X41 D-Sec GmbH Security Advisory: X41-2017-006

Multiple Vulnerabilities in PSFTPd Windows FTP Server
=====================================================

Overview
--------
Confirmed Affected Versions: 10.0.4 Build 729
Confirmed Patched Versions: None
Vendor: Sergei Pleis Softwareentwicklung
Vendor URL: http://www.psftp.de/ftp-server/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-006-psftpd/

Summary and Impact
------------------
Several issues have been identified which allow attackers to hide information in log files, recover passwords and crash the whole server. The server uses neither ASLR nor DEP, which would make exploitation harder.

Product Description
-------------------
From the vendor page, roughly translated: PSFTPd is a user-friendly, functional and robust FTP server software with support for FTP, FTPS and SFTP.

Use after free
==============
Severity Rating: High
Vector: Network
CVE: CVE-2017-15271
CWE: 416
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary and Impact
------------------
An invalid memory access could be triggered remotely in the SFTP component of PSFTPd. The issue could be triggered prior to authentication. The PSFTPd server did not restart automatically, which enabled attackers to perform a very effective DoS attack against this service.

By sending the following SSH identification / version string to the server, a NULL pointer dereference could be triggered:

    $ cat tmp.14
    SSH-2.0-BBBBBBBB
    CCCCCCCCCCCC
    $ cat tmp.14 | socat - TCP:192.168.122.50:22

The issue appears to be a race condition in the window message handling that performs the cleanup for invalid connections. Upon further investigation X41 D-Sec GmbH could confirm that the accessed memory had already been freed.
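The crash described above is reached before authentication, during the identification exchange, and the root cause is a cleanup path for invalid connections that runs concurrently with other handling. The defensive lesson is to validate everything the client sends synchronously at the protocol boundary and close the socket before any per-connection state exists, so there is nothing for a later cleanup path to race against. The following Python is an added example and not code from PSFTPd or from X41: it checks a client's identification line against the grammar and length limit of RFC 4253 section 4.2 and the header of the first binary packet against the size limit of section 6.1. The function names, the constructed sample inputs (one shaped like the two-line string above) and the decision to accept a bare LF terminator are assumptions of this example.

```python
import re
import struct

MAX_ID_LINE = 255          # RFC 4253 section 4.2: identification line incl. CR LF
MAX_PACKET_LENGTH = 35000  # RFC 4253 section 6.1: largest packet a server must accept

# "SSH-" protoversion "-" softwareversion [SP comments]; softwareversion is
# printable US-ASCII with no whitespace and no "-" (0x2D).
_ID_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<sw>[\x21-\x2C\x2E-\x7E]+)"
    rb"(?: (?P<comment>[\x20-\x7E]*))?$"
)


def split_first_line(buf: bytes):
    """Return (line, remainder); line is None until a full line has arrived.

    Refuses to keep buffering once MAX_ID_LINE bytes have arrived without an
    LF, so a client cannot make the server hold an unbounded partial line.
    """
    idx = buf.find(b"\n")
    if idx < 0:
        if len(buf) >= MAX_ID_LINE:
            raise ValueError("no line terminator within %d bytes" % MAX_ID_LINE)
        return None, buf
    return buf[: idx + 1], buf[idx + 1 :]


def parse_identification(line: bytes) -> dict:
    """Validate one identification line; raise ValueError on anything odd."""
    if len(line) > MAX_ID_LINE:
        raise ValueError("identification line longer than %d bytes" % MAX_ID_LINE)
    body = line[:-1]                 # strip LF (bare LF accepted, as most servers do)
    if body.endswith(b"\r"):
        body = body[:-1]
    if b"\r" in body:
        raise ValueError("stray CR inside identification line")
    m = _ID_RE.match(body)
    if m is None:
        raise ValueError("malformed identification string")
    return {
        "protoversion": m.group("proto").decode("ascii"),
        "softwareversion": m.group("sw").decode("ascii"),
        "comment": (m.group("comment") or b"").decode("ascii"),
    }


def check_packet_header(buf: bytes) -> int:
    """Sanity-check the first binary packet header before allocating for it."""
    if len(buf) < 5:
        raise ValueError("incomplete packet header")
    packet_length, padding_length = struct.unpack("!IB", buf[:5])
    if not 5 <= packet_length <= MAX_PACKET_LENGTH:
        raise ValueError("implausible packet_length %d" % packet_length)
    if padding_length < 4 or padding_length + 1 > packet_length:
        raise ValueError("implausible padding_length %d" % padding_length)
    return packet_length


def triage_client_hello(buf: bytes) -> dict:
    """Decide from the raw bytes received so far whether to keep the connection.

    All checks run in the receiving thread before a session object is created;
    a reject means the socket is closed with no state left behind.
    """
    try:
        line, rest = split_first_line(buf)
        if line is None:
            return {"state": "need_more"}
        result = {"state": "ok", "ident": parse_identification(line)}
        if rest:
            result["packet_length"] = check_packet_header(rest)
        return result
    except ValueError as exc:
        return {"state": "reject", "reason": str(exc)}


# Constructed samples: a normal client hello, and one shaped like the advisory's
# two-line string, whose second line is not a plausible binary packet header.
GOOD_HELLO = b"SSH-2.0-OpenSSH_8.9 Ubuntu\r\n"
TWO_LINE_HELLO = b"SSH-2.0-BBBBBBBB\nCCCCCCCCCCCC\n"

if __name__ == "__main__":
    for sample in (GOOD_HELLO, TWO_LINE_HELLO, b"B" * 300):
        print(sample[:24], "->", triage_client_hello(sample))
```

The two-line sample passes the identification check (the first line is well formed) and is rejected on the next layer, because the bytes `CCCC` read as a packet_length of over a billion. The point is where the rejection happens: in the same thread, before any connection object exists, rather than in an asynchronous cleanup triggered by a window message.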
X41 D-Sec GmbH enabled the page heap memory debugging functionality for the psftpd_svc.exe executable using the command:

    gflags.exe /p /enable psftpd_svc.exe /full

When observing the crash in the WinDBG debugging tool, it could be confirmed that access to an already freed page was taking place.

Log Injection
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15270
CWE: 117
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary and Impact
------------------
The PSFTPd server does not properly escape data before writing it into a Comma Separated Values (CSV) log file. Attackers can use this to hide data in the Graphical User Interface (GUI) view and, to a certain extent, create arbitrary entries. Special characters such as '"', ',' and '\r' are not escaped and can be used to add new entries to the log.

Workarounds
-----------
None

Passwords stored in Plain Text
==============================
Severity Rating: Low
Vector: Local
CVE: CVE-2017-15272
CWE: 312
CVSS Score: 3.3
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary and Impact
------------------
The PSFTPd server stores its configuration in the file PSFTPd.dat. This file is a Microsoft Access database, and its contents can be extracted with the command "mdb-export PSFTPd.dat USERS" from mdbtools (https://github.com/brianb/mdbtools). The application sets the database's encrypt flag with the password "ITsILLEGAL", but this password is not required to extract the data. The users' passwords are shown in clear text, since they are not stored securely.

Workarounds
-----------
Use the Active Directory connector for your users.

FTP Bounce Scan
===============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15269
CWE: 441
CVSS Score: 5.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Summary and Impact
------------------
The PSFTPd server does not prevent FTP bounce scans by default. These can be performed using "nmap -b" and allow attackers to port scan other hosts via the FTP server.
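The Log Injection section above describes a logger that writes fields into a CSV file without escaping. As an added example, not PSFTPd's code, the following Python shows that vulnerable pattern beside a hardened writer that quotes every field with the standard csv module and additionally makes control characters visible, then parses both outputs back the way a CSV-aware viewer would. The column layout, the sample entry and the hostile username are constructed for this illustration.

```python
import csv
import io

# Constructed hostile username: a quote, a comma and CR LF followed by a
# second, fake record claiming that "admin" ran a DELETE.
HOSTILE_USER = 'evil",ok\r\nadmin,DELETE /,ok'


def log_entry_naive(fp, user, command, status):
    """The pattern the advisory describes: fields joined without escaping."""
    fp.write("%s,%s,%s\r\n" % (user, command, status))


def sanitize_field(value: str) -> str:
    """Make control characters visible so a field can never end the record,
    even if a consumer (such as a GUI log view) does not parse CSV strictly."""
    return "".join(ch if ch.isprintable() else "\\x%02x" % ord(ch) for ch in value)


def log_entry_safe(fp, user, command, status):
    """Quote every field; quotes inside a field are doubled by the csv module."""
    writer = csv.writer(fp, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow([sanitize_field(user), sanitize_field(command), sanitize_field(status)])


def render(entries, write_fn) -> str:
    """Write the entries with the given writer and return the file contents."""
    buf = io.StringIO()
    for user, command, status in entries:
        write_fn(buf, user, command, status)
    return buf.getvalue()


def parse_log(text: str):
    """Read the log back the way a CSV-aware viewer would."""
    return list(csv.reader(io.StringIO(text, newline="")))


# One constructed log entry: the hostile user issued LIST, which succeeded.
ENTRIES = [(HOSTILE_USER, "LIST", "ok")]

if __name__ == "__main__":
    for name, fn in (("naive", log_entry_naive), ("safe", log_entry_safe)):
        rows = parse_log(render(ENTRIES, fn))
        print("%s writer: %d record(s) -> %r" % (name, len(rows), rows))
```

With the naive writer the single LIST entry turns into two records, the second of which attributes a DELETE to admin; with the hardened writer it stays one record of three fields, and the injected quote, comma and line break survive only as data inside the first field. Quoting alone would already be correct CSV; the control-character escaping is defence in depth for viewers that split on line breaks without a real parser.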
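The root cause in the Passwords stored in Plain Text section is that the USERS table holds the password itself, so any database export yields it. As an added example, not PSFTPd's code, the Python below shows what a server can store instead: a salted PBKDF2-HMAC-SHA256 record that lets the server verify a login without being able to recover the password, together with a one-way migration of plaintext rows. The column names, the sample rows and the record format are constructed for this illustration; the iteration count is a parameter of this example.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000   # work factor; raise over time as hardware gets faster


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$rounds$salt$digest."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2-sha256$%d$%s$%s" % (
        PBKDF2_ROUNDS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2-sha256":
            return False
        rounds = int(rounds)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False                   # malformed record never verifies
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def migrate_users(rows):
    """Replace a plaintext PASSWORD column with a PASSWORD_HASH column.

    After this has run the plaintext is gone: an exported table only yields
    salted digests, so a dump of the file no longer reveals credentials.
    """
    migrated = []
    for row in rows:
        new_row = {k: v for k, v in row.items() if k != "PASSWORD"}
        new_row["PASSWORD_HASH"] = hash_password(row["PASSWORD"])
        migrated.append(new_row)
    return migrated


# Constructed sample rows in the shape of an exported USERS table.
USERS = [
    {"NAME": "alice", "PASSWORD": "correct horse battery staple"},
    {"NAME": "bob", "PASSWORD": "hunter2"},
]

if __name__ == "__main__":
    for row in migrate_users(USERS):
        print(row["NAME"], row["PASSWORD_HASH"][:40] + "...")
```

The per-record salt means two users with the same password get different digests, and the rounds field stored with the record lets the work factor be raised later without invalidating existing entries. A database-level "encrypt" flag with a fixed password, as the advisory describes, protects nothing once the file can be read.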
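The FTP Bounce Scan section names the behaviour but not the server-side check that prevents it. As an added example, not PSFTPd's implementation, the Python below applies the two rules RFC 2577 section 3 recommends to a PORT command: the data address must equal the control connection's peer address, and the data port must not be a privileged port. It treats FXP (a data address other than the client's own) as an explicit opt-in, matching the "FTP Bounce and FXP" setting the workaround refers to. The session values and commands are constructed; only IPv4 PORT is handled, EPRT would need the same checks.

```python
import ipaddress


def parse_port_argument(arg: str):
    """Parse 'h1,h2,h3,h4,p1,p2' (RFC 959) into (IPv4Address, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError("PORT arguments must be decimal integers") from None
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT byte out of range")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return host, port


def check_port_command(arg: str, control_peer: str, allow_fxp: bool = False):
    """Return (allowed, reason) for a PORT command on a given control connection."""
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, "syntax: %s" % exc
    if port < 1024:
        # A bounced connection to a privileged port is how an FTP server gets
        # used as a proxy against other services (RFC 2577 section 3).
        return False, "data port %d is privileged" % port
    if host != ipaddress.IPv4Address(control_peer) and not allow_fxp:
        return False, "data address %s differs from control peer %s" % (host, control_peer)
    return True, "ok"


def review_session(commands, control_peer, allow_fxp=False):
    """Apply the check to every PORT argument a client sent in one session."""
    return [check_port_command(c, control_peer, allow_fxp) for c in commands]


# Constructed session: a client on 203.0.113.7 (TEST-NET-3) sends three PORT commands.
CONTROL_PEER = "203.0.113.7"
SESSION = [
    "203,0,113,7,195,80",   # own address, port 50000: a normal active-mode transfer
    "192,0,2,10,0,25",      # another host, port 25: bounce attempt, rejected
    "203,0,113,7,0,22",     # own address but privileged port 22: rejected
]

if __name__ == "__main__":
    for cmd, (ok, why) in zip(SESSION, review_session(SESSION, CONTROL_PEER)):
        print("PORT %-22s -> %s (%s)" % (cmd, "accept" if ok else "reject", why))
```

With `allow_fxp=False` (the default here) only the first command is accepted. Enabling FXP relaxes the address rule only; the privileged-port rule still applies, which limits what a bounce through an FXP-enabled server can reach.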
Workarounds
-----------
FTP bounce scans can be prevented by setting:
Kontrollmanager > Domain > Sicherheit > Register "FTP Bounce and FXP"

About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.

Timeline
--------
2017-08-31 Issues found
2017-09-18 Vendor contacted
2017-09-19 Vendor reply
2017-10-11 CVE IDs requested
2017-10-11 CVE IDs assigned
2017-11-06 Vendor informed us that apparently a fixed version was released. We cannot confirm this, since we do not have access.
2017-11-07 Public release