间 :2004-04-15 00:00:00
修订时间 :2016-10-17 22:41:09
NMCOS    

[原文]wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.


[CNNVD]Wu-ftpd目录限制访问绕过漏洞(CNNVD-200404-058)

        
        Wu-ftpd是一个基于BSD ftpd的FTP服务器程序,由华盛顿大学维护。
        Wu-ftpd在处理目录限制访问实现上存在问题,远程攻击者可以利用这个漏洞绕过受限目录,访问ROOT目录内容。
        Glenn Stewart发现用户可通过更改他们HOME目录上的权限绕过由'restricted-gid'选项限制的目录访问策略。在后续的登录中,当访问用户的HOME目录被拒绝后,wu-ftpd会返回到ROOT目录中,目前没有提供详细漏洞细节。
        

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr8
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr7
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr6
cpe:/a:washington_university:wu-ftpd:2.4.2_vr17
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr5
cpe:/a:washington_university:wu-ftpd:2.4.2_vr16
cpe:/a:sgi:propack:2.3SGI ProPack 2.3
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr4
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18::academ
cpe:/a:washington_university:wu-ftpd:2.6.1
cpe:/a:washington_university:wu-ftpd:2.6.0
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr15
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr14
cpe:/a:washington_university:wu-ftpd:2.6.2
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr13
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr12
cpe:/a:washington_university:wu-ftpd:2.4.1
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr11
cpe:/a:washington_university:wu-ftpd:2.5.0
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr10
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr9
cpe:/a:washington_university:wu-ftpd:2.4.2_beta2::academ
cpe:/a:sgi:propack:2.4SGI ProPack 2.4

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:648HP-UX wuftpd Privilege Escalation Vulnerability (B.11.23)
oval:org.mitre.oval:def:1637HP-UX wuftpd Privilege Escalation Vulnerability (B.11.00)
oval:org.mitre.oval:def:1636HP-UX wuftpd Privilege Escalation Vulnerability (B.11.22)
oval:org.mitre.oval:def:1147HP-UX wuftpd Privilege Escalation Vulnerability (B.11.11)
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0148
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0148
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200404-058
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=108999466902690&w=2
(UNKNOWN)  HP  SSRT4704
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102356-1
(UNKNOWN)  SUNALERT  102356
http://www.debian.org/security/2004/dsa-457
(VENDOR_ADVISORY)  DEBIAN  DSA-457
http://www.frsirt.com/english/advisories/2006/1867
(UNKNOWN)  FRSIRT  ADV-2006-1867
http://www.redhat.com/support/errata/RHSA-2004-096.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:096
http://www.securityfocus.com/bid/9832
(VENDOR_ADVISORY)  BID  9832
http://xforce.iss.net/xforce/xfdb/15423
(UNKNOWN)  XF  wuftpd-restrictedgid-gain-access(15423)

- 漏洞信息

Wu-ftpd目录限制访问绕过漏洞
高危 访问验证错误
2004-04-15 00:00:00 2005-05-13 00:00:00
远程  
        
        Wu-ftpd是一个基于BSD ftpd的FTP服务器程序,由华盛顿大学维护。
        Wu-ftpd在处理目录限制访问实现上存在问题,远程攻击者可以利用这个漏洞绕过受限目录,访问ROOT目录内容。
        Glenn Stewart发现用户可通过更改他们HOME目录上的权限绕过由'restricted-gid'选项限制的目录访问策略。在后续的登录中,当访问用户的HOME目录被拒绝后,wu-ftpd会返回到ROOT目录中,目前没有提供详细漏洞细节。
        

- 公告与补丁

        厂商补丁:
        Debian
        ------
        
        http://www.debian.org/security/2004/dsa-457

- 漏洞信息

4160
WU-FTPD restricted-gid Directory Access Restriction Bypass
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

WU-FTPD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the restricted-gid feature is used. A malicious user can change the permissions on their home directory to deny themselves access. A subsequent connection by that user will exploit the flaw, and put them into the home directory of the root user, which will disclose files that an ordinary user would not have access to resulting in a loss of confidentiality.

- 时间线

2004-03-09 Unknow
2004-03-09 Unknow

- 解决方案

Upgrade to version 2.6.2-13 (Available on some Linux distributions) or higher, as it has been reported to fix this vulnerability. In addition, WU-FTPD Development Group has released a patch for some older versions of the main distribution.

- 相关参考

- 漏洞作者

- 漏洞信息

WU-FTPD restricted-gid Unauthorized Access Vulnerability
Access Validation Error 9832
Yes No
2004-03-09 12:00:00 2007-01-25 04:33:00
This issue was discovered by Glenn Stewart.

- 受影响的程序版本

Washington University wu-ftpd 2.6.2
+ Compaq Tru64 5.1 b PK2 (BL22)
+ Compaq Tru64 5.1 b PK1 (BL1)
+ Compaq Tru64 5.1 b
+ Compaq Tru64 5.1 a PK5 (BL23)
+ Compaq Tru64 5.1 a PK4 (BL21)
+ Compaq Tru64 5.1 a PK3 (BL3)
+ Compaq Tru64 5.1 a PK2 (BL2)
+ Compaq Tru64 5.1 a PK1 (BL1)
+ Compaq Tru64 5.1 a
+ Compaq Tru64 5.1 PK6 (BL20)
+ Compaq Tru64 5.1 PK5 (BL19)
+ Compaq Tru64 5.1 PK4 (BL18)
+ Compaq Tru64 5.1 PK3 (BL17)
+ Compaq Tru64 5.1
+ Compaq Tru64 5.0 f
+ Compaq Tru64 5.0 a PK3 (BL17)
+ Compaq Tru64 5.0 a
+ Compaq Tru64 5.0 PK4 (BL18)
+ Compaq Tru64 5.0 PK4 (BL17)
+ Compaq Tru64 5.0
+ Compaq Tru64 4.0 g PK3 (BL17)
+ Compaq Tru64 4.0 g
+ Compaq Tru64 4.0 f PK7 (BL18)
+ Compaq Tru64 4.0 f PK6 (BL17)
+ Compaq Tru64 4.0 f
+ Compaq Tru64 4.0 e
+ Compaq Tru64 4.0 d PK9 (BL17)
+ Compaq Tru64 4.0 d
+ Compaq Tru64 4.0 b
+ Conectiva Linux 9.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ SCO Open Server 5.0.7
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6
+ Sun Linux 5.0.7
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 6.0
Washington University wu-ftpd 2.6.2
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 6.0
Washington University wu-ftpd 2.6.1
+ Caldera OpenLinux 2.3
+ Caldera OpenLinux Server 3.1
+ Cobalt Qube 1.0
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
- FreeBSD FreeBSD 5.0 alpha
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3 -STABLE
- FreeBSD FreeBSD 4.3 -RELEASE
- FreeBSD FreeBSD 4.3
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
+ RedHat Linux 7.2 noarch
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i586
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 athlon
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 noarch
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
- S.u.S.E. Linux 7.3
- S.u.S.E. Linux 7.2
- S.u.S.E. Linux 7.1 x86
- S.u.S.E. Linux 7.1 sparc
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 alpha
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6
+ SCO Open Server 5.0.5
+ SCO Open Server 5.0.4
+ SCO Open Server 5.0.3
+ SCO Open Server 5.0.2
+ SCO Open Server 5.0.1
+ SCO Open Server 5.0
- Slackware Linux 8.0
- Slackware Linux 7.1
- Slackware Linux 7.0
+ Turbolinux Turbolinux 6.0.5
+ Turbolinux Turbolinux 6.0.4
+ Turbolinux Turbolinux 6.0.3
+ Turbolinux Turbolinux 6.0.2
+ Turbolinux Turbolinux 6.0.1
+ Turbolinux Turbolinux 6.0
+ Turbolinux Turbolinux Workstation 6.1
+ Wirex Immunix OS 7.0 -Beta
+ Wirex Immunix OS 7.0
+ Wirex Immunix OS 7+
Washington University wu-ftpd 2.6 .0
+ Cobalt Qube 1.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0 es
+ Conectiva Linux 4.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3 -STABLE
- FreeBSD FreeBSD 4.3 -RELEASE
- FreeBSD FreeBSD 4.3
+ HP HP-UX 11.11
+ HP HP-UX 11.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3 ppc
+ S.u.S.E. Linux 6.3 alpha
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.2
+ S.u.S.E. Linux 6.1 alpha
+ S.u.S.E. Linux 6.1
+ Turbolinux Turbolinux 4.0
+ Wirex Immunix OS 6.2
Washington University wu-ftpd 2.5 .0
+ Caldera OpenLinux 2.4
+ Caldera OpenLinux Desktop 2.3
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ SCO eServer 2.3
Washington University wu-ftpd 2.4.2 academ[BETA1-15]
+ Caldera OpenLinux Standard 1.2
Washington University wu-ftpd 2.4.2 academ[BETA-18]
+ RedHat Linux 5.2 i386
Washington University wu-ftpd 2.4.2 VR17
Washington University wu-ftpd 2.4.2 VR16
Washington University wu-ftpd 2.4.2 (beta 18) VR9
Washington University wu-ftpd 2.4.2 (beta 18) VR8
Washington University wu-ftpd 2.4.2 (beta 18) VR7
Washington University wu-ftpd 2.4.2 (beta 18) VR6
Washington University wu-ftpd 2.4.2 (beta 18) VR5
Washington University wu-ftpd 2.4.2 (beta 18) VR4
Washington University wu-ftpd 2.4.2 (beta 18) VR15
Washington University wu-ftpd 2.4.2 (beta 18) VR14
Washington University wu-ftpd 2.4.2 (beta 18) VR13
Washington University wu-ftpd 2.4.2 (beta 18) VR12
Washington University wu-ftpd 2.4.2 (beta 18) VR11
Washington University wu-ftpd 2.4.2 (beta 18) VR10
Washington University wu-ftpd 2.4.1
Sun Solaris 9_x86
Sun Solaris 9
SGI ProPack 2.4
SGI ProPack 2.3
HP HP-UX B.11.23
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.00
Compaq Tru64 5.1 b PK3(BL24)
Compaq Tru64 5.1 b PK2 (BL24)
Compaq Tru64 5.1 b PK2 (BL22)
Compaq Tru64 5.1 b PK1 (BL1)
Compaq Tru64 5.1 b
Compaq Tru64 5.1 a PK6(BL24)
Compaq Tru64 5.1 a PK5 (BL23)
Compaq Tru64 5.1 a PK4 (BL21)
Compaq Tru64 5.1 a PK3 (BL3)
Compaq Tru64 5.1 a PK2 (BL2)
Compaq Tru64 5.1 a PK1 (BL1)
Compaq Tru64 5.1 a
Avaya Interactive Response 1.3
Avaya Interactive Response 1.2.1
Avaya Interactive Response
Avaya CMS Server 13.0
Avaya CMS Server 12.0
Avaya CMS Server 13.1

- 漏洞讨论

WU-FTPD FTP server is reported prone to an unauthorized-access vulnerability. The issue is related to the "restricted-gid" feature supported by WU-FTPD. This feature allows an administrator to restrict FTP user access to certain directories. The vulnerability reportedly allows users to bypass those restrictions through modifying the permissions on their home directory so that they themselves can no longer access it. Under such circumstances, the server may grant the user unauthorized access to the root directory.

Further technical details are not known at this time. This record will be updated as more information becomes available.

This BID is created in response to Two Possibly New WU-FTPD Vulnerabilities BID 9820, which is being retired.

- 漏洞利用

No exploit is required.

- 解决方案

Vendor updates are available. Please see the referenced vendor advisories for more information.


Sun Solaris 9

SGI ProPack 2.3

SGI ProPack 2.4

Washington University wu-ftpd 2.6.2

Compaq Tru64 5.1 a PK6(BL24)

Compaq Tru64 5.1 b PK3(BL24)

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站