CVE-2023-36049: MICROSOFT .NET CRLF INJECTION ARBITRARY FILE WRITE/DELETION VULNERABILITY

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Yazhi Wang of the Trend Micro Research Team detail a recently patched privilege escalation vulnerability in .NET Framework and Visual Studio. This bug was originally discovered by Piotr Bazydło of Trend Micro’s Zero Day Initiative (ZDI). Successful exploitation of this vulnerability would allow a remote attacker to write or delete files in the context of the FTP server. The following is a portion of their write-up covering CVE-2023-36049, with a few minimal modifications.


A remote command execution vulnerability has been reported in the Microsoft .NET Framework and Visual Studio. This vulnerability is due to improper validation of user input. An attacker could exploit this vulnerability by sending malicious requests to the FTP servers. Successful exploitation could allow the attacker to write or delete files in the context of the FTP server.

The Vulnerability

The .NET Framework is a software framework for Microsoft Windows that provides development and execution tools for software applications. Applications written for the .NET Framework are executed in the Common Language Runtime (CLR) environment. The CLR takes .NET applications as Common Intermediate Language (CIL) object code and uses a just-in-time (JIT) compiler to compile the CIL object code to native code for the target platform.

FTP is the File Transfer Protocol described in RFC 959 and other RFCs. FTP uses two separate TCP connections – one for control and another for data transfer. A connection to the listening port from the FTP client forms the control stream on which FTP service commands are passed from the FTP client to the FTP server and on occasion from the FTP server to the FTP client. FTP service commands are used for authentication, file transfer, file system functions, etc. FTP commands have the following syntax:

         <command> <SP> [parameters] <CRLF>

where <command> is the string of the command name, and [parameters] are optional or multiple depending on the command. <CRLF> represents the new line sequence Carriage Return (CR) followed by Line Feed (LF), and <SP> represents a space character that separates the command from its parameters, or the parameters from one another. The following is an example of a RETR command, which is used to begin the transmission of a file from the remote host.

         RETR remote-filename

A separate TCP connection is used for the transfer of data when a command, such as STOR, RETR, LIST, and so on, is received. Information, such as command results, the content of the transferred file, and so on are exchanged via this data stream connection. This data stream connection can be initiated by the client or the server. The client can issue the PASV command to request the FTP server to open an ephemeral port to wait for connections from the client. If the client wishes to wait for connections from the server instead, a PORT command is issued.

A command injection vulnerability exists in Microsoft .NET Framework. The vulnerability is due to insufficient validation of FTP command parameters and FTP URI requests. More specifically, the .NET Framework implements a class FtpControlStream to handle basic FTP control connections. In the implementation, it calls an internal function FormatFtpCommand() to form a valid FTP command with the command and parameters as arguments. However, when the vulnerable function handles the FTP parameters, it fails to validate whether the parameters include CRLF characters. It will form the following FTP commands when the command is "RETR" and the parameter is "onefile<CRLF>DELE otherfile<CRLF>":

         RETR onefile<CRLF>
         DELE otherfile<CRLF>

Similarly, another internal function, FtpWebRequest(), fails to validate whether the URI argument contains <CRLF>. A malicious FTP URI could make the vulnerable function send malicious FTP commands after the FTP connection is established.

The attack vector depends on how the vulnerable .NET functions are used in the FTP applications. An attacker could exploit this vulnerability by sending malicious requests to the FTP server. Successful exploitation could allow the attacker to write or delete files in the context of the FTP server.
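To make the formatting defect concrete, the following is an added example (not .NET's code): a small model of the concatenation step the report describes, beside a hardened variant that refuses CR/LF in command fields, and a splitter showing what an RFC 959 server parses from the resulting bytes. The function names are this example's own.

```python
# Added example (not .NET's code): a model of the formatting step the report
# describes, beside a hardened variant that rejects CR/LF in command fields.
CRLF = "\r\n"


class FtpParameterError(ValueError):
    """Raised when a command field would break out of a single FTP line."""


def format_ftp_command_unchecked(command: str, parameter: str = "") -> str:
    """Models the pre-patch behaviour described above: command, SP, parameter
    and CRLF are concatenated and the parameter is never inspected."""
    return f"{command} {parameter}{CRLF}" if parameter else f"{command}{CRLF}"


def format_ftp_command_checked(command: str, parameter: str = "") -> str:
    """Hardened variant: refuse any field containing CR or LF before it reaches
    the control stream (the check is this example's, not .NET's patch)."""
    for field in (command, parameter):
        if "\r" in field or "\n" in field:
            raise FtpParameterError(f"CR/LF not allowed in FTP field: {field!r}")
    return format_ftp_command_unchecked(command, parameter)


def split_control_stream(data: str) -> list:
    """Split a control-stream buffer into the lines an RFC 959 server would
    parse as separate commands."""
    return [line for line in data.split(CRLF) if line]


def commands_seen_by_server(parameter: str) -> list:
    """What an FTP server parses when RETR is sent with the given parameter."""
    return split_control_stream(format_ftp_command_unchecked("RETR", parameter))


if __name__ == "__main__":
    # The report's example parameter: a second command follows an embedded <CRLF>.
    injected = "onefile" + CRLF + "DELE otherfile"
    print(commands_seen_by_server(injected))  # ['RETR onefile', 'DELE otherfile']
    try:
        format_ftp_command_checked("RETR", injected)
    except FtpParameterError as err:
        print("rejected:", err)
```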

Source Code Walkthrough

The following code snippet was taken from .NET commit 0ed0438152b25a8a19bcc87eb335fa8a089ac8db. Comments added by Trend Micro have been highlighted.

In src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs:


In src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs:


Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse all FTP traffic, which is on TCP port 21 by default.

The detection device must inspect if there are multiple FTP commands (multiple CRLF) sent in one packet. If found, the traffic should be considered suspicious, and an attack exploiting this vulnerability is likely underway.

Note that since most FTP servers accept multiple FTP commands in one packet, there might be false positives using this detection guidance in normal FTP traffic.
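The guidance above applied to single packets, as an added example that is not part of the report: each constructed client-to-server payload is split on CRLF, more than one command per packet is flagged, and (this example's own tuning, not the report's) the reason distinguishes a trailing state-changing command from sequences that could be benign pipelining, to help with the false positives the note mentions.

```python
# Added example (not from the report): the detection rule above applied to
# constructed client->server control-stream packets on TCP port 21.
from dataclasses import dataclass
from typing import List

CRLF = b"\r\n"
# Assumed tuning: a trailing state-changing command is the stronger signal,
# since legitimate pipelining is usually USER/PASS/TYPE/PASV style sequences.
STATE_CHANGING = {b"DELE", b"STOR", b"STOU", b"APPE", b"RNFR", b"RNTO", b"RMD", b"MKD"}


@dataclass
class Verdict:
    commands: List[bytes]   # the commands a server would parse from the packet
    suspicious: bool
    reason: str


def inspect_ftp_packet(payload: bytes) -> Verdict:
    """Apply the guidance above to one packet: more than one CRLF-terminated
    command in a single packet is suspicious; the reason records whether the
    extra commands are state-changing (low false-positive risk) or could be
    benign pipelining (false positives possible)."""
    commands = [line for line in payload.split(CRLF) if line]
    verbs = [c.split(b" ", 1)[0].upper() for c in commands]
    if len(commands) <= 1:
        return Verdict(commands, False, "single command")
    if any(v in STATE_CHANGING for v in verbs[1:]):
        return Verdict(commands, True, "multiple commands; trailing state-changing command")
    return Verdict(commands, True, "multiple commands; possible benign pipelining")


# Constructed packets, not captured traffic.
SAMPLE_PACKETS = [
    b"USER anonymous\r\n",                      # normal single command
    b"USER anonymous\r\nPASS guest@\r\n",       # pipelined login, likely benign
    b"RETR onefile\r\nDELE otherfile\r\n",      # the report's injected sequence
    b"RETR onefile\r\nSTOR otherfile\r\n",      # same pattern with a file write
]


def triage(packets: List[bytes]) -> List[Verdict]:
    """Inspect every packet and return one verdict per packet, in order."""
    return [inspect_ftp_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_PACKETS, triage(SAMPLE_PACKETS)):
        print(f"{pkt!r}: suspicious={v.suspicious} ({v.reason})")
```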

Conclusion

Microsoft addressed this vulnerability by releasing a patch in November; however, it has been revised multiple times. The most notable revision adds PowerShell versions 7.2, 7.3, and 7.4 as affected platforms. If you are unable to apply the patch, you can prevent exploitation by refusing to accept FTP URIs from untrusted peers or otherwise filtering FTP traffic. Still, it is recommended to apply the vendor fix to fully resolve this vulnerability.

Special thanks to Justin Hung and Yazhi Wang of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

Originally published by the Trend Micro Research Team: CVE-2023-36049: MICROSOFT .NET CRLF INJECTION ARBITRARY FILE WRITE/DELETION VULNERABILITY

Copyright notice: posted by admin on March 7, 2024 at 10:51 AM.
When reposting, please credit: CVE-2023-36049: MICROSOFT .NET CRLF INJECTION ARBITRARY FILE WRITE/DELETION VULNERABILITY | CTF导航
