Serv-U 3.x-6.0 local privilege escalation vulnerability

xiaoxiao 2021-03-06

From: http://www.finecer.com

Serv-U FTP Server (Serv-U) is a widely deployed FTP server (especially among domestic telecom ISPs, IDCs and the like), powerful and easy to use. All versions from Serv-U 3.x up to the November release, Serv-U 6.0.0.0, have a local privilege escalation vulnerability. Combining guest-level access with an exploit lets an attacker run programs with SYSTEM privileges and take full control of the host; escalating from a WebShell through this exploit has become a popular, general-purpose intrusion method.

Vulnerability description: the vulnerability consists of connecting to Serv-U's default local management port as the default administrator and executing commands. From Serv-U 3.x to Serv-U 6.0.0.0 the local management port is 43958, the default administrator is LocalAdministrator, and the default password is #l@l@l@l@p. These are built into Serv-U itself, so anyone with guest-level access on the machine can connect to the port and administer Serv-U.

Detailed vulnerability advisory:

http://www.finecer.com/Article_show.asp?articleid=3369

Preventing such attacks. General prevention method: set directory permissions so that a WebShell cannot run the exploit program, by removing execute permission for the IUSR_XXXX user (XXXX is your machine name) on the web directories.

Countermeasure: this method has clear limitations. There are many directories to set, and a single omission is enough. For example, I have found on many virtual hosts that C:\Documents and Settings\All Users\Documents and several of its subdirectories have no permissions set at all, so the exploit can be run from there; the same goes for X:\php, X:\perl and similar, because those directories are fully controlled by Everyone. Some hosts also support PHP, PL, ASPX and so on, which is simply a Serv-U disaster for the server, ^_^, and makes running programs even more convenient.

Advanced prevention method: change the Serv-U management port. Open ServUDaemon.exe in UltraEdit, search for the bytes B6AB (43958 in hex) and replace them with a port of your own choosing, for example 3930 (12345). Open ServUAdmin.exe, find the last occurrence of B6AB and likewise replace it with 3930 (12345). Restart Serv-U; the local management port is now 12345:

TCP 127.0.0.1:12345 0.0.0.0:0 LISTENING

Countermeasure: dealing with this is also very simple. netstat -an shows the port. Some people say netstat cannot be run from a WebShell; in fact, just upload a netstat.exe to an executable directory and it runs fine. Then modify the exploit, recompile, upload and run it. Below is an exploit that lets you specify the port (source code attached to the original post); run format:

USAGE: Serv-U.exe Port "Command"
EXAMPLE: Serv-U.exe 43958 "Net User Test FineAracer.com / Add"

Advanced prevention method: change the administrator name and password. Open ServUDaemon.exe in UltraEdit, search for the ASCII strings LocalAdministrator and #L@'ak#.lk; 0 @p, and overwrite them with other strings of the same length; do the same in ServUAdmin.exe.

Countermeasure: is there still a way to connect as this default administrator? Well, some administrators install Serv-U into the default directory C:\Program Files\Serv-U. Although that directory is not writable, it is readable by the default IUSR account, so a hacker can download ServUDaemon.exe through the WebShell, open it in UltraEdit and analyze it, and the Serv-U account and password are in hand; modify the exploit, compile, upload and run it, and the hacker wins.

Complete defense program:

1. Set directory permissions carefully and don't be negligent; don't leave out any directory on the server.
2. Don't install Serv-U in the default path, and set permissions on the Serv-U directory so that only Administrators can access it.
3. Use the method described above to change the Default Administrator's name and password, and the management port, to values of your own choosing.
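As an added defender's audit, not part of the original post or the Serv-U product: a Python check that flags the Serv-U management port listening on loopback in netstat -an output (the check the "Countermeasure" above relies on), and inspects a copy of ServUDaemon.exe or ServUAdmin.exe for the default port bytes and default administrator name that the defense program says to change. The netstat listing and both binary images are constructed here; the replacement name HostFtpControlUser is an arbitrary placeholder.

```python
import re

# Values from the post: Serv-U's local management port and default admin name.
SERVU_DEFAULT_PORT = 43958
# 43958 = 0xABB6, stored little-endian in the Serv-U binaries (the "B6AB" the post patches).
DEFAULT_PORT_BYTES = SERVU_DEFAULT_PORT.to_bytes(2, "little")   # b"\xb6\xab"
DEFAULT_ADMIN_NAME = b"localadministrator"                      # compared case-insensitively

def find_management_listener(netstat_output, port=SERVU_DEFAULT_PORT):
    """Parse `netstat -an` style output and return loopback sockets LISTENING on `port`."""
    pat = re.compile(r"^\s*TCP\s+(127\.0\.0\.1:(\d+))\s+\S+\s+LISTENING\s*$", re.IGNORECASE)
    hits = []
    for line in netstat_output.splitlines():
        m = pat.match(line)
        if m and int(m.group(2)) == port:
            hits.append(m.group(1))
    return hits

def audit_binary(image):
    """Report whether the defaults the post says to patch are still present in a binary image.
    A two-byte port pattern can occur by chance, so a hit is a prompt to inspect, not proof."""
    return {
        "default_port_bytes": DEFAULT_PORT_BYTES in image,
        "default_admin_name": DEFAULT_ADMIN_NAME in image.lower(),
    }

# Constructed sample input (not real captures): a netstat listing and two fake binary images.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:43958        0.0.0.0:0              LISTENING
  TCP    10.0.0.5:21            10.0.0.9:51012         ESTABLISHED
"""
# Unpatched: default admin name and port bytes present. Patched: same-length name, port 12345.
UNPATCHED_IMAGE = b"MZ" + b"\x00" * 6 + b"LocalAdministrator\x00" + b"\xb6\xab" + b"\x00" * 4
PATCHED_IMAGE = (b"MZ" + b"\x00" * 6 + b"HostFtpControlUser\x00"
                 + (12345).to_bytes(2, "little") + b"\x00" * 4)

if __name__ == "__main__":
    print("management listener:", find_management_listener(SAMPLE_NETSTAT))
    print("unpatched image:", audit_binary(UNPATCHED_IMAGE))
    print("patched image:", audit_binary(PATCHED_IMAGE))
```

On a real host, feed the actual netstat -an output and the bytes of the installed binaries to these functions; any True result means the corresponding hardening step from the defense program has not been applied.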

When reposting, please cite the original source: https://www.9cbs.com/read-79102.html
