Timbuktu Pro文件上传和日志注入漏洞

2008-03-15T00:00:00
ID SSV:3039
Type seebug
Reporter Root
Modified 2008-03-15T00:00:00

Description

BUGTRAQ ID: 28081 CVE(CAN) ID: CVE-2008-1117,CVE-2008-1118

Motorola的Timbuktu Pro是一款远程控制软件,允许远程访问计算机桌面。

Timbuktu的tb2pro.exe所加载的tb2ftp.dll库在实现Notes功能期间检查目标文件名时没有正确地过滤“\”和“/”字符,允许攻击者执行目录遍历攻击,向目标机器的任意位置上传文件;Timbuktu直接从用户所发送的报文中获取了一些包含有对等端信息的字段(计算机名、用户名、IP地址等),并在目标机器的屏幕上显示这些信息,这就允许攻击者在受害用户的日志行中伪造对等端信息。

以下是反汇编的漏洞代码:

/-----------

.text:6063A62E mov edx, [ebp+lp] .text:6063A631 mov eax, [edx+20h] ; Packet field containing filename .text:6063A634 push eax ; EAX is also the output buffer .text:6063A635 call ds:Pascal2C ; Extract filename from packet

.text:6063A63B push '\' ; Char to filter in the filename .text:6063A63D mov ecx, [ebp+lp] .text:6063A640 mov edx, [ecx+20h] .text:6063A643 push edx ; Filename obtained in 0x6063A635 .text:6063A644 call _strrchr ; Search for '\' in the filename .text:6063A649 add esp, 8 ; At this point, the pointer to the ; position of the '\' is obtained and ; will be stored in a local variable.

.text:6063A64C mov [ebp+pSlashPosition], eax ; Store '\' pointer .text:6063A64F cmp [ebp+pSlashPosition], 0 ; This is the BUG !!!! .text:6063A653 jnz short loc_6063A669 ; It avoids checking '/' if ; '\' was found, so we must ; send '\' and then as much ; "../" as we want :)

.text:6063A655 push '/' ; This check won't be done .text:6063A657 mov eax, [ebp+lp] ; because the '\' was found .text:6063A65A mov ecx, [eax+20h] .text:6063A65D push ecx .text:6063A65E call _strrchr .text:6063A663 add esp, 8 .text:6063A666 mov [ebp+pSlashPosition], eax

.text:6063A669 loc_6063A669: .text:6063A669 cmp [ebp+pSlashPosition], 0 ; Check if a slash was
;found so .text:6063A66D jz short loc_6063A68C ; it copies past it's ;position .text:6063A66F push 200h .text:6063A674 mov edx, [ebp+pSlashPosition]; Get the '\' position and move .text:6063A677 add edx, 1 ; forward 1 byte to avoid it .text:6063A67A push edx .text:6063A67B mov eax, [ebp+lp] .text:6063A67E add eax, 4B0h .text:6063A683 push eax .text:6063A684 call ds:lstrcpynA ; From know on, the filename .text:6063A68A jmp short loc_6063A6A ; contains something like ; ../a.exe :) . . . . .

  • -----------/

Motorola Timbuktu Pro for Windows 8.6.5 Motorola


目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

<a href=http://www.motorola.com/ target=_blank>http://www.motorola.com/</a>