SSV:3039
Timbuktu Pro File Upload and Log Injection Vulnerabilities

2008-03-15 00:00:00
Root
www.seebug.org

EPSS: 0.548 (Medium), percentile 97.3%

BUGTRAQ ID: 28081
CVE(CAN) ID: CVE-2008-1117, CVE-2008-1118

Motorola's Timbuktu Pro is remote control software that allows remote access to a computer's desktop.

The tb2ftp.dll library loaded by Timbuktu's tb2pro.exe does not properly filter the "\" and "/" characters when it checks the target filename in the implementation of the Notes feature. This allows an attacker to perform a directory traversal attack and upload a file to an arbitrary location on the target machine. In addition, Timbuktu takes several fields containing peer information (computer name, user name, IP address, etc.) directly from the packet sent by the user and displays them on the target machine's screen, which allows an attacker to forge the peer information shown in the victim user's log lines.

The disassembled vulnerable code follows:

/-----------

.text:6063A62E mov edx, [ebp+lp]
.text:6063A631 mov eax, [edx+20h] ; Packet field containing filename
.text:6063A634 push eax ; EAX is also the output buffer
.text:6063A635 call ds:Pascal2C ; Extract filename from packet

.text:6063A63B push '\' ; Char to filter in the filename
.text:6063A63D mov ecx, [ebp+lp]
.text:6063A640 mov edx, [ecx+20h]
.text:6063A643 push edx ; Filename obtained in 0x6063A635
.text:6063A644 call _strrchr ; Search for '\' in the filename
.text:6063A649 add esp, 8 ; At this point, the pointer to the
; position of the '\' is obtained and
; will be stored in a local variable.

.text:6063A64C mov [ebp+pSlashPosition], eax ; Store '\' pointer
.text:6063A64F cmp [ebp+pSlashPosition], 0 ; This is the BUG !!!
.text:6063A653 jnz short loc_6063A669 ; It avoids checking '/' if
; '\' was found, so we must
; send '\' and then as much
; "../" as we want :)

.text:6063A655 push '/' ; This check won't be done
.text:6063A657 mov eax, [ebp+lp] ; because the '\' was found
.text:6063A65A mov ecx, [eax+20h]
.text:6063A65D push ecx
.text:6063A65E call _strrchr
.text:6063A663 add esp, 8
.text:6063A666 mov [ebp+pSlashPosition], eax

.text:6063A669 loc_6063A669:
.text:6063A669 cmp [ebp+pSlashPosition], 0 ; Check if a slash was
; found, so it
.text:6063A66D jz short loc_6063A68C ; copies past its
; position
.text:6063A66F push 200h
.text:6063A674 mov edx, [ebp+pSlashPosition] ; Get the '\' position
; and move
.text:6063A677 add edx, 1 ; forward 1 byte to avoid it
.text:6063A67A push edx
.text:6063A67B mov eax, [ebp+lp]
.text:6063A67E add eax, 4B0h
.text:6063A683 push eax
.text:6063A684 call ds:lstrcpynA ; From now on, the filename
.text:6063A68A jmp short loc_6063A6A ; contains something like
; ../a.exe :)
. . . . .

-----------/
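As an added illustration (not code from the advisory or from the vendor), the following C reconstructs the separator check shown in the disassembly in its flawed form and in a corrected form, so the ordering bug can be exercised against sample filenames. The helper names flawed_basename, fixed_basename and is_safe_basename are hypothetical, and the filenames used in the comments and tests are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Reconstruction of the check in tb2ftp.dll (hypothetical helper, not the
 * vendor's source): strrchr for '\', and only when no backslash exists,
 * strrchr for '/'. Whatever follows the chosen separator is then copied into
 * the 0x200-byte destination (lstrcpynA in the binary). */
void flawed_basename(const char *name, char *out, size_t outsz)
{
    const char *sep = strrchr(name, '\\');
    if (sep == NULL)               /* the bug: '/' is never examined once a '\' is present */
        sep = strrchr(name, '/');
    const char *src = sep ? sep + 1 : name;
    strncpy(out, src, outsz - 1);  /* stand-in for lstrcpynA(dst, src, 0x200) */
    out[outsz - 1] = '\0';
}

/* Corrected ordering: always look at both separators and strip up to the
 * last of them, so a leading '\' cannot shield a later "../" sequence. */
void fixed_basename(const char *name, char *out, size_t outsz)
{
    const char *bs = strrchr(name, '\\');
    const char *fs = strrchr(name, '/');
    const char *sep = bs;
    if (fs != NULL && (bs == NULL || fs > bs))
        sep = fs;
    const char *src = sep ? sep + 1 : name;
    strncpy(out, src, outsz - 1);
    out[outsz - 1] = '\0';
}

/* Post-condition a receiving service should enforce on the final name:
 * non-empty, no path separator left, and not a dot directory. */
bool is_safe_basename(const char *s)
{
    return s[0] != '\0'
        && strpbrk(s, "\\/") == NULL
        && strcmp(s, ".") != 0
        && strcmp(s, "..") != 0;
}
```

With the constructed name "notes\../../../a.exe", the flawed routine keeps "../../../a.exe" while the corrected one yields "a.exe"; the post-condition check rejects the former and accepts the latter.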

Motorola Timbuktu Pro for Windows 8.6.5
Motorola

The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:

http://www.motorola.com/
